mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,60 @@
|
||||
# API Reference: Detecting Mimikatz Execution Patterns
|
||||
|
||||
## Mimikatz Command Signatures
|
||||
|
||||
| Command | MITRE | Impact |
|
||||
|---------|-------|--------|
|
||||
| `sekurlsa::logonpasswords` | T1003.001 | Dump all credentials |
|
||||
| `lsadump::dcsync` | T1003.006 | DCSync attack |
|
||||
| `kerberos::golden` | T1558.001 | Golden Ticket |
|
||||
| `kerberos::ptt` | T1550.003 | Pass-the-Ticket |
|
||||
| `lsadump::sam` | T1003.002 | SAM dump |
|
||||
| `misc::skeleton` | T1556.001 | Skeleton Key |
|
||||
|
||||
## LSASS Dump Techniques
|
||||
|
||||
| Method | Detection Pattern |
|
||||
|--------|-------------------|
|
||||
| comsvcs.dll MiniDump | `rundll32.*comsvcs.*MiniDump` |
|
||||
| ProcDump | `procdump.*-ma.*lsass` |
|
||||
| SQLDumper | `sqldumper.*lsass` |
|
||||
| .NET createdump | `createdump.*lsass` |
|
||||
| PowerShell | `Out-Minidump.*lsass` |
|
||||
|
||||
## Sysmon Detection Events
|
||||
|
||||
| Event ID | Usage |
|
||||
|----------|-------|
|
||||
| 1 | Process Create (mimikatz.exe) |
|
||||
| 7 | Image Loaded (sekurlsa.dll) |
|
||||
| 10 | Process Access (LSASS access mask) |
|
||||
|
||||
## Splunk SPL Detection
|
||||
|
||||
```spl
|
||||
index=sysmon (EventCode=1 OR EventCode=10)
|
||||
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::golden|privilege::debug)")
|
||||
OR (TargetImage="*\\lsass.exe" AND GrantedAccess IN ("0x1010","0x1FFFFF"))
|
||||
| table _time Image CommandLine GrantedAccess Computer
|
||||
```
|
||||
|
||||
## YARA Rule
|
||||
|
||||
```yara
|
||||
rule Mimikatz_Strings {
|
||||
strings:
|
||||
$s1 = "sekurlsa::logonpasswords" ascii wide
|
||||
$s2 = "lsadump::dcsync" ascii wide
|
||||
$s3 = "kerberos::golden" ascii wide
|
||||
$s4 = "mimilib" ascii wide
|
||||
condition:
|
||||
any of them
|
||||
}
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
python agent.py --evtx-file Sysmon.evtx
|
||||
python agent.py --text-log process_audit.log
|
||||
```
|
||||
@@ -0,0 +1,153 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Mimikatz execution pattern detection agent.
|
||||
|
||||
Detects Mimikatz and related credential theft tools by analyzing process
|
||||
creation logs, LSASS access patterns, and known command-line signatures.
|
||||
"""
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import re
|
||||
import sys
|
||||
from datetime import datetime
|
||||
|
||||
try:
|
||||
import Evtx.Evtx as evtx
|
||||
except ImportError:
|
||||
evtx = None
|
||||
|
||||
MIMIKATZ_CMDLINE_PATTERNS = [
|
||||
(r"sekurlsa::logonpasswords", "CRITICAL", "Credential dump via sekurlsa"),
|
||||
(r"sekurlsa::wdigest", "CRITICAL", "WDigest credential extraction"),
|
||||
(r"sekurlsa::kerberos", "CRITICAL", "Kerberos ticket extraction"),
|
||||
(r"lsadump::dcsync", "CRITICAL", "DCSync attack"),
|
||||
(r"lsadump::sam", "CRITICAL", "SAM database dump"),
|
||||
(r"lsadump::lsa\s*/patch", "CRITICAL", "LSA secrets dump"),
|
||||
(r"kerberos::golden", "CRITICAL", "Golden Ticket creation"),
|
||||
(r"kerberos::ptt", "HIGH", "Pass-the-Ticket"),
|
||||
(r"privilege::debug", "HIGH", "Debug privilege escalation"),
|
||||
(r"token::elevate", "HIGH", "Token elevation"),
|
||||
(r"crypto::capi", "MEDIUM", "Certificate export"),
|
||||
(r"dpapi::chrome", "HIGH", "Chrome credential extraction"),
|
||||
(r"vault::cred", "HIGH", "Credential Vault access"),
|
||||
(r"misc::skeleton", "CRITICAL", "Skeleton Key injection"),
|
||||
]
|
||||
|
||||
MIMIKATZ_BINARY_INDICATORS = [
|
||||
(r"mimikatz\.exe", "CRITICAL"),
|
||||
(r"mimi(32|64)\.exe", "CRITICAL"),
|
||||
(r"mimikittenz", "CRITICAL"),
|
||||
(r"sekurlsa\.dll", "CRITICAL"),
|
||||
(r"mimilib\.dll", "CRITICAL"),
|
||||
(r"mimidrv\.sys", "CRITICAL"),
|
||||
(r"kiwi_passwords", "CRITICAL"),
|
||||
]
|
||||
|
||||
LSASS_DUMP_PATTERNS = [
|
||||
(r"rundll32.*comsvcs.*MiniDump", "CRITICAL", "LSASS minidump via comsvcs.dll"),
|
||||
(r"procdump.*-ma.*lsass", "HIGH", "LSASS dump via ProcDump"),
|
||||
(r"sqldumper.*lsass", "HIGH", "LSASS dump via SQLDumper"),
|
||||
(r"createdump.*lsass", "HIGH", "LSASS dump via .NET createdump"),
|
||||
(r"taskmgr.*lsass.*dump", "MEDIUM", "LSASS dump via Task Manager"),
|
||||
(r"Out-Minidump.*lsass", "CRITICAL", "PowerShell LSASS minidump"),
|
||||
]
|
||||
|
||||
|
||||
def scan_evtx(filepath):
|
||||
if evtx is None:
|
||||
return {"error": "python-evtx not installed: pip install python-evtx"}
|
||||
findings = []
|
||||
with evtx.Evtx(filepath) as log:
|
||||
for record in log.records():
|
||||
xml = record.xml()
|
||||
event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
|
||||
if not event_id_match:
|
||||
continue
|
||||
event_id = int(event_id_match.group(1))
|
||||
if event_id not in (1, 4688, 10):
|
||||
continue
|
||||
|
||||
cmdline = re.search(r'<Data Name="CommandLine">([^<]+)', xml)
|
||||
image = re.search(r'<Data Name="Image">([^<]+)', xml)
|
||||
new_proc = re.search(r'<Data Name="NewProcessName">([^<]+)', xml)
|
||||
time_match = re.search(r'SystemTime="([^"]+)"', xml)
|
||||
user = re.search(r'<Data Name="User">([^<]+)', xml)
|
||||
|
||||
cmd = cmdline.group(1) if cmdline else ""
|
||||
proc = image.group(1) if image else (new_proc.group(1) if new_proc else "")
|
||||
|
||||
for pattern, severity in MIMIKATZ_BINARY_INDICATORS:
|
||||
if re.search(pattern, proc, re.IGNORECASE):
|
||||
findings.append({
|
||||
"event_id": event_id,
|
||||
"timestamp": time_match.group(1) if time_match else "",
|
||||
"type": "mimikatz_binary",
|
||||
"process": proc,
|
||||
"severity": severity,
|
||||
"mitre": "T1003.001",
|
||||
})
|
||||
|
||||
for pattern, severity, desc in MIMIKATZ_CMDLINE_PATTERNS:
|
||||
if re.search(pattern, cmd, re.IGNORECASE):
|
||||
findings.append({
|
||||
"event_id": event_id,
|
||||
"timestamp": time_match.group(1) if time_match else "",
|
||||
"type": "mimikatz_command",
|
||||
"command": cmd[:300],
|
||||
"description": desc,
|
||||
"severity": severity,
|
||||
"mitre": "T1003",
|
||||
})
|
||||
|
||||
for pattern, severity, desc in LSASS_DUMP_PATTERNS:
|
||||
if re.search(pattern, cmd, re.IGNORECASE):
|
||||
findings.append({
|
||||
"event_id": event_id,
|
||||
"timestamp": time_match.group(1) if time_match else "",
|
||||
"type": "lsass_dump",
|
||||
"command": cmd[:300],
|
||||
"description": desc,
|
||||
"severity": severity,
|
||||
"mitre": "T1003.001",
|
||||
})
|
||||
|
||||
return findings
|
||||
|
||||
|
||||
def scan_text_log(filepath):
|
||||
findings = []
|
||||
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
|
||||
for num, line in enumerate(f, 1):
|
||||
for pattern, severity, desc in MIMIKATZ_CMDLINE_PATTERNS + LSASS_DUMP_PATTERNS:
|
||||
if re.search(pattern, line, re.IGNORECASE):
|
||||
findings.append({
|
||||
"line": num, "severity": severity,
|
||||
"description": desc, "excerpt": line.strip()[:200],
|
||||
})
|
||||
return findings
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Mimikatz Execution Pattern Detector")
|
||||
parser.add_argument("--evtx-file", help="Sysmon or Security EVTX file")
|
||||
parser.add_argument("--text-log", help="Text log file to scan")
|
||||
args = parser.parse_args()
|
||||
|
||||
results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
|
||||
|
||||
if args.evtx_file:
|
||||
evtx_findings = scan_evtx(args.evtx_file)
|
||||
if isinstance(evtx_findings, dict):
|
||||
results.update(evtx_findings)
|
||||
else:
|
||||
results["findings"].extend(evtx_findings)
|
||||
|
||||
if args.text_log:
|
||||
results["findings"].extend(scan_text_log(args.text_log))
|
||||
|
||||
results["total_findings"] = len(results["findings"])
|
||||
print(json.dumps(results, indent=2))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user