mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,70 @@
|
||||
# API Reference: Detecting Fileless Attacks on Endpoints
|
||||
|
||||
## Key Event Sources
|
||||
|
||||
| Source | Event ID | Detection |
|
||||
|--------|----------|-----------|
|
||||
| PowerShell Script Block | 4104 | Malicious script content |
|
||||
| Sysmon Process Create | 1 | Encoded command execution |
|
||||
| Sysmon CreateRemoteThread | 8 | Reflective DLL injection |
|
||||
| Sysmon WMI EventFilter | 19 | WMI persistence |
|
||||
| Sysmon WMI EventConsumer | 20 | WMI persistence |
|
||||
| Sysmon WMI Binding | 21 | WMI persistence |
|
||||
|
||||
## python-evtx Usage
|
||||
|
||||
```python
|
||||
import Evtx.Evtx as evtx
|
||||
with evtx.Evtx("PowerShell-Operational.evtx") as log:
|
||||
for record in log.records():
|
||||
xml = record.xml()
|
||||
# Parse Event 4104 ScriptBlockText
|
||||
```
|
||||
|
||||
## Suspicious PowerShell Patterns
|
||||
|
||||
```python
|
||||
# Dynamic execution
|
||||
r"Invoke-Expression|IEX\s*\("
|
||||
# Reflective loading
|
||||
r"System\.Reflection\.Assembly.*Load"
|
||||
# Memory injection APIs
|
||||
r"VirtualAlloc|VirtualProtect|CreateThread"
|
||||
# WMI persistence
|
||||
r"Register-WMI|__EventFilter|__EventConsumer"
|
||||
# Encoded commands
|
||||
r"-enc\s|-encodedcommand\s"
|
||||
```
|
||||
|
||||
## Splunk SPL - Fileless Detection
|
||||
|
||||
```spl
|
||||
index=powershell EventCode=4104
|
||||
| where match(ScriptBlockText, "(?i)(Invoke-Expression|IEX|VirtualAlloc|FromBase64)")
|
||||
| stats count by ScriptBlockText, Computer, UserID
|
||||
```
|
||||
|
||||
## AMSI (Anti-Malware Scan Interface)
|
||||
|
||||
```powershell
|
||||
# Enable AMSI logging
|
||||
Set-MpPreference -EnableNetworkProtection Enabled
|
||||
# Check AMSI status
|
||||
Get-MpComputerStatus | Select AMServiceEnabled, AntispywareEnabled
|
||||
```
|
||||
|
||||
## WMI Persistence Detection
|
||||
|
||||
```powershell
|
||||
# List WMI event subscriptions
|
||||
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
|
||||
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
|
||||
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
python agent.py --ps-log PowerShell-Operational.evtx
|
||||
python agent.py --sysmon-log Sysmon.evtx --check-wmi --check-injection
|
||||
```
|
||||
Reference in New Issue
Block a user