mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
Add 5 new cybersecurity skills: AFL++ fuzzing, Sysmon scheduled task detection, ModSecurity WAF logging, MITRE Navigator TTP analysis, PowerShell script block hunting
This commit is contained in:
@@ -0,0 +1,106 @@
|
||||
# Hunting for Anomalous PowerShell Execution — API Reference
|
||||
|
||||
## Windows Event Log IDs
|
||||
|
||||
| Event ID | Log Source | Description |
|
||||
|----------|-----------|-------------|
|
||||
| 4104 | Microsoft-Windows-PowerShell/Operational | Script Block Logging — full deobfuscated script text |
|
||||
| 4103 | Microsoft-Windows-PowerShell/Operational | Module Logging — pipeline execution details |
|
||||
| 4688 | Security | Process Creation with command line auditing |
|
||||
| 800 | Windows PowerShell | Pipeline execution (classic log) |
|
||||
|
||||
## Event 4104 XML Fields
|
||||
|
||||
| Field | Path | Description |
|
||||
|-------|------|-------------|
|
||||
| ScriptBlockText | EventData/Data[@Name='ScriptBlockText'] | Full script block content |
|
||||
| ScriptBlockId | EventData/Data[@Name='ScriptBlockId'] | GUID linking multi-part blocks |
|
||||
| MessageNumber | EventData/Data[@Name='MessageNumber'] | Part number for split blocks |
|
||||
| MessageTotal | EventData/Data[@Name='MessageTotal'] | Total parts in split block |
|
||||
| Path | EventData/Data[@Name='Path'] | Script file path (if applicable) |
|
||||
|
||||
## AMSI Bypass Indicators
|
||||
|
||||
| Indicator | Context |
|
||||
|-----------|---------|
|
||||
| `System.Management.Automation.AmsiUtils` | Reflection access to AMSI internals |
|
||||
| `amsiInitFailed` | Setting AMSI init flag to bypass scanning |
|
||||
| `AmsiScanBuffer` | Patching the scan buffer function |
|
||||
| `amsi.dll` | Direct DLL manipulation |
|
||||
| `VirtualProtect` | Memory protection change for AMSI patching |
|
||||
| `Marshal::Copy` | Overwriting AMSI function bytes in memory |
|
||||
|
||||
## Suspicious PowerShell Keywords
|
||||
|
||||
| Keyword | Category |
|
||||
|---------|----------|
|
||||
| `Invoke-Mimikatz` | Credential Dumping |
|
||||
| `Invoke-Kerberoast` | Credential Access |
|
||||
| `Invoke-ShellCode` | Code Injection |
|
||||
| `Invoke-ReflectivePEInjection` | Process Injection |
|
||||
| `PowerView` | Active Directory Enumeration |
|
||||
| `SharpHound` / `BloodHound` | AD Attack Path Mapping |
|
||||
| `Rubeus` | Kerberos Ticket Manipulation |
|
||||
| `Out-Minidump` | LSASS Memory Dumping |
|
||||
|
||||
## Download Cradle Patterns
|
||||
|
||||
| Pattern | Example |
|
||||
|---------|---------|
|
||||
| `Net.WebClient` | `(New-Object Net.WebClient).DownloadString(...)` |
|
||||
| `Invoke-WebRequest` | `IWR -Uri http://... -OutFile ...` |
|
||||
| `DownloadString` | `$wc.DownloadString('http://...')` |
|
||||
| `Start-BitsTransfer` | `Start-BitsTransfer -Source http://...` |
|
||||
| `Invoke-RestMethod` | `IRM http://... \| IEX` |
|
||||
|
||||
## Obfuscation Indicators
|
||||
|
||||
| Pattern | Description |
|
||||
|---------|-------------|
|
||||
| `-EncodedCommand` / `-enc` | Base64-encoded PowerShell command |
|
||||
| `IEX` / `Invoke-Expression` | Dynamic execution of string content |
|
||||
| `[Convert]::FromBase64String` | Base64 decoding in script |
|
||||
| `-join [char[]]` | Character array concatenation obfuscation |
|
||||
| `.Replace()` chaining | String substitution for keyword evasion |
|
||||
|
||||
## python-evtx Library Usage
|
||||
|
||||
```python
|
||||
import Evtx.Evtx as evtx
|
||||
from lxml import etree
|
||||
|
||||
with evtx.Evtx("PowerShell-Operational.evtx") as log:
|
||||
for record in log.records():
|
||||
xml = record.xml()
|
||||
root = etree.fromstring(xml.encode("utf-8"))
|
||||
# Extract EventID, EventData fields
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
# Hunt for suspicious PowerShell in EVTX file
|
||||
python agent.py --evtx /path/to/PowerShell-Operational.evtx
|
||||
|
||||
# Limit events parsed
|
||||
python agent.py --evtx logs.evtx --max-events 5000
|
||||
|
||||
# Save report to JSON
|
||||
python agent.py --evtx logs.evtx --output hunt_report.json
|
||||
```
|
||||
|
||||
## Group Policy Settings for Script Block Logging
|
||||
|
||||
```
|
||||
Computer Configuration > Administrative Templates > Windows Components
|
||||
> Windows PowerShell > Turn on PowerShell Script Block Logging
|
||||
-> Enabled
|
||||
-> Log script block invocation start / stop events: Checked
|
||||
```
|
||||
|
||||
## External References
|
||||
|
||||
- [Splunk: Hunting for Malicious PowerShell using Script Block Logging](https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html)
|
||||
- [block-parser: PowerShell Script Block Log Parser](https://github.com/matthewdunwoody/block-parser)
|
||||
- [Windows Forensic Artifacts: EVTX 4104](https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4104-script-block-logging.md)
|
||||
- [Elastic: AMSI Bypass via PowerShell Detection Rule](https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_amsi_bypass_powershell)
|
||||
Reference in New Issue
Block a user