Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-26 11:44:37 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Anthropic Agent Skills Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,45 @@
+---
+name: implementing-cloud-workload-protection
+description: >
+  Implements cloud workload protection using boto3 and google-cloud APIs for runtime
+  security monitoring, process anomaly detection, and file integrity checking on EC2/GCE
+  instances. Scans for cryptomining, reverse shells, and unauthorized binaries.
+  Use when building runtime security controls for cloud compute workloads.
+---
+
+# Implementing Cloud Workload Protection
+
+## Instructions
+
+Monitor cloud workloads for runtime threats by checking process lists, network
+connections, file integrity, and resource utilization anomalies.
+
+```python
+import boto3
+
+ssm = boto3.client("ssm")
+# Run command on EC2 instances to check for suspicious processes
+response = ssm.send_command(
+    InstanceIds=["i-1234567890abcdef0"],
+    DocumentName="AWS-RunShellScript",
+    Parameters={"commands": ["ps aux | grep -E 'xmrig|minerd|cryptonight'"]},
+)
+```
+
+Key protection areas:
+1. Process monitoring for cryptominers and reverse shells
+2. File integrity monitoring on critical system files
+3. Network connection auditing for C2 callbacks
+4. Resource utilization anomaly detection (CPU spikes)
+5. Unauthorized binary detection via hash comparison
+
+## Examples
+
+```python
+# Check for unauthorized outbound connections
+ssm.send_command(
+    InstanceIds=instances,
+    DocumentName="AWS-RunShellScript",
+    Parameters={"commands": ["ss -tlnp | grep ESTABLISHED"]},
+)
+```
@@ -0,0 +1,61 @@
+# API Reference: Implementing Cloud Workload Protection
+
+## AWS SSM Run Command (boto3)
+
+```python
+import boto3
+ssm = boto3.client("ssm")
+
+# Execute command on instances
+resp = ssm.send_command(
+    InstanceIds=["i-abc123"],
+    DocumentName="AWS-RunShellScript",
+    Parameters={"commands": ["ps aux"]},
+    TimeoutSeconds=60,
+)
+command_id = resp["Command"]["CommandId"]
+
+# Get output
+output = ssm.get_command_invocation(
+    CommandId=command_id, InstanceId="i-abc123"
+)
+print(output["StandardOutputContent"])
+```
+
+## CloudWatch CPU Monitoring
+
+```python
+cw = boto3.client("cloudwatch")
+resp = cw.get_metric_statistics(
+    Namespace="AWS/EC2", MetricName="CPUUtilization",
+    Dimensions=[{"Name": "InstanceId", "Value": "i-abc123"}],
+    StartTime=start, EndTime=end, Period=300,
+    Statistics=["Average"],
+)
+```
+
+## Key Detection Commands
+
+| Threat | Command |
+|--------|---------|
+| Cryptominer | `ps aux \| grep -iE 'xmrig\|minerd'` |
+| Reverse shell | `ss -tlnp \| grep ESTAB` |
+| File integrity | `rpm -Va \| grep '^..5'` |
+| Unauthorized binaries | `find /tmp -executable -type f` |
+| Cron persistence | `crontab -l; ls /etc/cron.d/` |
+
+## GuardDuty Integration
+
+```python
+gd = boto3.client("guardduty")
+findings = gd.list_findings(DetectorId="detector-id")
+for fid in findings["FindingIds"]:
+    detail = gd.get_findings(DetectorId="detector-id", FindingIds=[fid])
+    print(detail["Findings"][0]["Type"])
+```
+
+### References
+
+- SSM Run Command: https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html
+- CloudWatch: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudwatch.html
+- GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/
@@ -0,0 +1,186 @@
+#!/usr/bin/env python3
+"""Agent for cloud workload protection on AWS EC2 instances."""
+
+import os
+import json
+import time
+import argparse
+from datetime import datetime
+
+import boto3
+from botocore.exceptions import ClientError
+
+
+def get_running_instances(session, filters=None):
+    """List all running EC2 instances."""
+    ec2 = session.client("ec2")
+    params = {"Filters": [{"Name": "instance-state-name", "Values": ["running"]}]}
+    if filters:
+        params["Filters"].extend(filters)
+    instances = []
+    paginator = ec2.get_paginator("describe_instances")
+    for page in paginator.paginate(**params):
+        for res in page["Reservations"]:
+            for inst in res["Instances"]:
+                instances.append({
+                    "instance_id": inst["InstanceId"],
+                    "type": inst["InstanceType"],
+                    "ip": inst.get("PrivateIpAddress", ""),
+                    "launch_time": str(inst["LaunchTime"]),
+                })
+    return instances
+
+
+def run_ssm_command(session, instance_ids, commands):
+    """Execute commands on instances via SSM Run Command."""
+    ssm = session.client("ssm")
+    resp = ssm.send_command(
+        InstanceIds=instance_ids,
+        DocumentName="AWS-RunShellScript",
+        Parameters={"commands": commands},
+        TimeoutSeconds=60,
+    )
+    command_id = resp["Command"]["CommandId"]
+    time.sleep(5)
+    results = {}
+    for iid in instance_ids:
+        try:
+            output = ssm.get_command_invocation(CommandId=command_id, InstanceId=iid)
+            results[iid] = {
+                "status": output["Status"],
+                "stdout": output.get("StandardOutputContent", ""),
+                "stderr": output.get("StandardErrorContent", ""),
+            }
+        except ClientError as e:
+            results[iid] = {"status": "Error", "error": str(e)}
+    return results
+
+
+def scan_for_cryptominers(session, instance_ids):
+    """Detect cryptomining processes on instances."""
+    commands = [
+        "ps aux | grep -iE 'xmrig|minerd|cryptonight|stratum|nicehash' | grep -v grep",
+        "find /tmp /var/tmp /dev/shm -name '*.sh' -o -name 'config.json' 2>/dev/null | head -20",
+    ]
+    results = run_ssm_command(session, instance_ids, commands)
+    findings = []
+    for iid, result in results.items():
+        if result.get("stdout", "").strip():
+            findings.append({
+                "instance_id": iid,
+                "type": "cryptominer",
+                "severity": "CRITICAL",
+                "output": result["stdout"].strip(),
+            })
+    return findings
+
+
+def scan_for_reverse_shells(session, instance_ids):
+    """Detect potential reverse shell connections."""
+    commands = [
+        "ss -tlnp 2>/dev/null | grep ESTAB | grep -vE ':443|:80|:22|:8089'",
+        "ls -la /dev/tcp 2>/dev/null; ls -la /proc/*/fd 2>/dev/null | grep socket | head -20",
+    ]
+    results = run_ssm_command(session, instance_ids, commands)
+    findings = []
+    for iid, result in results.items():
+        if result.get("stdout", "").strip():
+            findings.append({
+                "instance_id": iid,
+                "type": "suspicious_connections",
+                "severity": "HIGH",
+                "output": result["stdout"].strip(),
+            })
+    return findings
+
+
+def check_file_integrity(session, instance_ids):
+    """Check integrity of critical system files."""
+    commands = [
+        "rpm -Va 2>/dev/null | grep -E '^..5' | head -20 || "
+        "debsums -c 2>/dev/null | head -20",
+        "find /usr/bin /usr/sbin -newer /var/log/lastlog -type f 2>/dev/null | head -20",
+    ]
+    results = run_ssm_command(session, instance_ids, commands)
+    findings = []
+    for iid, result in results.items():
+        if result.get("stdout", "").strip():
+            findings.append({
+                "instance_id": iid,
+                "type": "file_integrity",
+                "severity": "MEDIUM",
+                "modified_files": result["stdout"].strip().splitlines(),
+            })
+    return findings
+
+
+def check_cpu_anomaly(session, instance_ids):
+    """Detect CPU usage anomalies via CloudWatch."""
+    cw = session.client("cloudwatch")
+    anomalies = []
+    for iid in instance_ids:
+        resp = cw.get_metric_statistics(
+            Namespace="AWS/EC2",
+            MetricName="CPUUtilization",
+            Dimensions=[{"Name": "InstanceId", "Value": iid}],
+            StartTime=datetime.utcnow().replace(hour=0, minute=0),
+            EndTime=datetime.utcnow(),
+            Period=300,
+            Statistics=["Average"],
+        )
+        for dp in resp.get("Datapoints", []):
+            if dp["Average"] > 90:
+                anomalies.append({
+                    "instance_id": iid,
+                    "cpu_avg": round(dp["Average"], 1),
+                    "timestamp": str(dp["Timestamp"]),
+                    "severity": "HIGH",
+                })
+    return anomalies
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Cloud Workload Protection Agent")
+    parser.add_argument("--profile", default=os.getenv("AWS_PROFILE"))
+    parser.add_argument("--region", default=os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
+    parser.add_argument("--output", default="cwp_report.json")
+    parser.add_argument("--action", choices=[
+        "list", "cryptominer", "reverse_shell", "integrity", "cpu", "full_scan"
+    ], default="full_scan")
+    args = parser.parse_args()
+
+    session = boto3.Session(profile_name=args.profile, region_name=args.region)
+    report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
+
+    instances = get_running_instances(session)
+    instance_ids = [i["instance_id"] for i in instances]
+    report["instances"] = instances
+    print(f"[+] Running instances: {len(instances)}")
+
+    if args.action in ("cryptominer", "full_scan") and instance_ids:
+        findings = scan_for_cryptominers(session, instance_ids)
+        report["findings"]["cryptominers"] = findings
+        print(f"[+] Cryptominer detections: {len(findings)}")
+
+    if args.action in ("reverse_shell", "full_scan") and instance_ids:
+        findings = scan_for_reverse_shells(session, instance_ids)
+        report["findings"]["reverse_shells"] = findings
+        print(f"[+] Suspicious connections: {len(findings)}")
+
+    if args.action in ("integrity", "full_scan") and instance_ids:
+        findings = check_file_integrity(session, instance_ids)
+        report["findings"]["file_integrity"] = findings
+        print(f"[+] File integrity issues: {len(findings)}")
+
+    if args.action in ("cpu", "full_scan") and instance_ids:
+        anomalies = check_cpu_anomaly(session, instance_ids)
+        report["findings"]["cpu_anomalies"] = anomalies
+        print(f"[+] CPU anomalies: {len(anomalies)}")
+
+    with open(args.output, "w") as f:
+        json.dump(report, f, indent=2, default=str)
+    print(f"[+] Report saved to {args.output}")
+
+
+if __name__ == "__main__":
+    main()