creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 06:54:57 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Browse Source 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/detecting-fileless-malware-techniques/references/api-reference.md
+81
View File
@@ -0,0 +1,81 @@
# Fileless Malware Detection API Reference
## Windows Event IDs for Fileless Detection
| Event ID | Log | Description |
|----------|-----|-------------|
| 4104 | PowerShell Operational | Script Block Logging (full script content) |
| 4103 | PowerShell Operational | Module Logging |
| 1 | Sysmon | Process Creation with command line |
| 8 | Sysmon | CreateRemoteThread (injection) |
| 10 | Sysmon | ProcessAccess (injection prep) |
| 19/20/21 | Sysmon | WMI Event Filter/Consumer/Binding |
| 7045 | System | New service installed |
## python-evtx - Parse Windows Event Logs
```python
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
xml = record.xml()
if "<EventID>4104</EventID>" in xml:
print(record.timestamp(), xml[:500])
```
## Volatility 3 Commands
```bash
# Detect injected code (RWX memory, PE headers in non-image VADs)
vol3 -f memory.dmp windows.malfind
# List processes
vol3 -f memory.dmp windows.pslist
# Scan for hidden processes
vol3 -f memory.dmp windows.psscan
# List loaded DLLs
vol3 -f memory.dmp windows.dlllist --pid 1234
# Extract injected code
vol3 -f memory.dmp windows.malfind --dump --pid 1234
```
## LOLBins Detection Patterns (Sysmon)
```xml
<!-- Sysmon config for LOLBin monitoring -->
<RuleGroup groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">wmic.exe</Image>
<Image condition="end with">cmstp.exe</Image>
<Image condition="end with">msbuild.exe</Image>
</ProcessCreate>
</RuleGroup>
```
## Suspicious PowerShell Indicators
```
-enc / -EncodedCommand → Base64-encoded command
IEX / Invoke-Expression → Dynamic code execution
Net.WebClient → Download cradle
DownloadString() → Remote script fetch
Reflection.Assembly → Reflective .NET loading
VirtualAlloc → Shellcode allocation
FromBase64String → Payload decoding
```
## WMI Persistence Check
```powershell
# List WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```