creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 15:34:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Browse Source 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/detecting-mimikatz-execution-patterns/references/api-reference.md
+60
View File
@@ -0,0 +1,60 @@
# API Reference: Detecting Mimikatz Execution Patterns
## Mimikatz Command Signatures
| Command | MITRE | Impact |
|---------|-------|--------|
| `sekurlsa::logonpasswords` | T1003.001 | Dump all credentials |
| `lsadump::dcsync` | T1003.006 | DCSync attack |
| `kerberos::golden` | T1558.001 | Golden Ticket |
| `kerberos::ptt` | T1550.003 | Pass-the-Ticket |
| `lsadump::sam` | T1003.002 | SAM dump |
| `misc::skeleton` | T1556.001 | Skeleton Key |
## LSASS Dump Techniques
| Method | Detection Pattern |
|--------|-------------------|
| comsvcs.dll MiniDump | `rundll32.*comsvcs.*MiniDump` |
| ProcDump | `procdump.*-ma.*lsass` |
| SQLDumper | `sqldumper.*lsass` |
| .NET createdump | `createdump.*lsass` |
| PowerShell | `Out-Minidump.*lsass` |
## Sysmon Detection Events
| Event ID | Usage |
|----------|-------|
| 1 | Process Create (mimikatz.exe) |
| 7 | Image Loaded (sekurlsa.dll) |
| 10 | Process Access (LSASS access mask) |
## Splunk SPL Detection
```spl
index=sysmon (EventCode=1 OR EventCode=10)
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::golden|privilege::debug)")
OR (TargetImage="*\\lsass.exe" AND GrantedAccess IN ("0x1010","0x1FFFFF"))
| table _time Image CommandLine GrantedAccess Computer
```
## YARA Rule
```yara
rule Mimikatz_Strings {
strings:
$s1 = "sekurlsa::logonpasswords" ascii wide
$s2 = "lsadump::dcsync" ascii wide
$s3 = "kerberos::golden" ascii wide
$s4 = "mimilib" ascii wide
condition:
any of them
}
```
## CLI Usage
```bash
python agent.py --evtx-file Sysmon.evtx
python agent.py --text-log process_audit.log
```