Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,47 @@
# API Reference: Memory Forensics with Volatility 3
## Volatility 3 CLI
| Plugin | Description |
|--------|-------------|
| `windows.info` | OS version, kernel base, system time |
| `windows.pslist` | List processes via EPROCESS linked list |
| `windows.pstree` | Process tree with parent-child relationships |
| `windows.psscan` | Pool scan for processes (finds hidden) |
| `windows.malfind` | Detect injected code in process memory |
| `windows.netscan` | Active network connections and listening ports |
| `windows.cmdline` | Command line arguments for all processes |
| `windows.dlllist` | DLLs loaded per process |
| `windows.hashdump` | Extract cached NTLM password hashes |
| `windows.lsadump` | LSA secrets from memory |
| `windows.svcscan` | Windows services enumeration |
| `windows.modules` | Loaded kernel modules |
| `windows.modscan` | Pool scan for kernel modules (finds hidden) |
| `windows.registry.hivelist` | List registry hives in memory |
| `windows.registry.printkey` | Print specific registry key values |
| `yarascan` | Scan memory with YARA rules |
| `windows.memmap` | Dump process memory to disk |
## Common Flags
| Flag | Description |
|------|-------------|
| `-f <file>` | Memory dump file path |
| `--pid <pid>` | Filter by process ID |
| `--dump` | Dump matched content to files |
| `-o <dir>` | Output directory for dumps |
| `--yara-file <file>` | YARA rules file for scanning |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `subprocess` | stdlib | Execute Volatility 3 CLI commands |
| `re` | stdlib | Parse plugin output |
## References
- Volatility 3: https://github.com/volatilityfoundation/volatility3
- Symbol tables: https://downloads.volatilityfoundation.org/volatility3/symbols/
- LiME: https://github.com/504ensicsLabs/LiME
- MemProcFS: https://github.com/ufrisk/MemProcFS
@@ -0,0 +1,161 @@
#!/usr/bin/env python3
"""Agent for performing memory forensics with Volatility 3.
Automates memory dump analysis including process enumeration,
network connection extraction, malware detection, and credential
extraction using Volatility 3 framework via subprocess.
"""
import subprocess
import json
import sys
import re
from pathlib import Path
from collections import defaultdict
class MemoryForensicsAgent:
"""Automates Volatility 3 memory forensics analysis."""
def __init__(self, memory_dump, output_dir):
self.memory_dump = memory_dump
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
def _run_vol(self, plugin, extra_args=None):
"""Execute a Volatility 3 plugin and return output."""
cmd = ["vol", "-f", self.memory_dump, plugin]
if extra_args:
cmd.extend(extra_args)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return {"output": result.stdout, "stderr": result.stderr, "rc": result.returncode}
def get_os_info(self):
"""Identify the operating system from the memory dump."""
result = self._run_vol("windows.info")
if result["rc"] != 0:
result = self._run_vol("linux.info")
return result
def list_processes(self):
"""List all running processes."""
return self._run_vol("windows.pslist")
def get_process_tree(self):
"""Show process tree with parent-child relationships."""
return self._run_vol("windows.pstree")
def scan_hidden_processes(self):
"""Scan for hidden/unlinked processes via pool scanning."""
return self._run_vol("windows.psscan")
def detect_injected_code(self):
"""Detect process injection via malfind plugin."""
return self._run_vol("windows.malfind")
def get_network_connections(self):
"""Extract active network connections."""
return self._run_vol("windows.netscan")
def get_command_lines(self):
"""Extract command lines for all processes."""
return self._run_vol("windows.cmdline")
def dump_process_memory(self, pid):
"""Dump memory of a specific process."""
dump_dir = self.output_dir / "process_dumps"
dump_dir.mkdir(exist_ok=True)
return self._run_vol("windows.memmap", [
"--pid", str(pid), "--dump", "-o", str(dump_dir)
])
def extract_hashes(self):
"""Extract cached password hashes."""
return self._run_vol("windows.hashdump")
def scan_with_yara(self, yara_file):
"""Scan memory with YARA rules."""
return self._run_vol("yarascan", ["--yara-file", yara_file])
def get_registry_keys(self, key_path):
"""Extract specific registry keys from memory."""
return self._run_vol("windows.registry.printkey", ["--key", key_path])
def list_services(self):
"""List Windows services from memory."""
return self._run_vol("windows.svcscan")
def list_loaded_modules(self):
"""List loaded kernel modules."""
return self._run_vol("windows.modules")
def scan_hidden_modules(self):
"""Scan for hidden kernel modules."""
return self._run_vol("windows.modscan")
def get_dll_list(self, pid=None):
"""List DLLs loaded by processes."""
args = ["--pid", str(pid)] if pid else []
return self._run_vol("windows.dlllist", args if args else None)
def detect_anomalies(self):
"""Compare pslist vs psscan to find hidden processes."""
pslist = self._run_vol("windows.pslist")
psscan = self._run_vol("windows.psscan")
pslist_pids = set(re.findall(r"^\s*(\d+)\s", pslist["output"], re.MULTILINE))
psscan_pids = set(re.findall(r"^\s*(\d+)\s", psscan["output"], re.MULTILINE))
hidden = psscan_pids - pslist_pids
return {
"pslist_count": len(pslist_pids),
"psscan_count": len(psscan_pids),
"hidden_pids": sorted(hidden),
"hidden_count": len(hidden),
}
def generate_report(self, yara_file=None):
"""Run comprehensive memory analysis and generate report."""
report = {
"memory_dump": self.memory_dump,
"os_info": self.get_os_info()["output"][:500],
}
report["process_list"] = self.list_processes()["output"]
report["process_tree"] = self.get_process_tree()["output"]
report["malfind"] = self.detect_injected_code()["output"]
report["network"] = self.get_network_connections()["output"]
report["cmdline"] = self.get_command_lines()["output"]
report["hashes"] = self.extract_hashes()["output"]
report["services"] = self.list_services()["output"][:2000]
report["hidden_processes"] = self.detect_anomalies()
if yara_file:
report["yara_hits"] = self.scan_with_yara(yara_file)["output"]
report_path = self.output_dir / "memory_forensics_report.json"
with open(report_path, "w") as f:
json.dump(report, f, indent=2)
print(f"Memory Forensics Report: {report_path}")
print(f"Hidden processes: {report['hidden_processes']['hidden_count']}")
if report["malfind"]["output"].strip():
print("Malfind detections found - check report for details")
return report
def main():
if len(sys.argv) < 3:
print("Usage: agent.py <memory_dump> <output_dir> [yara_rules]")
sys.exit(1)
memory_dump = sys.argv[1]
output_dir = sys.argv[2]
yara_file = sys.argv[3] if len(sys.argv) > 3 else None
agent = MemoryForensicsAgent(memory_dump, output_dir)
agent.generate_report(yara_file)
if __name__ == "__main__":
main()