8 Commits

Author SHA1 Message Date
Mahipal 2c88b96cf7 ci: add workflow to auto-sync marketplace version on release 2026-03-31 14:46:36 +02:00
Mahipal aecb3cd6ed Update marketplace version to v1.1.0 2026-03-31 14:41:58 +02:00
Mahipal d388b31205 Remove Product Hunt badge from README
Removed Product Hunt badge from README.
2026-03-28 17:51:39 +01:00
Mahipal ac6abba321 Add Product Hunt badge to README
Added a Product Hunt badge to promote the project.
2026-03-28 17:23:50 +01:00
mukul975 8dc2a4f9c7 chore: auto-update index.json 2026-03-28 11:41:02 +00:00
mukul975 9fc237a590 Fix ESET AV false positive on AMSI bypass strings in skill docs 2026-03-28 12:40:53 +01:00
mukul975 840049b17d chore: auto-update index.json 2026-03-27 09:24:27 +00:00
Julio César Suástegui b7bd6b1619 Add skill: detecting-lateral-movement-with-zeek (fixes #5) (#29) 2026-03-27 10:24:16 +01:00
43 changed files with 1 additions and 490 deletions
+1 -1
View File
File diff suppressed because one or more lines are too long
@@ -4,7 +4,6 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma
domain: cybersecurity
subdomain: malware-analysis
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
mitre_attack: ["T1547", "T1053", "T1543", "T1546"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -9,7 +9,6 @@ description: >
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Detect and analyze Linux persistence mechanisms including crontab e
domain: cybersecurity
subdomain: threat-hunting
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
mitre_attack: ["T1070", "T1562", "T1059"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra
domain: cybersecurity
subdomain: digital-forensics
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
mitre_attack: ["T1059", "T1204", "T1036"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
mitre_attack: ["T1190", "T1566", "T1078"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Build collaborative forensic incident timelines using Timesketch to
domain: cybersecurity
subdomain: incident-response
tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics]
mitre_attack: ["T1070", "T1059", "T1053"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Build structured communication templates for malware incidents incl
domain: cybersecurity
subdomain: incident-response
tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure]
mitre_attack: ["T1566", "T1204", "T1027"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Implement a phishing report button in email clients with automated
domain: cybersecurity
subdomain: phishing-defense
tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
mitre_attack: ["T1566", "T1204", "T1534"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -8,7 +8,6 @@ description: >
domain: cybersecurity
subdomain: soc-operations
tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment]
mitre_attack: ["T1486", "T1490", "T1489", "T1570"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing]
mitre_attack: ["T1071", "T1059", "T1547", "T1053"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Collect volatile forensic evidence from a compromised system follow
domain: cybersecurity
subdomain: incident-response
tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody]
mitre_attack: ["T1003", "T1055", "T1059", "T1547"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -9,7 +9,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment]
mitre_attack: ["T1078", "T1537", "T1580", "T1525"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR]
mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation]
mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Facilitate structured post-incident reviews to identify root causes
domain: cybersecurity
subdomain: incident-response
tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement]
mitre_attack: ["T1190", "T1566", "T1078"]
version: "1.0"
author: mahipal
license: Apache-2.0
-1
View File
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response]
mitre_attack: ["T1021", "T1570", "T1210", "T1072"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST
domain: cybersecurity
subdomain: malware-analysis
tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response]
mitre_attack: ["T1059.001", "T1027", "T1140"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -9,7 +9,6 @@ description: >
domain: cybersecurity
subdomain: endpoint-security
tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Detect compromised O365 and Google Workspace email accounts by anal
domain: cybersecurity
subdomain: incident-response
tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover]
mitre_attack: ["T1114", "T1566", "T1078", "T1534"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Systematically remove malware, backdoors, and attacker persistence
domain: cybersecurity
subdomain: incident-response
tags: [incident-response, eradication, malware-removal, persistence, dfir]
mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
mitre_attack: ["T1003", "T1558", "T1552"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -8,7 +8,6 @@ description: >
domain: cybersecurity
subdomain: soc-operations
tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response]
mitre_attack: ["T1566", "T1059", "T1078"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Implement automated incident response playbooks in Cortex XSOAR to
domain: cybersecurity
subdomain: soc-operations
tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex]
mitre_attack: ["T1566", "T1204", "T1078"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Deploy and configure Velociraptor for scalable endpoint forensic ar
domain: cybersecurity
subdomain: incident-response
tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response]
mitre_attack: ["T1059", "T1003", "T1070", "T1547"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -8,7 +8,6 @@ description: >
domain: cybersecurity
subdomain: soc-operations
tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Investigate Active Directory compromise by analyzing authentication
domain: cybersecurity
subdomain: incident-response
tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket]
mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Execute cloud-native incident containment across AWS, Azure, and GC
domain: cybersecurity
subdomain: incident-response
tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation]
mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -1,151 +0,0 @@
---
name: performing-cloud-native-threat-hunting-with-aws-detective
description: Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses.
domain: cybersecurity
subdomain: cloud-security
tags: [aws-detective, threat-hunting, cloud-security, guardduty, behavior-graph, aws, iam, ec2, incident-investigation]
version: "1.0"
author: juliosuas
license: Apache-2.0
---
# Performing Cloud-Native Threat Hunting with AWS Detective
## Overview
AWS Detective automatically collects and analyzes log data from AWS CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs to build interactive behavior graphs. These graphs enable security analysts to investigate entities (IAM users, roles, IP addresses, EC2 instances) across time, identify anomalous API calls, detect lateral movement between accounts, and correlate GuardDuty findings into coherent attack narratives — all without manual log parsing.
## Prerequisites
- AWS account with Detective enabled (requires GuardDuty active for 48+ hours)
- AWS CLI v2 configured with appropriate IAM permissions (`detective:*`, `guardduty:List*`)
- Python 3.9+ with boto3
- IAM policy: `AmazonDetectiveFullAccess` or custom policy with `detective:SearchGraph`, `detective:GetInvestigation`, `detective:ListIndicators`
## Key Concepts
| Concept | Description |
|---------|-------------|
| **Behavior Graph** | Data structure linking CloudTrail, VPC Flow, GuardDuty, and EKS logs for an account/region |
| **Entity** | Investigable object: IAM user, IAM role, EC2 instance, IP address, S3 bucket, EKS cluster |
| **Finding Group** | Correlated set of GuardDuty findings linked to the same attack campaign |
| **Entity Profile** | Timeline of API calls, network connections, and resource access for a specific entity |
| **Scope Time** | Investigation window (default 24h, max 1 year) for behavioral analysis |
## Steps
### Step 1: List Available Behavior Graphs
```bash
aws detective list-graphs --output table
```
### Step 2: Investigate a Suspicious IAM User
```bash
# Get entity profile for an IAM user
aws detective get-investigation \
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
--investigation-id 000000000000000000001
```
### Step 3: Search Entities Programmatically
```python
#!/usr/bin/env python3
"""Search AWS Detective for suspicious entities."""
import boto3
import json
from datetime import datetime, timedelta
detective = boto3.client('detective')
def list_behavior_graphs():
"""List all Detective behavior graphs."""
response = detective.list_graphs()
return response.get('GraphList', [])
def get_investigation_indicators(graph_arn, investigation_id, max_results=50):
"""Get indicators for a specific investigation."""
response = detective.list_indicators(
GraphArn=graph_arn,
InvestigationId=investigation_id,
MaxResults=max_results
)
return response.get('Indicators', [])
def investigate_guardduty_findings(graph_arn):
"""List high-severity investigations correlated by Detective."""
response = detective.list_investigations(
GraphArn=graph_arn,
FilterCriteria={
'Severity': {'Value': 'CRITICAL'},
'Status': {'Value': 'RUNNING'}
},
MaxResults=20
)
for investigation in response.get('InvestigationDetails', []):
print(f"Investigation: {investigation['InvestigationId']}")
print(f" Entity: {investigation['EntityArn']}")
print(f" Status: {investigation['Status']}")
print(f" Severity: {investigation['Severity']}")
print(f" Created: {investigation['CreatedTime']}")
print()
if __name__ == "__main__":
graphs = list_behavior_graphs()
for graph in graphs:
print(f"Graph: {graph['Arn']}")
investigate_guardduty_findings(graph['Arn'])
```
### Step 4: Analyze Finding Groups for Attack Campaigns
```bash
# List investigations with high severity
aws detective list-investigations \
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
--filter-criteria '{"Severity":{"Value":"HIGH"}}' \
--max-results 10
```
### Step 5: Check Entity Indicators
```bash
# Get indicators for a specific investigation
aws detective list-indicators \
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
--investigation-id 000000000000000000001 \
--max-results 50
```
## Expected Output
The `list-investigations` command returns investigation metadata:
```json
{
"InvestigationDetails": [
{
"InvestigationId": "000000000000000000001",
"Severity": "CRITICAL",
"Status": "RUNNING",
"State": "ACTIVE",
"EntityArn": "arn:aws:iam::123456789012:user/suspicious-user",
"EntityType": "IAM_USER",
"CreatedTime": "2026-03-15T14:30:00Z"
}
]
}
```
Indicators are retrieved separately via `list-indicators` and include types such as `TTP_OBSERVED`, `IMPOSSIBLE_TRAVEL`, `FLAGGED_IP_ADDRESS`, `NEW_GEOLOCATION`, `NEW_ASO`, `NEW_USER_AGENT`, `RELATED_FINDING`, and `RELATED_FINDING_GROUP`.
## Verification
1. Confirm behavior graph has data: `aws detective list-graphs` returns non-empty list
2. Validate investigation results contain entity timelines with API call sequences
3. Cross-reference Detective findings with raw CloudTrail logs for accuracy
4. Verify finding group correlations match manual investigation conclusions
5. Confirm automated alerts trigger for HIGH/CRITICAL severity investigations
@@ -1,34 +0,0 @@
# AWS Detective Investigation Checklist
## Pre-Investigation
- [ ] Confirm Detective is enabled and receiving data
- [ ] Identify trigger (GuardDuty finding, alert, manual hunt)
- [ ] Define scope time window
- [ ] Document initial IOCs
## Entity Investigation
- [ ] IAM User/Role profile reviewed
- [ ] API call timeline analyzed
- [ ] Geographic anomalies checked (impossible travel)
- [ ] New API calls identified (never seen before)
- [ ] Privilege escalation attempts documented
- [ ] AssumeRole chain traced
## Network Analysis
- [ ] VPC Flow Logs reviewed for entity
- [ ] Outbound connections to suspicious IPs identified
- [ ] Data transfer volumes assessed
- [ ] DNS query patterns checked
## Finding Correlation
- [ ] All related GuardDuty findings grouped
- [ ] MITRE ATT&CK techniques mapped
- [ ] Attack timeline constructed
- [ ] Initial access vector identified
## Response Actions
- [ ] Evidence preserved (or capture rationale if immediate containment required)
- [ ] Compromised credentials disabled
- [ ] Active sessions revoked
- [ ] Affected resources isolated
- [ ] Stakeholders notified
@@ -1,19 +0,0 @@
# Standards & References
## MITRE ATT&CK Cloud Matrix
- **TA0001** Initial Access: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application)
- **TA0003** Persistence: T1098 (Account Manipulation), T1136 (Create Account)
- **TA0004** Privilege Escalation: T1078, T1484 (Domain Policy Modification)
- **TA0005** Defense Evasion: T1562 (Impair Defenses), T1070 (Indicator Removal)
- **TA0006** Credential Access: T1528 (Steal Application Access Token)
- **TA0007** Discovery: T1580 (Cloud Infrastructure Discovery), T1526 (Cloud Service Discovery)
- **TA0009** Collection: T1530 (Data from Cloud Storage)
- **TA0010** Exfiltration: T1537 (Transfer Data to Cloud Account)
## AWS Documentation
- [AWS Detective User Guide](https://docs.aws.amazon.com/detective/latest/userguide/)
- [AWS Detective API Reference](https://docs.aws.amazon.com/detective/latest/APIReference/)
- [GuardDuty Finding Types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
## CIS AWS Foundations Benchmark
- Section 4: Monitoring (relevant to Detective integration)
@@ -1,31 +0,0 @@
# AWS Detective Investigation Workflow
## Phase 1: Triage
1. Review GuardDuty HIGH/CRITICAL findings
2. Open Detective console → Finding Groups
3. Identify clustered findings pointing to same entity
## Phase 2: Entity Investigation
1. Select entity (IAM user/role, EC2, IP)
2. Review 24h behavior timeline
3. Identify unusual API calls, new geolocations, impossible travel
4. Check for privilege escalation patterns (CreateAccessKey, AttachPolicy)
## Phase 3: Scope Assessment
1. Trace lateral movement via AssumeRole chains
2. Check S3 data access patterns
3. Review VPC Flow Logs for unusual outbound connections
4. Identify all compromised credentials
## Phase 4: Correlation
1. Map findings to MITRE ATT&CK techniques
2. Build attack timeline from entity profiles
3. Identify initial access vector
4. Document indicators of compromise (IOCs)
## Phase 5: Response
1. Preserve evidence (CloudTrail logs, flow logs, snapshots) when safe
2. Disable compromised credentials
3. Revoke active sessions
4. Isolate affected resources
5. If active impact is ongoing, contain first and document evidence trade-offs
@@ -1,217 +0,0 @@
#!/usr/bin/env python3
"""
AWS Detective Threat Hunting Script
Lists behavior graphs, retrieves investigations, and analyzes entity
indicators for cloud-native threat hunting.
"""
import boto3
import json
import sys
import os
from datetime import datetime, timedelta
def _collect_all_pages(client_method, result_key, **kwargs):
"""Paginate through all pages of an AWS Detective API call."""
all_items = []
while True:
response = client_method(**kwargs)
all_items.extend(response.get(result_key, []))
next_token = response.get('NextToken')
if not next_token:
break
kwargs['NextToken'] = next_token
return all_items
def list_behavior_graphs(session):
"""List all Detective behavior graphs in the account."""
client = session.client('detective')
graphs = _collect_all_pages(client.list_graphs, 'GraphList')
if not graphs:
print("[!] No behavior graphs found. Enable Detective first.")
return []
print(f"[+] Found {len(graphs)} behavior graph(s)\n")
for graph in graphs:
print(f" ARN: {graph['Arn']}")
created = graph.get('CreatedTime', 'N/A')
print(f" Created: {created}")
print()
return graphs
def list_investigations(session, graph_arn, severity=None, max_results=20):
"""List investigations filtered by severity."""
client = session.client('detective')
filter_criteria = {}
if severity:
filter_criteria['Severity'] = {'Value': severity}
kwargs = {
'GraphArn': graph_arn,
'MaxResults': max_results,
}
if filter_criteria:
kwargs['FilterCriteria'] = filter_criteria
investigations = _collect_all_pages(
client.list_investigations, 'InvestigationDetails', **kwargs
)
if not investigations:
print("[+] No investigations found matching criteria")
return []
print(f"[+] Found {len(investigations)} investigation(s)\n")
for inv in investigations:
inv_id = inv.get('InvestigationId', 'N/A')
severity = inv.get('Severity', 'N/A')
status = inv.get('Status', 'N/A')
entity = inv.get('EntityArn', 'N/A')
created = inv.get('CreatedTime', 'N/A')
print(f" Investigation: {inv_id}")
print(f" Severity: {severity} | Status: {status}")
print(f" Entity: {entity}")
print(f" Created: {created}")
print()
return investigations
def get_investigation_detail(session, graph_arn, investigation_id):
"""Get detailed information about a specific investigation."""
client = session.client('detective')
response = client.get_investigation(
GraphArn=graph_arn,
InvestigationId=investigation_id,
)
print(f"[+] Investigation: {investigation_id}")
print(f" Entity: {response.get('EntityArn', 'N/A')}")
print(f" Entity Type: {response.get('EntityType', 'N/A')}")
print(f" Severity: {response.get('Severity', 'N/A')}")
print(f" Status: {response.get('Status', 'N/A')}")
print(f" Created: {response.get('CreatedTime', 'N/A')}")
print(f" Scope Start: {response.get('ScopeStartTime', 'N/A')}")
print(f" Scope End: {response.get('ScopeEndTime', 'N/A')}")
return response
def list_indicators(session, graph_arn, investigation_id, max_results=50):
"""List indicators for a specific investigation."""
client = session.client('detective')
indicators = _collect_all_pages(
client.list_indicators, 'Indicators',
GraphArn=graph_arn,
InvestigationId=investigation_id,
MaxResults=max_results,
)
if not indicators:
print("[+] No indicators found for this investigation")
return []
print(f"[+] Found {len(indicators)} indicator(s)\n")
for ind in indicators:
ind_type = ind.get('IndicatorType', 'N/A')
detail = ind.get('IndicatorDetail', {})
print(f" Type: {ind_type}")
if detail:
print(f" Detail: {json.dumps(detail, default=str)[:200]}")
print()
return indicators
def export_results(data, output_dir):
"""Export investigation results to JSON."""
os.makedirs(output_dir, exist_ok=True)
out_path = os.path.join(output_dir, "detective_results.json")
with open(out_path, "w") as f:
json.dump(data, f, indent=2, default=str)
print(f"[+] Results exported to {out_path}")
return out_path
if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(
description="AWS Detective Threat Hunting Tool"
)
parser.add_argument(
"--graphs", action="store_true", help="List behavior graphs"
)
parser.add_argument(
"--investigations", action="store_true", help="List investigations"
)
parser.add_argument("--graph-arn", type=str, help="Behavior graph ARN")
parser.add_argument(
"--investigation-id", type=str, help="Investigation ID for detail view"
)
parser.add_argument(
"--indicators", action="store_true", help="List indicators"
)
parser.add_argument(
"--severity",
type=str,
default=None,
choices=["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
help="Severity filter (e.g. HIGH)",
)
parser.add_argument("--max-results", type=int, default=20,
help="Max results per API call (1-100)")
parser.add_argument("--region", default="us-east-1")
parser.add_argument("--profile", type=str, help="AWS profile name")
parser.add_argument(
"--output", type=str, help="Output directory for JSON export"
)
args = parser.parse_args()
if args.max_results < 1 or args.max_results > 100:
parser.error("--max-results must be between 1 and 100")
kwargs = {"region_name": args.region}
if args.profile:
kwargs["profile_name"] = args.profile
session = boto3.Session(**kwargs)
results = {}
if args.graphs:
results["graphs"] = list_behavior_graphs(session)
if args.investigations:
if not args.graph_arn:
print("[!] --graph-arn required for --investigations")
sys.exit(1)
results["investigations"] = list_investigations(
session, args.graph_arn, args.severity, args.max_results
)
if args.investigation_id:
if not args.graph_arn:
print("[!] --graph-arn required for --investigation-id")
sys.exit(1)
results["detail"] = get_investigation_detail(
session, args.graph_arn, args.investigation_id
)
if args.indicators:
if not args.graph_arn or not args.investigation_id:
print("[!] --graph-arn and --investigation-id required for --indicators")
sys.exit(1)
results["indicators"] = list_indicators(
session, args.graph_arn, args.investigation_id, args.max_results
)
if args.output and results:
export_results(results, args.output)
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody]
mitre_attack: ["T1070", "T1027", "T1036", "T1564"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR]
mitre_attack: ["T1078", "T1048", "T1567", "T1114"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Systematically investigate all persistence mechanisms on Windows an
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance]
mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -8,7 +8,6 @@ description: >
domain: cybersecurity
subdomain: soc-operations
tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation]
mitre_attack: ["T1566", "T1486", "T1078"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -4,7 +4,6 @@ description: Classify and prioritize security incidents using structured IR play
domain: cybersecurity
subdomain: incident-response
tags: [incident-response, triage, playbook, severity-classification, soc]
mitre_attack: ["T1190", "T1566", "T1078"]
version: "1.0"
author: mahipal
license: Apache-2.0
@@ -10,7 +10,6 @@ description: >
domain: cybersecurity
subdomain: incident-response
tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations]
mitre_attack: ["T1190", "T1566", "T1078", "T1059"]
version: 1.0.0
author: mahipal
license: Apache-2.0