creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 15:34:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Browse Source 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/detecting-rootkit-activity/scripts/agent.py
+204
View File
@@ -0,0 +1,204 @@
#!/usr/bin/env python3
"""Rootkit detection agent using cross-view analysis and integrity checking."""
import json
import os
import subprocess
import sys
from datetime import datetime
def run_volatility_pslist(memory_dump):
"""List processes using ActiveProcessLinks (EPROCESS linked list)."""
cmd = ["vol3", "-f", memory_dump, "windows.pslist"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
processes = []
for line in result.stdout.splitlines():
parts = line.split()
if len(parts) >= 4 and parts[0].isdigit():
processes.append({"pid": int(parts[0]), "ppid": int(parts[1]),
"name": parts[2], "threads": parts[3] if len(parts) > 3 else ""})
return {"method": "pslist", "count": len(processes), "processes": processes}
except FileNotFoundError:
return {"error": "Volatility 3 not installed"}
except subprocess.TimeoutExpired:
return {"error": "Timed out"}
def run_volatility_psscan(memory_dump):
"""Scan physical memory for EPROCESS pool tags (rootkit-resistant)."""
cmd = ["vol3", "-f", memory_dump, "windows.psscan"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
processes = []
for line in result.stdout.splitlines():
parts = line.split()
if len(parts) >= 4 and parts[0].startswith("0x"):
processes.append({"offset": parts[0], "pid": parts[1],
"ppid": parts[2] if len(parts) > 2 else "",
"name": parts[3] if len(parts) > 3 else ""})
return {"method": "psscan", "count": len(processes), "processes": processes}
except FileNotFoundError:
return {"error": "Volatility 3 not installed"}
except subprocess.TimeoutExpired:
return {"error": "Timed out"}
def cross_view_detection(memory_dump):
"""Compare pslist vs psscan to find hidden processes (DKOM rootkits)."""
pslist = run_volatility_pslist(memory_dump)
psscan = run_volatility_psscan(memory_dump)
if "error" in pslist or "error" in psscan:
return {"error": "Could not complete cross-view analysis",
"pslist": pslist, "psscan": psscan}
pslist_pids = set(str(p["pid"]) for p in pslist.get("processes", []))
psscan_pids = set(str(p.get("pid", "")) for p in psscan.get("processes", []))
hidden = psscan_pids - pslist_pids
hidden_processes = [
p for p in psscan.get("processes", [])
if str(p.get("pid", "")) in hidden
]
return {
"pslist_count": len(pslist_pids),
"psscan_count": len(psscan_pids),
"hidden_processes": hidden_processes,
"hidden_count": len(hidden_processes),
"alert": "ROOTKIT DETECTED - Hidden processes found" if hidden_processes else "No hidden processes detected",
}
def check_ssdt_hooks(memory_dump):
"""Check for SSDT (System Service Descriptor Table) hooks."""
cmd = ["vol3", "-f", memory_dump, "windows.ssdt"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
hooks = []
for line in result.stdout.splitlines():
if "UNKNOWN" in line.upper() or line.count("\\") == 0:
parts = line.split()
if len(parts) >= 3:
hooks.append({"entry": " ".join(parts)})
return {"ssdt_hooks": hooks, "count": len(hooks)}
except FileNotFoundError:
return {"error": "Volatility 3 not installed"}
except subprocess.TimeoutExpired:
return {"error": "Timed out"}
def check_kernel_modules(memory_dump):
"""List loaded kernel modules and detect unsigned/suspicious ones."""
cmd = ["vol3", "-f", memory_dump, "windows.modules"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
modules = []
for line in result.stdout.splitlines():
parts = line.split()
if len(parts) >= 3 and parts[0].startswith("0x"):
modules.append({"base": parts[0], "size": parts[1],
"name": parts[2] if len(parts) > 2 else ""})
return {"modules": modules, "count": len(modules)}
except FileNotFoundError:
return {"error": "Volatility 3 not installed"}
except subprocess.TimeoutExpired:
return {"error": "Timed out"}
def run_rkhunter():
"""Run rkhunter for Linux rootkit detection."""
try:
result = subprocess.run(
["rkhunter", "--check", "--skip-keypress", "--report-warnings-only"],
capture_output=True, text=True, timeout=120
)
warnings = [line.strip() for line in result.stdout.splitlines() if "Warning" in line]
return {
"tool": "rkhunter",
"warnings": warnings,
"warning_count": len(warnings),
"exit_code": result.returncode,
}
except FileNotFoundError:
return {"error": "rkhunter not installed (apt install rkhunter)"}
except subprocess.TimeoutExpired:
return {"error": "rkhunter timed out"}
def run_chkrootkit():
"""Run chkrootkit for Linux rootkit detection."""
try:
result = subprocess.run(
["chkrootkit", "-q"], capture_output=True, text=True, timeout=120
)
infected = [line.strip() for line in result.stdout.splitlines()
if "INFECTED" in line.upper()]
return {
"tool": "chkrootkit",
"infected": infected,
"infected_count": len(infected),
"exit_code": result.returncode,
}
except FileNotFoundError:
return {"error": "chkrootkit not installed (apt install chkrootkit)"}
except subprocess.TimeoutExpired:
return {"error": "chkrootkit timed out"}
def check_hidden_files_linux():
"""Check for hidden files and directories that may indicate a rootkit."""
suspicious = []
check_dirs = ["/tmp", "/dev/shm", "/var/tmp"]
for d in check_dirs:
if not os.path.exists(d):
continue
try:
for entry in os.listdir(d):
if entry.startswith(".") and entry not in (".", ".."):
full_path = os.path.join(d, entry)
suspicious.append({
"path": full_path,
"is_dir": os.path.isdir(full_path),
"size": os.path.getsize(full_path) if os.path.isfile(full_path) else 0,
})
except PermissionError:
continue
return {"hidden_files": suspicious, "count": len(suspicious)}
def generate_report(memory_dump=None):
"""Generate comprehensive rootkit detection report."""
report = {"timestamp": datetime.utcnow().isoformat() + "Z"}
if memory_dump:
report["cross_view"] = cross_view_detection(memory_dump)
report["ssdt_hooks"] = check_ssdt_hooks(memory_dump)
report["kernel_modules"] = check_kernel_modules(memory_dump)
else:
report["rkhunter"] = run_rkhunter()
report["chkrootkit"] = run_chkrootkit()
report["hidden_files"] = check_hidden_files_linux()
return report
if __name__ == "__main__":
action = sys.argv[1] if len(sys.argv) > 1 else "help"
if action == "cross-view" and len(sys.argv) > 2:
print(json.dumps(cross_view_detection(sys.argv[2]), indent=2, default=str))
elif action == "malfind" and len(sys.argv) > 2:
print(json.dumps(run_volatility_pslist(sys.argv[2]), indent=2, default=str))
elif action == "ssdt" and len(sys.argv) > 2:
print(json.dumps(check_ssdt_hooks(sys.argv[2]), indent=2, default=str))
elif action == "rkhunter":
print(json.dumps(run_rkhunter(), indent=2))
elif action == "chkrootkit":
print(json.dumps(run_chkrootkit(), indent=2))
elif action == "report":
mem = sys.argv[2] if len(sys.argv) > 2 else None
print(json.dumps(generate_report(mem), indent=2, default=str))
else:
print("Usage: agent.py [cross-view <mem>|malfind <mem>|ssdt <mem>|rkhunter|chkrootkit|report [mem]]")