mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Add 5 new cybersecurity skills: golden ticket detection, traffic baselining, sandbox evasion analysis, domain fronting hunting, SpiderFoot OSINT
This commit is contained in:
@@ -0,0 +1,84 @@
|
||||
# Malware Sandbox Evasion Techniques API Reference
|
||||
|
||||
## MITRE ATT&CK T1497 Sub-techniques
|
||||
|
||||
| Sub-technique | ID | Evasion Method |
|
||||
|---|---|---|
|
||||
| System Checks | T1497.001 | VM artifacts, registry keys, MAC prefixes, process names |
|
||||
| User Activity Based Checks | T1497.002 | Mouse movement, keyboard input, foreground window |
|
||||
| Time Based Evasion | T1497.003 | GetTickCount, sleep inflation, RDTSC timing |
|
||||
|
||||
## Cuckoo Sandbox Report JSON Structure
|
||||
|
||||
### API Call Format
|
||||
```json
|
||||
{
|
||||
"behavior": {
|
||||
"processes": [
|
||||
{
|
||||
"process_name": "malware.exe",
|
||||
"pid": 1234,
|
||||
"calls": [
|
||||
{
|
||||
"api": "GetTickCount",
|
||||
"category": "system",
|
||||
"arguments": {},
|
||||
"return": "123456789"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Timing API Indicators
|
||||
|
||||
| API | Purpose | Evasion Use |
|
||||
|---|---|---|
|
||||
| GetTickCount / GetTickCount64 | System uptime in ms | Check if uptime < 20min (sandbox) |
|
||||
| QueryPerformanceCounter | High-res timer | Measure sleep accuracy |
|
||||
| GetSystemTimeAsFileTime | System time | Detect time acceleration |
|
||||
| NtQuerySystemTime | Kernel time query | Compare with user-mode time |
|
||||
| RDTSC | CPU timestamp counter | Detect VM overhead in timing |
|
||||
|
||||
## VM Artifact Indicators
|
||||
|
||||
### Registry Keys
|
||||
```
|
||||
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
|
||||
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
|
||||
HKLM\HARDWARE\ACPI\DSDT\VBOX__
|
||||
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
|
||||
```
|
||||
|
||||
### VM Process Names
|
||||
```
|
||||
vmtoolsd.exe, vmwaretray.exe # VMware
|
||||
vboxservice.exe, vboxtray.exe # VirtualBox
|
||||
qemu-ga.exe # QEMU
|
||||
prl_tools.exe # Parallels
|
||||
```
|
||||
|
||||
### VM MAC Address Prefixes
|
||||
```
|
||||
00:0C:29 VMware
|
||||
00:50:56 VMware
|
||||
08:00:27 VirtualBox
|
||||
00:1C:42 Parallels
|
||||
52:54:00 QEMU/KVM
|
||||
```
|
||||
|
||||
## AnyRun Report API
|
||||
|
||||
### Get Report
|
||||
```
|
||||
GET https://api.any.run/v1/analysis/{task_id}
|
||||
Authorization: API-Key <key>
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
```bash
|
||||
python agent.py --report cuckoo_report.json --output evasion_report.json
|
||||
python agent.py --report report.json --min-sleep-ms 30000
|
||||
```
|
||||
Reference in New Issue
Block a user