creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat: add 5 cybersecurity skills - CloudTrail anomalies, SSL/TLS assessment, Wazuh detection, Prefetch analysis, WMI lateral movement

Browse Source
This commit is contained in:
mukul975
2026-03-11 00:44:42 +01:00
parent 1ba371d7f7
commit 724fda0883
20 changed files with 1593 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/analyzing-windows-prefetch-with-python/LICENSE
+21
View File
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Mahipal
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
skills/analyzing-windows-prefetch-with-python/SKILL.md
+39
View File
@@ -0,0 +1,39 @@
---
name: analyzing-windows-prefetch-with-python
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.
domain: cybersecurity
subdomain: digital-forensics
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Windows Prefetch with Python
## Overview
Windows Prefetch files (.pf) record application execution data including executable names, run counts, timestamps, loaded DLLs, and accessed directories. This skill covers parsing Prefetch files using the windowsprefetch Python library to reconstruct execution timelines, detect renamed or masquerading binaries by comparing executable names with loaded resources, and identifying suspicious programs that may indicate malware execution or lateral movement.
## Prerequisites
- Python 3.9+ with `windowsprefetch` library (pip install windowsprefetch)
- Windows Prefetch files from C:\Windows\Prefetch\ (versions 17-30 supported)
- Understanding of Windows Prefetch file naming conventions (EXECUTABLE-HASH.pf)
## Steps
### Step 1: Collect Prefetch Files
Gather .pf files from target system's C:\Windows\Prefetch\ directory.
### Step 2: Parse Execution History
Extract executable name, run count, last execution timestamps, and volume information.
### Step 3: Detect Suspicious Execution
Flag known attack tools (mimikatz, psexec, etc.), renamed binaries, and unusual execution patterns.
### Step 4: Build Execution Timeline
Reconstruct chronological execution timeline from all Prefetch files.
## Expected Output
JSON report with execution history, suspicious executables, renamed binary indicators, and timeline reconstruction.
skills/analyzing-windows-prefetch-with-python/references/api-reference.md
+60
View File
@@ -0,0 +1,60 @@
# API Reference: Analyzing Windows Prefetch with Python
## windowsprefetch Library
```python
import windowsprefetch
pf = windowsprefetch.Prefetch("CMD.EXE-1234ABCD.pf")
print(pf.executableName) # CMD.EXE
print(pf.runCount) # 42
print(pf.lastRunTime) # 2025-01-15 10:30:22
print(pf.timestamps) # List of up to 8 execution times
print(pf.resources) # List of loaded files/DLLs
print(pf.volumes) # Volume info (name, serial, creation)
```
Install: `pip install windowsprefetch`
## Prefetch File Versions
| Version | Windows | Max Timestamps |
|---------|---------|----------------|
| 17 | XP/2003 | 1 |
| 23 | Vista/7 | 1 |
| 26 | 8/8.1 | 8 |
| 30 | 10/11 | 8 (compressed) |
## File Naming Convention
Format: `EXECUTABLE-XXXXXXXX.pf`
- EXECUTABLE: uppercase executable name
- XXXXXXXX: hash of file path (allows multiple entries per executable)
## Suspicious Executables to Flag
| Category | Examples |
|----------|---------|
| Credential tools | mimikatz, rubeus, lazagne, secretsdump |
| Lateral movement | psexec, psexesvc, wmiexec |
| C2 agents | beacon, meterpreter, covenant, empire |
| LOLBins | certutil, mshta, regsvr32, rundll32, bitsadmin |
| Recon | sharphound, bloodhound, nmap |
## Prefetch Directory Location
```
C:\Windows\Prefetch\
```
Requires admin privileges to read. Enable via:
```
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
```
## References
- windowsprefetch PyPI: https://pypi.org/project/windowsprefetch/
- Windows Prefetch Parser: https://github.com/PoorBillionaire/Windows-Prefetch-Parser
- libscca/pyscca: https://github.com/libyal/libscca
- SANS Prefetch Analysis: https://www.sans.org/blog/a-prescription-for-windows-prefetch-analysis
skills/analyzing-windows-prefetch-with-python/scripts/agent.py
+188
View File
@@ -0,0 +1,188 @@
#!/usr/bin/env python3
"""Agent for analyzing Windows Prefetch files with Python.
Parses Prefetch (.pf) files to reconstruct execution history,
detect renamed/masquerading binaries, and identify suspicious
tool execution using the windowsprefetch library.
"""
import argparse
import hashlib
import json
import os
from datetime import datetime
from pathlib import Path
try:
import windowsprefetch
except ImportError:
windowsprefetch = None
SUSPICIOUS_EXECUTABLES = {
"mimikatz", "psexec", "psexesvc", "procdump", "lazagne",
"rubeus", "sharphound", "bloodhound", "cobalt", "beacon",
"meterpreter", "powersploit", "empire", "covenant",
"secretsdump", "wce", "fgdump", "pwdump", "gsecdump",
"certutil", "bitsadmin", "mshta", "regsvr32", "rundll32",
"wscript", "cscript", "msiexec", "installutil",
}
LOLBINS = {
"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe",
"rundll32.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
"installutil.exe", "regasm.exe", "regsvcs.exe", "msconfig.exe",
"esentutl.exe", "expand.exe", "extrac32.exe", "findstr.exe",
"hh.exe", "ie4uinit.exe", "makecab.exe", "replace.exe",
}
class PrefetchAnalyzer:
"""Analyzes Windows Prefetch files for forensic investigation."""
def __init__(self, output_dir="./prefetch_analysis"):
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.findings = []
self.executions = []
def parse_prefetch_file(self, pf_path):
"""Parse a single Prefetch file and extract execution data."""
if windowsprefetch is None:
raise RuntimeError("windowsprefetch not installed: pip install windowsprefetch")
try:
pf = windowsprefetch.Prefetch(pf_path)
except Exception:
return None
timestamps = []
if hasattr(pf, "lastRunTime"):
timestamps.append(str(pf.lastRunTime))
if hasattr(pf, "timestamps"):
timestamps.extend([str(t) for t in pf.timestamps])
resources = []
if hasattr(pf, "resources"):
resources = pf.resources if isinstance(pf.resources, list) else []
elif hasattr(pf, "filenames"):
resources = pf.filenames if isinstance(pf.filenames, list) else []
volumes = []
if hasattr(pf, "volumes"):
for v in pf.volumes:
volumes.append({
"name": getattr(v, "name", str(v)),
"serial": getattr(v, "serialNumber", ""),
})
entry = {
"file": str(pf_path),
"executable": pf.executableName if hasattr(pf, "executableName") else Path(pf_path).stem,
"run_count": pf.runCount if hasattr(pf, "runCount") else 0,
"last_run_time": timestamps[0] if timestamps else "",
"all_timestamps": timestamps,
"pf_hash": Path(pf_path).stem.split("-")[-1] if "-" in Path(pf_path).stem else "",
"resources_count": len(resources),
"volumes": volumes,
"file_size": os.path.getsize(pf_path),
"file_sha256": self._hash_file(pf_path),
}
self.executions.append(entry)
return entry
def _hash_file(self, path):
h = hashlib.sha256()
with open(path, "rb") as f:
for chunk in iter(lambda: f.read(8192), b""):
h.update(chunk)
return h.hexdigest()
def parse_directory(self, prefetch_dir):
"""Parse all .pf files in a directory."""
pf_dir = Path(prefetch_dir)
pf_files = sorted(pf_dir.glob("*.pf"), key=lambda p: p.stat().st_mtime, reverse=True)
for pf_file in pf_files:
self.parse_prefetch_file(str(pf_file))
return len(pf_files)
def detect_suspicious(self):
"""Flag known attack tools and LOLBins."""
for entry in self.executions:
exe = entry["executable"].lower()
exe_base = exe.replace(".exe", "")
if exe_base in SUSPICIOUS_EXECUTABLES:
self.findings.append({
"severity": "critical", "type": "Attack Tool Executed",
"detail": f"{entry['executable']} run {entry['run_count']} times, "
f"last: {entry['last_run_time']}",
})
elif exe in LOLBINS:
if entry["run_count"] > 10:
self.findings.append({
"severity": "medium", "type": "LOLBin High Usage",
"detail": f"{entry['executable']} run {entry['run_count']} times",
})
def detect_renamed_binaries(self):
"""Detect potential binary renaming/masquerading."""
for entry in self.executions:
exe = entry["executable"].upper()
pf_name = Path(entry["file"]).stem.upper()
expected_prefix = exe.replace(".EXE", "")
if not pf_name.startswith(expected_prefix):
self.findings.append({
"severity": "high", "type": "Possible Renamed Binary",
"detail": f"PF name '{pf_name}' does not match executable '{exe}'",
})
def build_timeline(self):
"""Build chronological execution timeline."""
timeline = []
for entry in self.executions:
for ts in entry["all_timestamps"]:
if ts:
timeline.append({
"timestamp": ts,
"executable": entry["executable"],
"run_count": entry["run_count"],
})
timeline.sort(key=lambda x: x["timestamp"], reverse=True)
return timeline[:100]
def generate_report(self, prefetch_dir):
count = self.parse_directory(prefetch_dir)
self.detect_suspicious()
self.detect_renamed_binaries()
timeline = self.build_timeline()
report = {
"report_date": datetime.utcnow().isoformat(),
"prefetch_dir": str(prefetch_dir),
"total_prefetch_files": count,
"total_unique_executables": len(self.executions),
"execution_history": self.executions,
"execution_timeline": timeline[:50],
"findings": self.findings,
"total_findings": len(self.findings),
}
out = self.output_dir / "prefetch_analysis_report.json"
with open(out, "w") as f:
json.dump(report, f, indent=2, default=str)
print(json.dumps(report, indent=2, default=str))
return report
def main():
parser = argparse.ArgumentParser(
description="Analyze Windows Prefetch files for execution forensics"
)
parser.add_argument("prefetch_dir", help="Path to directory containing .pf files")
parser.add_argument("--output-dir", default="./prefetch_analysis")
args = parser.parse_args()
os.makedirs(args.output_dir, exist_ok=True)
analyzer = PrefetchAnalyzer(output_dir=args.output_dir)
analyzer.generate_report(args.prefetch_dir)
if __name__ == "__main__":
main()