mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,63 @@
|
||||
# API Reference: Detecting Evasion Techniques in Endpoint Logs
|
||||
|
||||
## Key Windows Event IDs for Evasion
|
||||
|
||||
| Event ID | Source | Evasion Technique |
|
||||
|----------|--------|-------------------|
|
||||
| 1102 | Security | Audit log cleared (T1070.001) |
|
||||
| Sysmon 2 | Sysmon | Timestomping (T1070.006) |
|
||||
| Sysmon 8 | Sysmon | CreateRemoteThread (T1055) |
|
||||
| Sysmon 10 | Sysmon | Process Access / LSASS (T1003) |
|
||||
| 4688 | Security | Process creation with cmdline |
|
||||
|
||||
## python-evtx Usage
|
||||
|
||||
```python
|
||||
import Evtx.Evtx as evtx
|
||||
with evtx.Evtx("Sysmon.evtx") as log:
|
||||
for record in log.records():
|
||||
xml = record.xml()
|
||||
# Parse EventID, CommandLine, SourceImage, TargetImage
|
||||
```
|
||||
|
||||
## Evasion Detection Patterns
|
||||
|
||||
```python
|
||||
# Log clearing
|
||||
r"wevtutil\s+(cl|clear-log)"
|
||||
r"Clear-EventLog"
|
||||
# Security tool disable
|
||||
r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"
|
||||
r"sc\s+(stop|delete)\s+WinDefend"
|
||||
# AMSI bypass
|
||||
r"[Ref].Assembly.GetType.*AMSI"
|
||||
r"amsiInitFailed"
|
||||
```
|
||||
|
||||
## MITRE ATT&CK TA0005 Techniques
|
||||
|
||||
| Technique | ID | Detection |
|
||||
|-----------|----|-----------|
|
||||
| Indicator Removal | T1070 | Log clearing, file deletion |
|
||||
| Timestomping | T1070.006 | Sysmon Event ID 2 |
|
||||
| Process Injection | T1055 | Sysmon Event ID 8 |
|
||||
| Impair Defenses | T1562.001 | AV/EDR disabling commands |
|
||||
| AMSI Bypass | T1562.001 | PowerShell AMSI patching |
|
||||
|
||||
## Splunk SPL Detection
|
||||
|
||||
```spl
|
||||
index=sysmon (EventCode=2 OR EventCode=8 OR EventCode=10)
|
||||
| eval technique=case(
|
||||
EventCode=2, "Timestomping",
|
||||
EventCode=8, "Process Injection",
|
||||
EventCode=10, "Process Access")
|
||||
| stats count by technique, SourceImage, Computer
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
python agent.py --evtx-file Sysmon.evtx
|
||||
python agent.py --evtx-file Security.evtx
|
||||
```
|
||||
Reference in New Issue
Block a user