mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Compare commits
33 Commits
e8105a2f4d
..
v1.0.0
| Author | SHA1 | Date | |
|---|---|---|---|
| dfea41c26a | |||
| f435b0cb28 | |||
| edf50953ac | |||
| 281dc9983a | |||
| d696e750dd | |||
| 8f7ab23bf3 | |||
| a15f57ad34 | |||
| 6f6b4d63ce | |||
| 21d8faf1fe | |||
| 66c4dc14cd | |||
| 3e9477670c | |||
| 740ff85adc | |||
| c639db4596 | |||
| b36af033f4 | |||
| d08b68f646 | |||
| 0c26c1eb87 | |||
| 6b32dc4da2 | |||
| ccce7d4e06 | |||
| 5a5dcd84ac | |||
| 915ea611e5 | |||
| d2341d4c96 | |||
| 724fda0883 | |||
| 1ba371d7f7 | |||
| 679c98b339 | |||
| 466f37bfb6 | |||
| a6746179d3 | |||
| 992dae80cf | |||
| de282538ae | |||
| 6d74c0fc8b | |||
| f0c54ee732 | |||
| bec23e9649 | |||
| f612883701 | |||
| eb33225f61 |
@@ -2,18 +2,18 @@
|
||||
"name": "anthropic-cybersecurity-skills",
|
||||
"owner": {
|
||||
"name": "mukul975",
|
||||
"email": "mukuljangra5@gmail.com"
|
||||
"email": "mukul975@users.noreply.github.com"
|
||||
},
|
||||
"metadata": {
|
||||
"description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
|
||||
"version": "1.1.0"
|
||||
"description": "607+ cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
|
||||
"version": "1.0.0"
|
||||
},
|
||||
"plugins": [
|
||||
{
|
||||
"name": "cybersecurity-skills",
|
||||
"source": "./",
|
||||
"descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"version": "1.1.0",
|
||||
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"version": "1.0.0",
|
||||
"author": {
|
||||
"name": "mukul975"
|
||||
},
|
||||
@@ -34,4 +34,4 @@
|
||||
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"name": "cybersecurity-skills",
|
||||
"description": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"version": "1.0.0"
|
||||
}
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
github: mukul975
|
||||
custom: ["https://paypal.me/mahipaljangra"]
|
||||
@@ -1,41 +0,0 @@
|
||||
name: Sync Marketplace Version on Release
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
jobs:
|
||||
sync-version:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Extract version from tag
|
||||
id: version
|
||||
run: |
|
||||
VERSION=${GITHUB_REF_NAME#v}
|
||||
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
||||
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Update marketplace.json version
|
||||
env:
|
||||
VERSION: ${{ steps.version.outputs.version }}
|
||||
run: |
|
||||
jq --arg v "$VERSION"
|
||||
'.metadata.version = $v | .plugins[].version = $v'
|
||||
.claude-plugin/marketplace.json > tmp.json
|
||||
mv tmp.json .claude-plugin/marketplace.json
|
||||
echo "Updated marketplace.json to version $VERSION"
|
||||
|
||||
- name: Commit and push
|
||||
run: |
|
||||
git config user.name "mukul975"
|
||||
git config user.email "mukuljangra5@gmail.com"
|
||||
git add .claude-plugin/marketplace.json
|
||||
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
|
||||
git push
|
||||
@@ -5,8 +5,6 @@ on:
|
||||
branches: [main]
|
||||
paths:
|
||||
- 'skills/**'
|
||||
- '.github/workflows/update-index.yml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
update-index:
|
||||
@@ -23,9 +21,12 @@ jobs:
|
||||
python3 << 'EOF'
|
||||
import os, json, re
|
||||
from datetime import datetime, timezone
|
||||
from collections import Counter
|
||||
|
||||
skills_dir = "skills"
|
||||
skills = []
|
||||
subdomain_counts = Counter()
|
||||
tag_counter = Counter()
|
||||
|
||||
for skill_name in sorted(os.listdir(skills_dir)):
|
||||
skill_md = os.path.join(skills_dir, skill_name, "SKILL.md")
|
||||
@@ -34,37 +35,58 @@ jobs:
|
||||
with open(skill_md, "r", encoding="utf-8") as f:
|
||||
content = f.read()
|
||||
fm_match = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
|
||||
description = ""
|
||||
if fm_match:
|
||||
m = re.search(r"^description:\s*(.+)$", fm_match.group(1), re.MULTILINE)
|
||||
if m:
|
||||
description = m.group(1).strip().strip('"')
|
||||
if not fm_match:
|
||||
continue
|
||||
fm = fm_match.group(1)
|
||||
def get_field(field, text):
|
||||
m = re.search(rf"^{field}:\s*(.+)$", text, re.MULTILINE)
|
||||
return m.group(1).strip().strip('"') if m else ""
|
||||
def get_tags(text):
|
||||
m = re.search(r"^tags:\s*\[(.+)\]", text, re.MULTILINE)
|
||||
return [t.strip() for t in m.group(1).split(",")] if m else []
|
||||
|
||||
tags = get_tags(fm)
|
||||
subdomain = get_field("subdomain", fm)
|
||||
subdomain_counts[subdomain] += 1
|
||||
for t in tags:
|
||||
tag_counter[t] += 1
|
||||
|
||||
skills.append({
|
||||
"name": skill_name,
|
||||
"description": description,
|
||||
"name": get_field("name", fm),
|
||||
"description": get_field("description", fm),
|
||||
"domain": "cybersecurity",
|
||||
"subdomain": subdomain,
|
||||
"tags": tags,
|
||||
"version": get_field("version", fm) or "1.0",
|
||||
"author": "mukul975",
|
||||
"license": "Apache-2.0",
|
||||
"path": f"skills/{skill_name}"
|
||||
})
|
||||
|
||||
top_tags = sorted(tag_counter.items(), key=lambda x: -x[1])[:20]
|
||||
index = {
|
||||
"version": "1.1.0",
|
||||
"version": "1.0.0",
|
||||
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
|
||||
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
|
||||
"domain": "cybersecurity",
|
||||
"total_skills": len(skills),
|
||||
"total_domains": 1,
|
||||
"total_subdomains": len(subdomain_counts),
|
||||
"domain_stats": {"cybersecurity": len(skills)},
|
||||
"subdomain_stats": dict(subdomain_counts),
|
||||
"top_tags": [{"tag": t, "count": c} for t, c in top_tags],
|
||||
"skills": skills
|
||||
}
|
||||
|
||||
with open("index.json", "w", encoding="utf-8") as f:
|
||||
json.dump(index, f, separators=(',', ':'))
|
||||
json.dump(index, f, indent=2)
|
||||
|
||||
print(f"Updated index.json: {len(skills)} skills")
|
||||
print(f"Updated index.json: {len(skills)} skills, {len(subdomain_counts)} subdomains")
|
||||
EOF
|
||||
|
||||
- name: Commit updated index
|
||||
run: |
|
||||
git config user.name "mukul975"
|
||||
git config user.email "mukuljangra5@gmail.com"
|
||||
git config user.email "mukul975@users.noreply.github.com"
|
||||
git add index.json
|
||||
git diff --staged --quiet || git commit -m "chore: auto-update index.json"
|
||||
git push
|
||||
|
||||
@@ -12,5 +12,3 @@ __pycache__/
|
||||
Thumbs.db
|
||||
*.swp
|
||||
launch/
|
||||
extract_attack.py
|
||||
AUDIT_REPORT.md
|
||||
|
||||
@@ -1,509 +0,0 @@
|
||||
# MITRE ATT&CK Coverage Map
|
||||
|
||||
<p align="center">
|
||||
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-v16-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK" /></a>
|
||||
<img src="https://img.shields.io/badge/Techniques-291+-blueviolet?style=for-the-badge" alt="Techniques" />
|
||||
<img src="https://img.shields.io/badge/Tactics-14%2F14-green?style=for-the-badge" alt="Tactics" />
|
||||
</p>
|
||||
|
||||
This document maps all **291 unique MITRE ATT&CK techniques** (across **149 parent techniques**) referenced in our **753+ cybersecurity skills** to the 14 Enterprise ATT&CK tactics. Use this to identify coverage gaps, plan detection engineering priorities, or validate your security program against the ATT&CK framework.
|
||||
|
||||
> **How to read this:** Each technique links to its official ATT&CK page. Skills listed under each technique are the ones in this repository that teach detection, hunting, exploitation, or response for that technique.
|
||||
|
||||
---
|
||||
|
||||
## Coverage Summary
|
||||
|
||||
| Tactic | Techniques | Coverage |
|
||||
|:-------|:---------:|:---------|
|
||||
| 🔎 **Reconnaissance** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
|
||||
| 🏗️ **Resource Development** | **7** | `███████░░░░░░░░░░░░░░░░░░░░░░░` |
|
||||
| 🚪 **Initial Access** | **18** | `██████████████████░░░░░░░░░░░░` |
|
||||
| ⚡ **Execution** | **18** | `██████████████████░░░░░░░░░░░░` |
|
||||
| 🔩 **Persistence** | **36** | `██████████████████████████████` |
|
||||
| ⬆️ **Privilege Escalation** | **11** | `███████████░░░░░░░░░░░░░░░░░░░` |
|
||||
| 🥷 **Defense Evasion** | **48** | `██████████████████████████████` |
|
||||
| 🔑 **Credential Access** | **27** | `███████████████████████████░░░` |
|
||||
| 🗺️ **Discovery** | **20** | `████████████████████░░░░░░░░░░` |
|
||||
| ↔️ **Lateral Movement** | **9** | `█████████░░░░░░░░░░░░░░░░░░░░░` |
|
||||
| 📦 **Collection** | **13** | `█████████████░░░░░░░░░░░░░░░░░` |
|
||||
| 📡 **Command and Control** | **20** | `████████████████████░░░░░░░░░░` |
|
||||
| 📤 **Exfiltration** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
|
||||
| 💥 **Impact** | **6** | `██████░░░░░░░░░░░░░░░░░░░░░░░░` |
|
||||
| 🔧 **Other/Cross-tactic** | **34** | |
|
||||
| | **291** | **Total unique techniques** |
|
||||
|
||||
---
|
||||
|
||||
## 🔎 Reconnaissance
|
||||
|
||||
**12 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1589](https://attack.mitre.org/techniques/T1589/) | `conducting-full-scope-red-team-engagement`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
|
||||
| [T1590](https://attack.mitre.org/techniques/T1590/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1591](https://attack.mitre.org/techniques/T1591/) | `collecting-open-source-intelligence`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
|
||||
| [T1592](https://attack.mitre.org/techniques/T1592/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1593](https://attack.mitre.org/techniques/T1593/) | `conducting-full-scope-red-team-engagement`, `performing-open-source-intelligence-gathering` |
|
||||
| [T1594](https://attack.mitre.org/techniques/T1594/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1595](https://attack.mitre.org/techniques/T1595/) | `executing-red-team-engagement-planning`, `triaging-security-incident` |
|
||||
| [T1595.001](https://attack.mitre.org/techniques/T1595/001/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1595.002](https://attack.mitre.org/techniques/T1595/002/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1596](https://attack.mitre.org/techniques/T1596/) | `performing-open-source-intelligence-gathering` |
|
||||
| [T1598](https://attack.mitre.org/techniques/T1598/) | `conducting-social-engineering-pretext-call` |
|
||||
| [T1598.003](https://attack.mitre.org/techniques/T1598/003/) | `conducting-social-engineering-pretext-call`, `conducting-spearphishing-simulation-campaign` |
|
||||
|
||||
---
|
||||
|
||||
## 🏗️ Resource Development
|
||||
|
||||
**7 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1583.001](https://attack.mitre.org/techniques/T1583/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1583.003](https://attack.mitre.org/techniques/T1583/003/) | `building-red-team-c2-infrastructure-with-havoc` |
|
||||
| [T1584.001](https://attack.mitre.org/techniques/T1584/001/) | `hunting-for-dns-based-persistence` |
|
||||
| [T1585.002](https://attack.mitre.org/techniques/T1585/002/) | `conducting-spearphishing-simulation-campaign` |
|
||||
| [T1587.001](https://attack.mitre.org/techniques/T1587/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement` |
|
||||
| [T1608.001](https://attack.mitre.org/techniques/T1608/001/) | `conducting-spearphishing-simulation-campaign` |
|
||||
| [T1608.005](https://attack.mitre.org/techniques/T1608/005/) | `conducting-spearphishing-simulation-campaign` |
|
||||
|
||||
---
|
||||
|
||||
## 🚪 Initial Access
|
||||
|
||||
**18 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1078](https://attack.mitre.org/techniques/T1078/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement` +13 more |
|
||||
| [T1078.001](https://attack.mitre.org/techniques/T1078/001/) | `detecting-service-account-abuse` |
|
||||
| [T1078.002](https://attack.mitre.org/techniques/T1078/002/) | `conducting-domain-persistence-with-dcsync`, `detecting-service-account-abuse`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-constrained-delegation-abuse`, `exploiting-nopac-cve-2021-42278-42287` +1 more |
|
||||
| [T1078.003](https://attack.mitre.org/techniques/T1078/003/) | `performing-privilege-escalation-assessment` |
|
||||
| [T1078.004](https://attack.mitre.org/techniques/T1078/004/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack` |
|
||||
| [T1091](https://attack.mitre.org/techniques/T1091/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
|
||||
| [T1133](https://attack.mitre.org/techniques/T1133/) | `executing-red-team-engagement-planning`, `performing-threat-landscape-assessment-for-sector` |
|
||||
| [T1190](https://attack.mitre.org/techniques/T1190/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `exploiting-ms17-010-eternalblue-vulnerability`, `hunting-for-webshell-activity`, `performing-threat-landscape-assessment-for-sector` +1 more |
|
||||
| [T1195](https://attack.mitre.org/techniques/T1195/) | `analyzing-supply-chain-malware-artifacts`, `performing-threat-landscape-assessment-for-sector` |
|
||||
| [T1195.001](https://attack.mitre.org/techniques/T1195/001/) | `hunting-for-supply-chain-compromise` |
|
||||
| [T1195.002](https://attack.mitre.org/techniques/T1195/002/) | `hunting-for-supply-chain-compromise` |
|
||||
| [T1199](https://attack.mitre.org/techniques/T1199/) | `hunting-for-supply-chain-compromise`, `performing-physical-intrusion-assessment` |
|
||||
| [T1200](https://attack.mitre.org/techniques/T1200/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
|
||||
| [T1566](https://attack.mitre.org/techniques/T1566/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-threat-landscape-with-misp`, `building-attack-pattern-library-from-cti-reports`, `hunting-advanced-persistent-threats` +3 more |
|
||||
| [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-threat-actor-ttps-with-mitre-navigator`, `building-attack-pattern-library-from-cti-reports` +13 more |
|
||||
| [T1566.002](https://attack.mitre.org/techniques/T1566/002/) | `building-attack-pattern-library-from-cti-reports`, `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +1 more |
|
||||
| [T1566.003](https://attack.mitre.org/techniques/T1566/003/) | `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas` |
|
||||
| [T1566.004](https://attack.mitre.org/techniques/T1566/004/) | `conducting-social-engineering-pretext-call` |
|
||||
|
||||
---
|
||||
|
||||
## ⚡ Execution
|
||||
|
||||
**18 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1047](https://attack.mitre.org/techniques/T1047/) | `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints`, `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas` +8 more |
|
||||
| [T1053](https://attack.mitre.org/techniques/T1053/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-persistence-mechanisms-in-linux`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-mitre-attack-coverage-mapping` +4 more |
|
||||
| [T1053.002](https://attack.mitre.org/techniques/T1053/002/) | `hunting-for-scheduled-task-persistence` |
|
||||
| [T1053.003](https://attack.mitre.org/techniques/T1053/003/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-scheduled-task-persistence`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
|
||||
| [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +17 more |
|
||||
| [T1059](https://attack.mitre.org/techniques/T1059/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-windows-event-logs-in-splunk`, `building-incident-timeline-with-timesketch`, `deobfuscating-powershell-obfuscated-malware` +7 more |
|
||||
| [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging` +29 more |
|
||||
| [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `detecting-suspicious-powershell-execution`, `mapping-mitre-attack-techniques`, `performing-purple-team-atomic-testing` |
|
||||
| [T1059.004](https://attack.mitre.org/techniques/T1059/004/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | `analyzing-macro-malware-in-office-documents`, `detecting-living-off-the-land-attacks`, `executing-red-team-exercise`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +2 more |
|
||||
| [T1059.006](https://attack.mitre.org/techniques/T1059/006/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1059.007](https://attack.mitre.org/techniques/T1059/007/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1129](https://attack.mitre.org/techniques/T1129/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1203](https://attack.mitre.org/techniques/T1203/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1204.001](https://attack.mitre.org/techniques/T1204/001/) | `conducting-spearphishing-simulation-campaign` |
|
||||
| [T1204.002](https://attack.mitre.org/techniques/T1204/002/) | `analyzing-macro-malware-in-office-documents`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `detecting-living-off-the-land-attacks`, `executing-red-team-engagement-planning` +4 more |
|
||||
| [T1569](https://attack.mitre.org/techniques/T1569/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1569.002](https://attack.mitre.org/techniques/T1569/002/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `exploiting-ms17-010-eternalblue-vulnerability`, `performing-purple-team-atomic-testing` |
|
||||
|
||||
---
|
||||
|
||||
## 🔩 Persistence
|
||||
|
||||
**36 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1098](https://attack.mitre.org/techniques/T1098/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +1 more |
|
||||
| [T1098.001](https://attack.mitre.org/techniques/T1098/001/) | `conducting-cloud-penetration-testing`, `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1098.002](https://attack.mitre.org/techniques/T1098/002/) | `detecting-azure-lateral-movement`, `detecting-email-forwarding-rules-attack` |
|
||||
| [T1098.004](https://attack.mitre.org/techniques/T1098/004/) | `analyzing-persistence-mechanisms-in-linux`, `implementing-security-monitoring-with-datadog` |
|
||||
| [T1136](https://attack.mitre.org/techniques/T1136/) | `detecting-privilege-escalation-in-kubernetes-pods`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
|
||||
| [T1136.001](https://attack.mitre.org/techniques/T1136/001/) | `analyzing-windows-event-logs-in-splunk`, `performing-purple-team-atomic-testing` |
|
||||
| [T1136.002](https://attack.mitre.org/techniques/T1136/002/) | `exploiting-nopac-cve-2021-42278-42287` |
|
||||
| [T1197](https://attack.mitre.org/techniques/T1197/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
|
||||
| [T1505](https://attack.mitre.org/techniques/T1505/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1505.003](https://attack.mitre.org/techniques/T1505/003/) | `building-attack-pattern-library-from-cti-reports`, `hunting-for-webshell-activity`, `performing-purple-team-atomic-testing` |
|
||||
| [T1542.001](https://attack.mitre.org/techniques/T1542/001/) | `analyzing-uefi-bootkit-persistence` |
|
||||
| [T1542.003](https://attack.mitre.org/techniques/T1542/003/) | `analyzing-uefi-bootkit-persistence` |
|
||||
| [T1543](https://attack.mitre.org/techniques/T1543/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
|
||||
| [T1543.002](https://attack.mitre.org/techniques/T1543/002/) | `analyzing-persistence-mechanisms-in-linux`, `performing-privilege-escalation-on-linux` |
|
||||
| [T1543.003](https://attack.mitre.org/techniques/T1543/003/) | `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-privilege-escalation-attempts`, `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-unusual-service-installations` +2 more |
|
||||
| [T1546](https://attack.mitre.org/techniques/T1546/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
|
||||
| [T1546.001](https://attack.mitre.org/techniques/T1546/001/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1546.003](https://attack.mitre.org/techniques/T1546/003/) | `analyzing-windows-event-logs-in-splunk`, `detecting-fileless-attacks-on-endpoints`, `detecting-fileless-malware-techniques`, `detecting-wmi-persistence`, `hunting-for-lateral-movement-via-wmi` +3 more |
|
||||
| [T1546.004](https://attack.mitre.org/techniques/T1546/004/) | `analyzing-persistence-mechanisms-in-linux` |
|
||||
| [T1546.010](https://attack.mitre.org/techniques/T1546/010/) | `hunting-for-persistence-mechanisms-in-windows` |
|
||||
| [T1546.012](https://attack.mitre.org/techniques/T1546/012/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
|
||||
| [T1546.015](https://attack.mitre.org/techniques/T1546/015/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
|
||||
| [T1547](https://attack.mitre.org/techniques/T1547/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-malware-persistence-with-autoruns`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-siem-use-cases-for-detection` +3 more |
|
||||
| [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints` +10 more |
|
||||
| [T1547.004](https://attack.mitre.org/techniques/T1547/004/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms`, `performing-purple-team-atomic-testing` |
|
||||
| [T1547.005](https://attack.mitre.org/techniques/T1547/005/) | `hunting-for-persistence-mechanisms-in-windows` |
|
||||
| [T1547.009](https://attack.mitre.org/techniques/T1547/009/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1556](https://attack.mitre.org/techniques/T1556/) | `performing-initial-access-with-evilginx3` |
|
||||
| [T1556.007](https://attack.mitre.org/techniques/T1556/007/) | `detecting-azure-lateral-movement` |
|
||||
| [T1574](https://attack.mitre.org/techniques/T1574/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
|
||||
| [T1574.001](https://attack.mitre.org/techniques/T1574/001/) | `detecting-dll-sideloading-attacks`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
|
||||
| [T1574.002](https://attack.mitre.org/techniques/T1574/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `detecting-dll-sideloading-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
|
||||
| [T1574.006](https://attack.mitre.org/techniques/T1574/006/) | `analyzing-persistence-mechanisms-in-linux`, `detecting-dll-sideloading-attacks`, `performing-privilege-escalation-on-linux` |
|
||||
| [T1574.008](https://attack.mitre.org/techniques/T1574/008/) | `detecting-dll-sideloading-attacks` |
|
||||
| [T1574.009](https://attack.mitre.org/techniques/T1574/009/) | `detecting-privilege-escalation-attempts` |
|
||||
| [T1574.011](https://attack.mitre.org/techniques/T1574/011/) | `detecting-privilege-escalation-attempts` |
|
||||
|
||||
---
|
||||
|
||||
## ⬆️ Privilege Escalation
|
||||
|
||||
**11 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1068](https://attack.mitre.org/techniques/T1068/) | `conducting-full-scope-red-team-engagement`, `detecting-container-escape-attempts`, `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `executing-red-team-engagement-planning` +5 more |
|
||||
| [T1134](https://attack.mitre.org/techniques/T1134/) | `analyzing-windows-event-logs-in-splunk`, `detecting-privilege-escalation-attempts` |
|
||||
| [T1134.001](https://attack.mitre.org/techniques/T1134/001/) | `detecting-privilege-escalation-attempts`, `exploiting-constrained-delegation-abuse`, `performing-purple-team-atomic-testing` |
|
||||
| [T1134.005](https://attack.mitre.org/techniques/T1134/005/) | `hunting-for-t1098-account-manipulation`, `performing-active-directory-compromise-investigation` |
|
||||
| [T1484](https://attack.mitre.org/techniques/T1484/) | `exploiting-active-directory-certificate-services-esc1`, `performing-active-directory-vulnerability-assessment` |
|
||||
| [T1484.001](https://attack.mitre.org/techniques/T1484/001/) | `deploying-active-directory-honeytokens`, `performing-active-directory-compromise-investigation` |
|
||||
| [T1548](https://attack.mitre.org/techniques/T1548/) | `detecting-container-escape-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment` |
|
||||
| [T1548.001](https://attack.mitre.org/techniques/T1548/001/) | `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
|
||||
| [T1548.002](https://attack.mitre.org/techniques/T1548/002/) | `conducting-full-scope-red-team-engagement`, `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-purple-team-atomic-testing` |
|
||||
| [T1548.003](https://attack.mitre.org/techniques/T1548/003/) | `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
|
||||
| [T1548.004](https://attack.mitre.org/techniques/T1548/004/) | `detecting-t1548-abuse-elevation-control-mechanism` |
|
||||
|
||||
---
|
||||
|
||||
## 🥷 Defense Evasion
|
||||
|
||||
**48 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1027](https://attack.mitre.org/techniques/T1027/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement` +3 more |
|
||||
| [T1036](https://attack.mitre.org/techniques/T1036/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
|
||||
| [T1036.005](https://attack.mitre.org/techniques/T1036/005/) | `detecting-process-injection-techniques`, `performing-purple-team-atomic-testing` |
|
||||
| [T1055](https://attack.mitre.org/techniques/T1055/) | `building-attack-pattern-library-from-cti-reports`, `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints` +13 more |
|
||||
| [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques`, `performing-purple-team-atomic-testing` +1 more |
|
||||
| [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
|
||||
| [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `performing-purple-team-atomic-testing` |
|
||||
| [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques` |
|
||||
| [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
|
||||
| [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | `detecting-process-injection-techniques` |
|
||||
| [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | `detecting-process-injection-techniques` |
|
||||
| [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | `detecting-process-injection-techniques` |
|
||||
| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | `conducting-malware-incident-response`, `detecting-fileless-malware-techniques`, `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` +2 more |
|
||||
| [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
|
||||
| [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | `detecting-process-injection-techniques` |
|
||||
| [T1055.015](https://attack.mitre.org/techniques/T1055/015/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
|
||||
| [T1070](https://attack.mitre.org/techniques/T1070/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-siem-use-cases-for-detection`, `implementing-velociraptor-for-ir-collection`, `performing-purple-team-atomic-testing` |
|
||||
| [T1070.001](https://attack.mitre.org/techniques/T1070/001/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
|
||||
| [T1070.004](https://attack.mitre.org/techniques/T1070/004/) | `implementing-threat-modeling-with-mitre-attack`, `performing-purple-team-atomic-testing` |
|
||||
| [T1070.006](https://attack.mitre.org/techniques/T1070/006/) | `detecting-evasion-techniques-in-endpoint-logs`, `hunting-for-defense-evasion-via-timestomping` |
|
||||
| [T1112](https://attack.mitre.org/techniques/T1112/) | `detecting-fileless-malware-techniques`, `performing-purple-team-atomic-testing` |
|
||||
| [T1127](https://attack.mitre.org/techniques/T1127/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
|
||||
| [T1127.001](https://attack.mitre.org/techniques/T1127/001/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
|
||||
| [T1140](https://attack.mitre.org/techniques/T1140/) | `analyzing-powershell-script-block-logging`, `detecting-fileless-attacks-on-endpoints`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
|
||||
| [T1202](https://attack.mitre.org/techniques/T1202/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
|
||||
| [T1218](https://attack.mitre.org/techniques/T1218/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-advanced-persistent-threats`, `hunting-for-living-off-the-land-binaries` +3 more |
|
||||
| [T1218.001](https://attack.mitre.org/techniques/T1218/001/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
|
||||
| [T1218.002](https://attack.mitre.org/techniques/T1218/002/) | `hunting-for-living-off-the-land-binaries` |
|
||||
| [T1218.003](https://attack.mitre.org/techniques/T1218/003/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
|
||||
| [T1218.004](https://attack.mitre.org/techniques/T1218/004/) | `detecting-living-off-the-land-attacks`, `hunting-for-lolbins-execution-in-endpoint-logs` |
|
||||
| [T1218.005](https://attack.mitre.org/techniques/T1218/005/) | `detecting-fileless-malware-techniques`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
|
||||
| [T1218.007](https://attack.mitre.org/techniques/T1218/007/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
|
||||
| [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
|
||||
| [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-dynamic-analysis-with-any-run` +1 more |
|
||||
| [T1218.013](https://attack.mitre.org/techniques/T1218/013/) | `detecting-living-off-the-land-attacks` |
|
||||
| [T1222.001](https://attack.mitre.org/techniques/T1222/001/) | `conducting-domain-persistence-with-dcsync` |
|
||||
| [T1497](https://attack.mitre.org/techniques/T1497/) | `analyzing-malware-sandbox-evasion-techniques` |
|
||||
| [T1497.001](https://attack.mitre.org/techniques/T1497/001/) | `analyzing-malware-sandbox-evasion-techniques` |
|
||||
| [T1497.002](https://attack.mitre.org/techniques/T1497/002/) | `analyzing-malware-sandbox-evasion-techniques` |
|
||||
| [T1497.003](https://attack.mitre.org/techniques/T1497/003/) | `analyzing-malware-sandbox-evasion-techniques` |
|
||||
| [T1550](https://attack.mitre.org/techniques/T1550/) | `performing-lateral-movement-detection` |
|
||||
| [T1550.001](https://attack.mitre.org/techniques/T1550/001/) | `detecting-azure-lateral-movement` |
|
||||
| [T1550.002](https://attack.mitre.org/techniques/T1550/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk` +6 more |
|
||||
| [T1550.003](https://attack.mitre.org/techniques/T1550/003/) | `conducting-pass-the-ticket-attack`, `detecting-pass-the-hash-attacks`, `detecting-pass-the-ticket-attacks`, `exploiting-constrained-delegation-abuse` |
|
||||
| [T1550.004](https://attack.mitre.org/techniques/T1550/004/) | `performing-initial-access-with-evilginx3` |
|
||||
| [T1562](https://attack.mitre.org/techniques/T1562/) | `detecting-evasion-techniques-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
|
||||
| [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints`, `detecting-suspicious-powershell-execution` +1 more |
|
||||
| [T1610](https://attack.mitre.org/techniques/T1610/) | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
|
||||
|
||||
---
|
||||
|
||||
## 🔑 Credential Access
|
||||
|
||||
**27 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1003](https://attack.mitre.org/techniques/T1003/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rules-with-sigma`, `detecting-container-escape-with-falco-rules`, `detecting-credential-dumping-techniques` +10 more |
|
||||
| [T1003.001](https://attack.mitre.org/techniques/T1003/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +13 more |
|
||||
| [T1003.002](https://attack.mitre.org/techniques/T1003/002/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
|
||||
| [T1003.003](https://attack.mitre.org/techniques/T1003/003/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
|
||||
| [T1003.004](https://attack.mitre.org/techniques/T1003/004/) | `detecting-t1003-credential-dumping-with-edr`, `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
|
||||
| [T1003.005](https://attack.mitre.org/techniques/T1003/005/) | `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
|
||||
| [T1003.006](https://attack.mitre.org/techniques/T1003/006/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `detecting-dcsync-attack-in-active-directory` +8 more |
|
||||
| [T1110](https://attack.mitre.org/techniques/T1110/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `conducting-internal-network-penetration-test`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +3 more |
|
||||
| [T1110.001](https://attack.mitre.org/techniques/T1110/001/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `implementing-siem-use-cases-for-detection`, `performing-false-positive-reduction-in-siem`, `performing-purple-team-atomic-testing` |
|
||||
| [T1110.002](https://attack.mitre.org/techniques/T1110/002/) | `exploiting-kerberoasting-with-impacket` |
|
||||
| [T1110.003](https://attack.mitre.org/techniques/T1110/003/) | `detecting-pass-the-ticket-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
|
||||
| [T1187](https://attack.mitre.org/techniques/T1187/) | `detecting-ntlm-relay-with-event-correlation` |
|
||||
| [T1528](https://attack.mitre.org/techniques/T1528/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse` |
|
||||
| [T1539](https://attack.mitre.org/techniques/T1539/) | `performing-credential-access-with-lazagne`, `performing-initial-access-with-evilginx3` |
|
||||
| [T1552](https://attack.mitre.org/techniques/T1552/) | `performing-cloud-incident-containment-procedures`, `performing-purple-team-atomic-testing` |
|
||||
| [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
|
||||
| [T1552.002](https://attack.mitre.org/techniques/T1552/002/) | `performing-credential-access-with-lazagne` |
|
||||
| [T1552.005](https://attack.mitre.org/techniques/T1552/005/) | `conducting-cloud-penetration-testing` |
|
||||
| [T1552.006](https://attack.mitre.org/techniques/T1552/006/) | `deploying-active-directory-honeytokens` |
|
||||
| [T1557](https://attack.mitre.org/techniques/T1557/) | `performing-initial-access-with-evilginx3` |
|
||||
| [T1557.001](https://attack.mitre.org/techniques/T1557/001/) | `conducting-internal-network-penetration-test`, `detecting-ntlm-relay-with-event-correlation`, `hunting-for-ntlm-relay-attacks` |
|
||||
| [T1558](https://attack.mitre.org/techniques/T1558/) | `analyzing-windows-event-logs-in-splunk`, `conducting-pass-the-ticket-attack`, `exploiting-kerberoasting-with-impacket`, `exploiting-nopac-cve-2021-42278-42287`, `performing-lateral-movement-detection` +1 more |
|
||||
| [T1558.001](https://attack.mitre.org/techniques/T1558/001/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `detecting-golden-ticket-attacks-in-kerberos-logs`, `detecting-golden-ticket-forgery`, `detecting-kerberoasting-attacks` +3 more |
|
||||
| [T1558.002](https://attack.mitre.org/techniques/T1558/002/) | `performing-active-directory-compromise-investigation` |
|
||||
| [T1558.003](https://attack.mitre.org/techniques/T1558/003/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `deploying-active-directory-honeytokens` +12 more |
|
||||
| [T1558.004](https://attack.mitre.org/techniques/T1558/004/) | `detecting-kerberoasting-attacks` |
|
||||
| [T1649](https://attack.mitre.org/techniques/T1649/) | `exploiting-active-directory-certificate-services-esc1` |
|
||||
|
||||
---
|
||||
|
||||
## 🗺️ Discovery
|
||||
|
||||
**20 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1016](https://attack.mitre.org/techniques/T1016/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
|
||||
| [T1018](https://attack.mitre.org/techniques/T1018/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-network-scanning-with-ids-signatures`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
|
||||
| [T1033](https://attack.mitre.org/techniques/T1033/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-privilege-escalation-attempts`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
|
||||
| [T1040](https://attack.mitre.org/techniques/T1040/) | `implementing-continuous-security-validation-with-bas` |
|
||||
| [T1046](https://attack.mitre.org/techniques/T1046/) | `detecting-network-scanning-with-ids-signatures`, `detecting-privilege-escalation-attempts`, `performing-packet-injection-attack`, `triaging-security-incident` |
|
||||
| [T1049](https://attack.mitre.org/techniques/T1049/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1057](https://attack.mitre.org/techniques/T1057/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1069](https://attack.mitre.org/techniques/T1069/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1069.001](https://attack.mitre.org/techniques/T1069/001/) | `performing-active-directory-bloodhound-analysis`, `performing-purple-team-atomic-testing` |
|
||||
| [T1069.002](https://attack.mitre.org/techniques/T1069/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis`, `performing-kerberoasting-attack`, `performing-purple-team-atomic-testing` |
|
||||
| [T1082](https://attack.mitre.org/techniques/T1082/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
|
||||
| [T1083](https://attack.mitre.org/techniques/T1083/) | `implementing-canary-tokens-for-network-intrusion`, `performing-purple-team-atomic-testing` |
|
||||
| [T1087](https://attack.mitre.org/techniques/T1087/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
|
||||
| [T1087.001](https://attack.mitre.org/techniques/T1087/001/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1087.002](https://attack.mitre.org/techniques/T1087/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `deploying-active-directory-honeytokens`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-active-directory-with-bloodhound`, `exploiting-kerberoasting-with-impacket` +3 more |
|
||||
| [T1087.004](https://attack.mitre.org/techniques/T1087/004/) | `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1482](https://attack.mitre.org/techniques/T1482/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
|
||||
| [T1518](https://attack.mitre.org/techniques/T1518/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1518.001](https://attack.mitre.org/techniques/T1518/001/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1580](https://attack.mitre.org/techniques/T1580/) | `implementing-mitre-attack-coverage-mapping` |
|
||||
|
||||
---
|
||||
|
||||
## ↔️ Lateral Movement
|
||||
|
||||
**9 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1021](https://attack.mitre.org/techniques/T1021/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `detecting-service-account-abuse`, `executing-red-team-engagement-planning`, `exploiting-constrained-delegation-abuse` +10 more |
|
||||
| [T1021.001](https://attack.mitre.org/techniques/T1021/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `building-threat-hunt-hypothesis-framework` +8 more |
|
||||
| [T1021.002](https://attack.mitre.org/techniques/T1021/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test` +10 more |
|
||||
| [T1021.003](https://attack.mitre.org/techniques/T1021/003/) | `detecting-lateral-movement-with-splunk`, `hunting-for-dcom-lateral-movement`, `performing-lateral-movement-detection`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
|
||||
| [T1021.004](https://attack.mitre.org/techniques/T1021/004/) | `detecting-lateral-movement-with-splunk`, `performing-purple-team-atomic-testing` |
|
||||
| [T1021.006](https://attack.mitre.org/techniques/T1021/006/) | `building-attack-pattern-library-from-cti-reports`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-detection`, `performing-purple-team-atomic-testing` |
|
||||
| [T1210](https://attack.mitre.org/techniques/T1210/) | `exploiting-ms17-010-eternalblue-vulnerability`, `exploiting-zerologon-vulnerability-cve-2020-1472` |
|
||||
| [T1534](https://attack.mitre.org/techniques/T1534/) | `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1570](https://attack.mitre.org/techniques/T1570/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
|
||||
|
||||
---
|
||||
|
||||
## 📦 Collection
|
||||
|
||||
**13 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1005](https://attack.mitre.org/techniques/T1005/) | `conducting-malware-incident-response`, `detecting-container-escape-with-falco-rules`, `performing-purple-team-atomic-testing` |
|
||||
| [T1039](https://attack.mitre.org/techniques/T1039/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1074](https://attack.mitre.org/techniques/T1074/) | `building-attack-pattern-library-from-cti-reports`, `executing-red-team-exercise`, `hunting-for-data-staging-before-exfiltration` |
|
||||
| [T1074.001](https://attack.mitre.org/techniques/T1074/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
|
||||
| [T1074.002](https://attack.mitre.org/techniques/T1074/002/) | `hunting-for-data-staging-before-exfiltration` |
|
||||
| [T1113](https://attack.mitre.org/techniques/T1113/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1114.002](https://attack.mitre.org/techniques/T1114/002/) | `detecting-email-forwarding-rules-attack` |
|
||||
| [T1114.003](https://attack.mitre.org/techniques/T1114/003/) | `detecting-business-email-compromise`, `detecting-email-forwarding-rules-attack` |
|
||||
| [T1115](https://attack.mitre.org/techniques/T1115/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1213](https://attack.mitre.org/techniques/T1213/) | `conducting-full-scope-red-team-engagement` |
|
||||
| [T1530](https://attack.mitre.org/techniques/T1530/) | `detecting-insider-threat-behaviors`, `implementing-mitre-attack-coverage-mapping`, `performing-cloud-incident-containment-procedures` |
|
||||
| [T1560](https://attack.mitre.org/techniques/T1560/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-staging-before-exfiltration` |
|
||||
| [T1560.001](https://attack.mitre.org/techniques/T1560/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
|
||||
|
||||
---
|
||||
|
||||
## 📡 Command and Control
|
||||
|
||||
**20 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1071](https://attack.mitre.org/techniques/T1071/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-network-covert-channels-in-malware`, `analyzing-ransomware-network-indicators`, `analyzing-threat-actor-ttps-with-mitre-attack`, `hunting-advanced-persistent-threats` +6 more |
|
||||
| [T1071.001](https://attack.mitre.org/techniques/T1071/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports` +13 more |
|
||||
| [T1071.004](https://attack.mitre.org/techniques/T1071/004/) | `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek` +3 more |
|
||||
| [T1090](https://attack.mitre.org/techniques/T1090/) | `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
|
||||
| [T1090.001](https://attack.mitre.org/techniques/T1090/001/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1090.002](https://attack.mitre.org/techniques/T1090/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
|
||||
| [T1090.004](https://attack.mitre.org/techniques/T1090/004/) | `hunting-for-domain-fronting-c2-traffic` |
|
||||
| [T1095](https://attack.mitre.org/techniques/T1095/) | `hunting-for-command-and-control-beaconing`, `hunting-for-unusual-network-connections` |
|
||||
| [T1102](https://attack.mitre.org/techniques/T1102/) | `hunting-for-living-off-the-cloud-techniques` |
|
||||
| [T1105](https://attack.mitre.org/techniques/T1105/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc`, `detecting-fileless-attacks-on-endpoints` +7 more |
|
||||
| [T1132](https://attack.mitre.org/techniques/T1132/) | `hunting-for-command-and-control-beaconing`, `performing-purple-team-atomic-testing` |
|
||||
| [T1132.001](https://attack.mitre.org/techniques/T1132/001/) | `building-c2-infrastructure-with-sliver-framework`, `performing-purple-team-atomic-testing` |
|
||||
| [T1219](https://attack.mitre.org/techniques/T1219/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1568](https://attack.mitre.org/techniques/T1568/) | `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1568.002](https://attack.mitre.org/techniques/T1568/002/) | `hunting-for-beaconing-with-frequency-analysis` |
|
||||
| [T1571](https://attack.mitre.org/techniques/T1571/) | `hunting-for-unusual-network-connections`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1572](https://attack.mitre.org/techniques/T1572/) | `building-c2-infrastructure-with-sliver-framework`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek`, `implementing-mitre-attack-coverage-mapping` |
|
||||
| [T1573](https://attack.mitre.org/techniques/T1573/) | `analyzing-ransomware-network-indicators`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
|
||||
| [T1573.001](https://attack.mitre.org/techniques/T1573/001/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1573.002](https://attack.mitre.org/techniques/T1573/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
|
||||
|
||||
---
|
||||
|
||||
## 📤 Exfiltration
|
||||
|
||||
**12 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1020](https://attack.mitre.org/techniques/T1020/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1029](https://attack.mitre.org/techniques/T1029/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1030](https://attack.mitre.org/techniques/T1030/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1041](https://attack.mitre.org/techniques/T1041/) | `analyzing-campaign-attribution-evidence`, `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-malware-incident-response` +6 more |
|
||||
| [T1048](https://attack.mitre.org/techniques/T1048/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `implementing-continuous-security-validation-with-bas` +2 more |
|
||||
| [T1048.001](https://attack.mitre.org/techniques/T1048/001/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1048.002](https://attack.mitre.org/techniques/T1048/002/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1048.003](https://attack.mitre.org/techniques/T1048/003/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `hunting-for-dns-tunneling-with-zeek`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +2 more |
|
||||
| [T1052](https://attack.mitre.org/techniques/T1052/) | `hunting-for-data-exfiltration-indicators` |
|
||||
| [T1537](https://attack.mitre.org/techniques/T1537/) | `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack`, `performing-cloud-incident-containment-procedures` |
|
||||
| [T1567](https://attack.mitre.org/techniques/T1567/) | `detecting-insider-threat-behaviors`, `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
|
||||
| [T1567.002](https://attack.mitre.org/techniques/T1567/002/) | `hunting-for-data-exfiltration-indicators`, `performing-purple-team-atomic-testing` |
|
||||
|
||||
---
|
||||
|
||||
## 💥 Impact
|
||||
|
||||
**6 techniques covered**
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| [T1485](https://attack.mitre.org/techniques/T1485/) | `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing` |
|
||||
| [T1486](https://attack.mitre.org/techniques/T1486/) | `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement`, `hunting-for-shadow-copy-deletion` +7 more |
|
||||
| [T1489](https://attack.mitre.org/techniques/T1489/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
|
||||
| [T1490](https://attack.mitre.org/techniques/T1490/) | `building-soc-playbook-for-ransomware`, `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
|
||||
| [T1491](https://attack.mitre.org/techniques/T1491/) | `performing-purple-team-atomic-testing` |
|
||||
| [T1491.002](https://attack.mitre.org/techniques/T1491/002/) | `performing-purple-team-atomic-testing` |
|
||||
|
||||
---
|
||||
|
||||
## 🔧 Other / Cross-Tactic Techniques
|
||||
|
||||
| Technique | Skills |
|
||||
|:----------|:-------|
|
||||
| T0157 | `exploiting-kerberoasting-with-impacket` |
|
||||
| T0200 | `building-vulnerability-scanning-workflow`, `performing-authenticated-scan-with-openvas` |
|
||||
| T0802 | `detecting-attacks-on-historian-servers` |
|
||||
| T0809 | `detecting-attacks-on-historian-servers` |
|
||||
| T0814 | `detecting-modbus-command-injection-attacks` |
|
||||
| T0816 | `detecting-dnp3-protocol-anomalies` |
|
||||
| T0830 | `detecting-modbus-protocol-anomalies` |
|
||||
| T0831 | `detecting-modbus-protocol-anomalies` |
|
||||
| T0832 | `detecting-attacks-on-historian-servers` |
|
||||
| T0833 | `detecting-stuxnet-style-attacks` |
|
||||
| T0836 | `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
|
||||
| T0839 | `detecting-dnp3-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
|
||||
| T0843 | `detecting-modbus-command-injection-attacks`, `performing-s7comm-protocol-security-analysis` |
|
||||
| T0847 | `detecting-stuxnet-style-attacks` |
|
||||
| T0855 | `detecting-dnp3-protocol-anomalies`, `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies` |
|
||||
| T0856 | `detecting-stuxnet-style-attacks` |
|
||||
| T0862 | `detecting-stuxnet-style-attacks` |
|
||||
| T0866 | `detecting-stuxnet-style-attacks` |
|
||||
| T0869 | `detecting-dnp3-protocol-anomalies` |
|
||||
| T0881 | `performing-s7comm-protocol-security-analysis` |
|
||||
| T0886 | `detecting-modbus-protocol-anomalies` |
|
||||
| T1404 | `analyzing-android-malware-with-apktool` |
|
||||
| T1417 | `analyzing-android-malware-with-apktool` |
|
||||
| T1418 | `analyzing-android-malware-with-apktool` |
|
||||
| T1553.006 | `analyzing-uefi-bootkit-persistence` |
|
||||
| T1555 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
|
||||
| T1555.003 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
|
||||
| T1555.004 | `performing-credential-access-with-lazagne` |
|
||||
| T1578 | `performing-cloud-incident-containment-procedures` |
|
||||
| T1582 | `analyzing-android-malware-with-apktool` |
|
||||
| T1611 | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
|
||||
| T1615 | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
|
||||
| T1620 | `detecting-fileless-attacks-on-endpoints` |
|
||||
| T5577 | `performing-physical-intrusion-assessment` |
|
||||
|
||||
---
|
||||
|
||||
## How This Was Generated
|
||||
|
||||
This coverage map was automatically generated by scanning all 753+ SKILL.md and agent.py files for MITRE ATT&CK technique IDs (pattern: `T####` and `T####.###`). Each technique was mapped to its parent tactic using the [MITRE ATT&CK Enterprise Matrix v16](https://attack.mitre.org/matrices/enterprise/).
|
||||
|
||||
To regenerate: `python3 extract_attack.py`
|
||||
|
||||
---
|
||||
|
||||
## MITRE ATLAS Coverage (v5.5.0)
|
||||
|
||||
81 skills mapped to ATLAS adversarial ML techniques.
|
||||
|
||||
Key techniques applied:
|
||||
- AML.T0051 — LLM Prompt Injection (Execution)
|
||||
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
|
||||
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
|
||||
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
|
||||
- AML.T0020 — Poison Training Data (Resource Development)
|
||||
- AML.T0070 — RAG Poisoning (Persistence)
|
||||
- AML.T0080 — AI Agent Context Poisoning (Persistence)
|
||||
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
|
||||
|
||||
## MITRE D3FEND Coverage (v1.3)
|
||||
|
||||
11 skills mapped to D3FEND defensive countermeasures.
|
||||
|
||||
Countermeasures applied span D3FEND tactical categories:
|
||||
Harden, Detect, Isolate, Deceive, Evict, Restore.
|
||||
Each skill's d3fend_techniques field lists the top 5 most relevant
|
||||
defensive countermeasures derived from the skill's ATT&CK technique tags.
|
||||
|
||||
## NIST AI RMF Coverage (AI 100-1)
|
||||
|
||||
85 skills mapped to NIST AI Risk Management Framework subcategories.
|
||||
|
||||
Core functions covered:
|
||||
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
|
||||
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
|
||||
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
|
||||
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
|
||||
|
||||
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
|
||||
|
||||
---
|
||||
|
||||
<p align="center">
|
||||
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
|
||||
</p>
|
||||
@@ -1,32 +0,0 @@
|
||||
cff-version: 1.2.0
|
||||
message: "If you use this repository in your research, tools, or publications, please cite it as below."
|
||||
type: software
|
||||
title: "Anthropic-Cybersecurity-Skills"
|
||||
abstract: >
|
||||
A structured collection of 753 cybersecurity skills for AI agents, covering
|
||||
penetration testing, digital forensics, threat intelligence, incident response,
|
||||
cloud security, OT/SCADA security, AI security, and more. Each skill follows
|
||||
a standardized format with YAML frontmatter metadata, step-by-step procedures,
|
||||
tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
|
||||
Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
|
||||
platforms.
|
||||
authors:
|
||||
- name: "Mahipal"
|
||||
email: mukuljangra5@gmail.com
|
||||
alias: mukul975
|
||||
repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
license: Apache-2.0
|
||||
version: "1.1.0"
|
||||
date-released: "2026-03-21"
|
||||
keywords:
|
||||
- cybersecurity
|
||||
- AI agents
|
||||
- skills
|
||||
- penetration testing
|
||||
- digital forensics
|
||||
- threat intelligence
|
||||
- incident response
|
||||
- MITRE ATT&CK
|
||||
- Claude Code
|
||||
- open source
|
||||
+1
-1
@@ -36,7 +36,7 @@ This Code of Conduct applies within all community spaces, and also applies when
|
||||
|
||||
## Enforcement
|
||||
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukuljangra5@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukul975@users.noreply.github.com. All complaints will be reviewed and investigated promptly and fairly.
|
||||
|
||||
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
|
||||
|
||||
|
||||
@@ -1,574 +1,138 @@
|
||||
<p align="center">
|
||||
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 753 skills for AI agents" width="100%" />
|
||||
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="600">
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge" alt="License: Apache 2.0" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-753-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="753 Skills" /></a>
|
||||
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
|
||||
<strong>611+ cybersecurity skills for AI agents · agentskills.io open standard</strong>
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<b>The largest open-source collection of cybersecurity skills for AI agents.<br/>753 structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.1.0">📦 v1.1.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
|
||||
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
|
||||
<img src="https://img.shields.io/badge/skills-611%2B-brightgreen?style=flat" alt="Skills Count">
|
||||
<img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Stars">
|
||||
<img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Last Commit">
|
||||
<a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple?style=flat" alt="Agent Skills"></a>
|
||||
<img src="https://img.shields.io/badge/platforms-26%2B-orange?style=flat" alt="Platforms">
|
||||
</p>
|
||||
|
||||
---
|
||||
|
||||
Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **753 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
|
||||
> **Warning: Community Project -- Not affiliated with Anthropic PBC.**
|
||||
> This is an independent, community-created collection. "Anthropic" in the repository name refers to the agentskills.io standard compatibility, not official Anthropic affiliation.
|
||||
|
||||
## 📑 Table of contents
|
||||
The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms.
|
||||
|
||||
- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents)
|
||||
- [🛡️ What's inside](#️-whats-inside--753-cybersecurity-skills-across-38-domains)
|
||||
- [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
|
||||
- [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
|
||||
- [🗺️ MITRE ATT&CK coverage](#️-mitre-attck-and-nist-csf-20-coverage)
|
||||
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-cybersecurity-skills)
|
||||
- [📝 Example skills](#-example-cybersecurity-skills)
|
||||
- [👥 Contributors](#-contributors)
|
||||
- [🤝 Contributing](#-contributing-to-cybersecurity-ai-skills)
|
||||
- [⭐ Star history](#-star-history)
|
||||
- [🌐 Community](#-community)
|
||||
- [📄 License](#-license)
|
||||
|
||||
---
|
||||
|
||||
## 🚀 Quick start — install cybersecurity skills for AI agents
|
||||
|
||||
Get up and running in under 30 seconds. Choose your preferred method:
|
||||
|
||||
### Option 1 · npx (recommended)
|
||||
## Quick Start
|
||||
|
||||
**Method 1: npx skills**
|
||||
```bash
|
||||
npx skills add mukul975/Anthropic-Cybersecurity-Skills
|
||||
```
|
||||
|
||||
### Option 2 · Claude Code plugin marketplace
|
||||
|
||||
**Method 2: Claude Code plugin**
|
||||
```
|
||||
/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
|
||||
```
|
||||
|
||||
### Option 3 · Manual clone
|
||||
|
||||
**Method 3: Manual clone**
|
||||
```bash
|
||||
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
|
||||
cd Anthropic-Cybersecurity-Skills
|
||||
```
|
||||
|
||||
> **That's it.** Your AI agent can now discover and execute 753 cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
|
||||
## Skill Categories
|
||||
|
||||
---
|
||||
| Category | Skills | Example Skills |
|
||||
|----------|-------:|----------------|
|
||||
| Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment |
|
||||
| Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring |
|
||||
| Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning |
|
||||
| Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries |
|
||||
| Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development |
|
||||
| Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics |
|
||||
| SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation |
|
||||
| Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration |
|
||||
| Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes |
|
||||
| OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation |
|
||||
| API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment |
|
||||
| Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security |
|
||||
| Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow |
|
||||
| Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket |
|
||||
| Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection |
|
||||
| Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest |
|
||||
| Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model |
|
||||
| Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS |
|
||||
| DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks |
|
||||
| Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration |
|
||||
| Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL |
|
||||
| Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking |
|
||||
| Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection |
|
||||
| Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls |
|
||||
|
||||
## 🛡️ What's inside — 753 cybersecurity skills across 38 domains
|
||||
## How It Works
|
||||
|
||||
Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains:
|
||||
|
||||
| Domain | Skills | Example capabilities |
|
||||
|:-------|:------:|:---------------------|
|
||||
| ☁️ **Cloud Security** | **48** | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
|
||||
| 🌐 **Web Application Security** | **45** | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
|
||||
| 🔌 **Network Security** | **41** | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
|
||||
| 🎯 **Penetration Testing** | **38** | Active Directory exploitation, OSCP-style methodology, pivoting |
|
||||
| 🔴 **Red Teaming** | **35** | Cobalt Strike operations, LOTL techniques, evasion & persistence |
|
||||
| 🔍 **DFIR** | **32** | Disk imaging, memory forensics with Volatility3, browser forensics |
|
||||
| 🦠 **Malware Analysis** | **28** | Ghidra reverse engineering, YARA rules, .NET decompilation |
|
||||
| 📡 **Threat Intelligence** | **26** | APT group analysis with MITRE Navigator, campaign attribution |
|
||||
| ☸️ **Cloud Native / Kubernetes** | **24** | etcd security assessment, pod security policies, RBAC audit |
|
||||
| 📋 **Compliance & Governance** | **22** | PCI DSS scoping, SOC 2 readiness, GDPR data mapping |
|
||||
| 🔑 **IAM Security** | **20** | SAML SSO with Okta, PAM deployment, service account hardening |
|
||||
| 🔐 **Cryptography** | **18** | TLS configuration audit, certificate lifecycle, key management |
|
||||
| 🏰 **Zero Trust** | **16** | Microsegmentation, BeyondCorp implementation, continuous verification |
|
||||
| 🏭 **OT / ICS Security** | **14** | SCADA monitoring, Modbus anomaly detection, Purdue model |
|
||||
| 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
|
||||
| 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
|
||||
| ➕ **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
|
||||
| | **753** | **Total skills across 38 domains** |
|
||||
|
||||
---
|
||||
|
||||
## 🤖 Compatible AI agent platforms
|
||||
|
||||
Skills follow the [agentskills.io](https://agentskills.io) open standard — **write once, use everywhere**. Any platform that reads `SKILL.md` files with YAML frontmatter works out of the box.
|
||||
|
||||
### AI code assistants
|
||||
|
||||
| Platform | Status | Install method |
|
||||
|:---------|:------:|:---------------|
|
||||
| **Claude Code** (Anthropic) | ✅ | `/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills` |
|
||||
| **GitHub Copilot** (Microsoft) | ✅ | Place in `.github/skills` directory |
|
||||
| **Cursor** | ✅ | `npx skills add` or manual clone |
|
||||
| **Windsurf** | ✅ | `npx skills add` or manual clone |
|
||||
| **Cline** | ✅ | `npx skills add` or manual clone |
|
||||
| **Aider** | ✅ | `npx skills add` or manual clone |
|
||||
| **Continue** | ✅ | `npx skills add` or manual clone |
|
||||
| **Roo Code** | ✅ | `npx skills add` or manual clone |
|
||||
| **Amazon Q Developer** | ✅ | `npx skills add` or manual clone |
|
||||
| **Tabnine** | ✅ | `npx skills add` or manual clone |
|
||||
| **Sourcegraph Cody** | ✅ | `npx skills add` or manual clone |
|
||||
| **JetBrains AI** | ✅ | `npx skills add` or manual clone |
|
||||
|
||||
### CLI agents
|
||||
|
||||
| Platform | Status | Install method |
|
||||
|:---------|:------:|:---------------|
|
||||
| **OpenAI Codex CLI** | ✅ | `npx skills add` — reads from `~/.codex/skills` |
|
||||
| **Gemini CLI** (Google) | ✅ | `npx skills add` or manual clone |
|
||||
|
||||
### Autonomous agents
|
||||
|
||||
| Platform | Status | Install method |
|
||||
|:---------|:------:|:---------------|
|
||||
| **Devin** | ✅ | Point to cloned skill directory |
|
||||
| **Replit Agent** | ✅ | Import via repo URL |
|
||||
| **SWE-agent** | ✅ | Mount skill directory |
|
||||
| **OpenHands** | ✅ | Mount skill directory |
|
||||
|
||||
### Agent frameworks & SDKs
|
||||
|
||||
| Platform | Status | Install method |
|
||||
|:---------|:------:|:---------------|
|
||||
| **LangChain** | ✅ | Load `SKILL.md` files as tool descriptions |
|
||||
| **CrewAI** | ✅ | Load as agent knowledge base |
|
||||
| **AutoGen** | ✅ | Load as agent knowledge base |
|
||||
| **Semantic Kernel** | ✅ | Load as plugins |
|
||||
| **Haystack** | ✅ | Ingest via document store |
|
||||
| **Vercel AI SDK** | ✅ | Load as tool definitions |
|
||||
| **Any MCP-compatible agent** | ✅ | Via MCP tool integration |
|
||||
|
||||
---
|
||||
|
||||
## 📐 Skill structure and agentskills.io format
|
||||
|
||||
Every skill lives in its own directory under `skills/` and follows a consistent structure:
|
||||
|
||||
```
|
||||
skills/performing-memory-forensics-with-volatility3/
|
||||
├── SKILL.md # Skill definition (YAML frontmatter + Markdown body)
|
||||
│ ├── Frontmatter # → name, description, domain, subdomain, tags
|
||||
│ ├── When to Use # → Trigger conditions for AI agents
|
||||
│ ├── Prerequisites # → Required tools, access, environment
|
||||
│ ├── Workflow # → Step-by-step execution guide
|
||||
│ └── Verification # → How to confirm success
|
||||
├── references/
|
||||
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references
|
||||
│ └── workflows.md # Deep technical procedure reference
|
||||
├── scripts/
|
||||
│ └── process.py # Practitioner helper scripts
|
||||
└── assets/
|
||||
└── template.md # Checklists, report templates
|
||||
```
|
||||
|
||||
### YAML frontmatter (the discovery layer)
|
||||
Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance:
|
||||
|
||||
```yaml
|
||||
---
|
||||
name: performing-memory-forensics-with-volatility3
|
||||
description: >-
|
||||
Analyze memory dumps to extract running processes, network connections,
|
||||
injected code, and malware artifacts using Volatility3 framework.
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
|
||||
version: "1.0"
|
||||
author: mukul975
|
||||
license: Apache-2.0
|
||||
---
|
||||
```
|
||||
|
||||
**Required fields:** `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`
|
||||
|
||||
**Optional fields:** `version`, `author`, `license`
|
||||
|
||||
---
|
||||
|
||||
## 🗺️ MITRE ATT&CK and NIST CSF 2.0 coverage
|
||||
|
||||
This collection provides **comprehensive coverage** of the two most widely adopted cybersecurity frameworks in the industry.
|
||||
|
||||
### MITRE ATT&CK Enterprise
|
||||
|
||||
All **14 Enterprise tactics** are covered, with skills mapped to **200+ individual techniques**:
|
||||
|
||||
| Tactic | Coverage | Example skills |
|
||||
|:-------|:--------:|:---------------|
|
||||
| Reconnaissance | ✅ | OSINT gathering, domain enumeration, social engineering recon |
|
||||
| Resource Development | ✅ | Infrastructure profiling, certificate analysis |
|
||||
| Initial Access | ✅ | Phishing analysis, exploit detection, supply chain review |
|
||||
| Execution | ✅ | Script analysis, command-line forensics, scheduled task audit |
|
||||
| Persistence | ✅ | Registry analysis, startup item review, implant detection |
|
||||
| Privilege Escalation | ✅ | Token manipulation detection, UAC bypass analysis |
|
||||
| Defense Evasion | ✅ | Process injection detection, obfuscation analysis |
|
||||
| Credential Access | ✅ | Credential dumping detection, Kerberoasting defense |
|
||||
| Discovery | ✅ | Network scanning detection, AD enumeration monitoring |
|
||||
| Lateral Movement | ✅ | Pass-the-hash detection, RDP abuse monitoring |
|
||||
| Collection | ✅ | Data staging detection, screen capture forensics |
|
||||
| Command and Control | ✅ | C2 beaconing detection, DNS tunneling analysis |
|
||||
| Exfiltration | ✅ | Data transfer monitoring, covert channel detection |
|
||||
| Impact | ✅ | Ransomware response, data destruction forensics |
|
||||
|
||||
### NIST CSF 2.0 alignment
|
||||
|
||||
Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
|
||||
|
||||
- **Identify (ID)** — Asset management, risk assessment, governance skills
|
||||
- **Protect (PR)** — Access control, awareness training, data security skills
|
||||
- **Detect (DE)** — Anomaly detection, continuous monitoring, event analysis skills
|
||||
- **Respond (RS)** — Incident response, mitigation, communication skills
|
||||
- **Recover (RC)** — Recovery planning, improvement, communication skills
|
||||
|
||||
> An ATT&CK Navigator layer file is included in the v1.1.0 release for visual coverage mapping.
|
||||
|
||||
---
|
||||
|
||||
## 🧠 How AI agents use these cybersecurity skills
|
||||
|
||||
Skills use a **progressive disclosure pattern** that minimizes token usage while maximizing agent capability. Here's what happens when you ask your AI agent to "analyze this memory dump for signs of compromise":
|
||||
|
||||
### Stage 1 · Discovery (~30–50 tokens per skill)
|
||||
|
||||
The agent scans **only YAML frontmatter** across all 753 skills. Each scan costs ~30–50 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
|
||||
|
||||
```yaml
|
||||
# Agent reads ONLY this:
|
||||
name: performing-memory-forensics-with-volatility3
|
||||
description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [forensics, memory-analysis, volatility3, incident-response]
|
||||
```
|
||||
|
||||
### Stage 2 · Full workflow load (~200–500 tokens)
|
||||
|
||||
Once a skill matches, the agent loads the **complete `SKILL.md` body** — trigger conditions, prerequisites, step-by-step workflow, and verification checks. This gives the agent a structured playbook to follow.
|
||||
|
||||
### Stage 3 · Deep reference access (on demand)
|
||||
|
||||
For complex tasks, the agent pulls in **supporting files** from `references/`, `scripts/`, and `assets/` — NIST standards mappings, detailed technical procedures, helper scripts, and report templates. These files are loaded only when the agent needs deeper context.
|
||||
|
||||
> **Result:** Irrelevant skills cost ~30 tokens. Relevant skills provide complete, structured, expert-level guidance. No wasted context window.
|
||||
|
||||
---
|
||||
|
||||
## 📝 Example cybersecurity skills
|
||||
|
||||
<details>
|
||||
<summary><b>🔍 Memory forensics with Volatility3</b> — DFIR domain</summary>
|
||||
|
||||
````yaml
|
||||
---
|
||||
name: performing-memory-forensics-with-volatility3
|
||||
description: >-
|
||||
Analyze memory dumps to extract running processes, network connections,
|
||||
injected code, and malware artifacts using the Volatility3 framework.
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
|
||||
version: "1.0"
|
||||
author: mukul975
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
## When to Use
|
||||
|
||||
- Incident responder needs to analyze a memory dump from a compromised host
|
||||
- Investigating potential malware infection or lateral movement
|
||||
- Extracting indicators of compromise (IOCs) from volatile memory
|
||||
- Identifying injected code, hidden processes, or rootkit activity
|
||||
- Memory dump file (.raw, .mem, .dmp, .vmem) is available for analysis
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- **Volatility3** installed (`pip install volatility3`)
|
||||
- Memory dump file acquired from target system
|
||||
- **Python 3.8+** runtime environment
|
||||
- Symbol tables for target OS (auto-downloaded by Volatility3)
|
||||
- Sufficient disk space for analysis output (~2x memory dump size)
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1 — Identify the operating system profile
|
||||
|
||||
Run the banner and `windows.info` (or `linux.info` / `mac.info`) plugin to
|
||||
auto-detect the OS version and confirm the dump is valid:
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.info
|
||||
```
|
||||
|
||||
### Step 2 — List running processes
|
||||
If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills.
|
||||
|
||||
Extract the process tree to identify suspicious or unexpected processes:
|
||||
## Compatible Platforms
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.pslist
|
||||
vol -f memory.raw windows.pstree
|
||||
vol -f memory.raw windows.psscan # Finds hidden/unlinked processes
|
||||
```
|
||||
These skills work with any tool that supports the agentskills.io standard or can read structured Markdown:
|
||||
|
||||
Look for: unusual parent-child relationships, processes with suspicious names,
|
||||
processes running from temp directories, unsigned executables.
|
||||
| Platform | Integration |
|
||||
|----------|------------|
|
||||
| **Claude Code** | Native skill loading via `/plugin` |
|
||||
| **GitHub Copilot** | Workspace context via `.skills/` directory |
|
||||
| **OpenAI Codex CLI** | File-based context injection |
|
||||
| **Cursor** | Project rules and docs integration |
|
||||
| **Gemini CLI** | Context file loading |
|
||||
| **Amp** | Skill directory mounting |
|
||||
| **Goose** | Plugin-based skill loading |
|
||||
| **Windsurf** | Context awareness from project files |
|
||||
| **Aider** | Repository map integration |
|
||||
| **Continue** | Custom context providers |
|
||||
| And 16+ others | Any agent that reads structured Markdown |
|
||||
|
||||
### Step 3 — Analyze network connections
|
||||
## Skill Anatomy
|
||||
|
||||
Extract active and closed network connections:
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.netscan
|
||||
vol -f memory.raw windows.netstat
|
||||
```
|
||||
|
||||
Flag: connections to known-bad IPs, unusual ports (4444, 8443, 1337),
|
||||
beaconing patterns, connections from non-browser processes.
|
||||
|
||||
### Step 4 — Detect code injection
|
||||
|
||||
Scan for injected code in process memory:
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.malfind
|
||||
```
|
||||
|
||||
Review output for: PAGE_EXECUTE_READWRITE memory regions, MZ headers in
|
||||
non-image regions, shellcode signatures, hollow process indicators.
|
||||
|
||||
### Step 5 — Extract artifacts
|
||||
|
||||
Dump suspicious processes, DLLs, and drivers for further analysis:
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.dumpfiles --pid <PID>
|
||||
vol -f memory.raw windows.dlllist --pid <PID>
|
||||
vol -f memory.raw windows.handles --pid <PID>
|
||||
```
|
||||
|
||||
### Step 6 — Check persistence mechanisms
|
||||
|
||||
Examine registry hives and services loaded in memory:
|
||||
|
||||
```bash
|
||||
vol -f memory.raw windows.registry.hivelist
|
||||
vol -f memory.raw windows.svcscan
|
||||
vol -f memory.raw windows.cmdline
|
||||
```
|
||||
|
||||
## Verification
|
||||
|
||||
- [ ] OS profile correctly identified and dump validated
|
||||
- [ ] Complete process tree exported and anomalies flagged
|
||||
- [ ] Network connections reviewed and suspicious IPs documented
|
||||
- [ ] Malfind output reviewed — injected code regions identified
|
||||
- [ ] Suspicious binaries dumped for downstream malware analysis
|
||||
- [ ] IOCs extracted (IPs, domains, file hashes, mutex names)
|
||||
- [ ] Findings documented in incident report with timestamps
|
||||
````
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary><b>🦠 Reverse engineering .NET malware with dnSpy</b> — Malware Analysis domain</summary>
|
||||
|
||||
````yaml
|
||||
---
|
||||
name: analyzing-dotnet-malware-with-dnspy
|
||||
description: >-
|
||||
Decompile, analyze, and extract IOCs from .NET-based malware samples
|
||||
using dnSpy for static analysis and behavioral understanding.
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [malware, reverse-engineering, dotnet, dnspy, static-analysis]
|
||||
version: "1.0"
|
||||
author: mukul975
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
## When to Use
|
||||
|
||||
- Triaging a suspected .NET malware sample (.exe or .dll compiled with CLR)
|
||||
- Extracting hardcoded C2 URLs, encryption keys, or configuration data
|
||||
- Understanding malware behavior before dynamic analysis
|
||||
- Analyzing obfuscated .NET payloads (ConfuserEx, SmartAssembly, etc.)
|
||||
- Building detection signatures (YARA, Sigma) from decompiled source
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- **dnSpy** (or dnSpyEx fork) installed on analysis workstation
|
||||
- Isolated malware analysis environment (VM with snapshots)
|
||||
- **PE analysis tool** (CFF Explorer, PE-bear, or pestudio) for initial triage
|
||||
- **de4dot** for automated .NET deobfuscation
|
||||
- Sample SHA256 hash documented before analysis begins
|
||||
- Network monitoring tools (Wireshark/FakeNet-NG) for dynamic validation
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1 — Initial triage and environment setup
|
||||
|
||||
Confirm the sample is a .NET assembly before opening in dnSpy:
|
||||
|
||||
```bash
|
||||
# Check for CLR metadata
|
||||
file sample.exe
|
||||
# Look for .NET version string, mscoree.dll import
|
||||
pestudio sample.exe
|
||||
```
|
||||
|
||||
Take a VM snapshot. Disable network adapters. Document sample hash.
|
||||
|
||||
### Step 2 — Deobfuscate if protected
|
||||
|
||||
Many .NET malware families use obfuscation. Run de4dot first:
|
||||
|
||||
```bash
|
||||
de4dot sample.exe -o sample_clean.exe
|
||||
```
|
||||
|
||||
Check output log for identified obfuscator (ConfuserEx, Dotfuscator,
|
||||
SmartAssembly, Babel, Eazfuscator). If de4dot fails, note the packer
|
||||
for manual unpacking in dnSpy.
|
||||
|
||||
### Step 3 — Load and explore in dnSpy
|
||||
|
||||
Open the cleaned binary in dnSpy. Start with high-level reconnaissance:
|
||||
|
||||
1. **Assembly Explorer** — Review namespaces, classes, entry point
|
||||
2. **Entry point** (`Main()` or module initializer) — Trace execution flow
|
||||
3. **Resources** — Check for embedded payloads, encrypted configs
|
||||
4. **String references** — Search for URLs, IP addresses, registry keys
|
||||
5. **References** — Note any P/Invoke calls (Win32 API) indicating native interaction
|
||||
|
||||
### Step 4 — Identify C2 infrastructure and configuration
|
||||
|
||||
Search decompiled source for network indicators:
|
||||
|
||||
- Hardcoded URLs, IP addresses, domain names
|
||||
- Base64-encoded strings (decode in CyberChef)
|
||||
- XOR / AES decryption routines with embedded keys
|
||||
- HTTP User-Agent strings, custom headers
|
||||
- Registry keys or file paths used for persistence
|
||||
|
||||
Set breakpoints in dnSpy debugger at decryption functions to capture
|
||||
plaintext config at runtime if static extraction fails.
|
||||
|
||||
### Step 5 — Map capabilities to MITRE ATT&CK
|
||||
|
||||
Document each observed capability:
|
||||
|
||||
- **Execution method** — Process injection, scheduled tasks, WMI
|
||||
- **Persistence** — Registry Run keys, startup folder, services
|
||||
- **Credential access** — Browser credential theft, keylogging
|
||||
- **Exfiltration** — HTTP POST, DNS tunneling, cloud storage APIs
|
||||
- **Evasion** — Anti-VM checks, sleep timers, sandbox detection
|
||||
|
||||
### Step 6 — Extract IOCs and build detections
|
||||
|
||||
Compile all indicators into a structured IOC list:
|
||||
Every skill follows a consistent directory structure:
|
||||
|
||||
```
|
||||
# Network IOCs
|
||||
C2: https://evil-domain[.]com/gate.php
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
|
||||
DNS: ns1.malware-c2[.]net
|
||||
|
||||
# Host IOCs
|
||||
Mutex: Global\{GUID-HERE}
|
||||
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
|
||||
File: %APPDATA%\svchost.exe (SHA256: abc123...)
|
||||
skills/{skill-name}/
|
||||
├── SKILL.md # Skill definition with YAML frontmatter
|
||||
│ ├── Frontmatter # name, description, domain, subdomain, tags
|
||||
│ ├── When to Use # Trigger conditions for AI agents
|
||||
│ ├── Prerequisites # Required tools and access
|
||||
│ ├── Workflow # Step-by-step execution guide
|
||||
│ └── Verification # How to confirm success
|
||||
├── references/
|
||||
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references
|
||||
│ └── workflows.md # Deep technical procedure reference
|
||||
├── scripts/
|
||||
│ └── process.py # Practitioner helper scripts
|
||||
└── assets/
|
||||
└── template.md # Checklists and report templates
|
||||
```
|
||||
|
||||
Write YARA rule targeting unique strings or byte patterns.
|
||||
## Contributing
|
||||
|
||||
## Verification
|
||||
We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process.
|
||||
|
||||
- [ ] Sample identified as .NET assembly and hash documented
|
||||
- [ ] Deobfuscation attempted — obfuscator identified and handled
|
||||
- [ ] Entry point traced — full execution flow mapped
|
||||
- [ ] C2 infrastructure extracted (URLs, IPs, domains, ports)
|
||||
- [ ] Encryption keys / decryption routines documented
|
||||
- [ ] Capabilities mapped to MITRE ATT&CK techniques
|
||||
- [ ] IOC list exported in structured format (STIX, OpenIOC, or CSV)
|
||||
- [ ] YARA detection rule written and tested against sample
|
||||
````
|
||||
|
||||
</details>
|
||||
|
||||
---
|
||||
|
||||
## 👥 Contributors
|
||||
|
||||
Thanks to these wonderful people for building the largest open-source cybersecurity skills collection:
|
||||
|
||||
<!-- ALL-CONTRIBUTORS-LIST:START -->
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors">
|
||||
<img src="https://contrib.rocks/image?repo=mukul975/Anthropic-Cybersecurity-Skills" />
|
||||
</a>
|
||||
<!-- ALL-CONTRIBUTORS-LIST:END -->
|
||||
|
||||
Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below.
|
||||
|
||||
---
|
||||
|
||||
## 🤝 Contributing to cybersecurity AI skills
|
||||
|
||||
This project hit **3.5k stars in two weeks** — the community momentum is real. With **328 forks**, **9 open PRs**, and security professionals from around the world getting involved, now is the perfect time to contribute.
|
||||
|
||||
We welcome four types of contributions:
|
||||
|
||||
| Type | Description | Good for |
|
||||
|:-----|:------------|:---------|
|
||||
| 🆕 **New skills** | Add skills for uncovered techniques or domains | Security practitioners, pen testers, IR analysts |
|
||||
| 📖 **Improve existing skills** | Enhance workflows, add edge cases, fix errors | Anyone who uses the skills and spots improvements |
|
||||
| 🌍 **Translations & i18n** | Help make skills accessible to non-English speakers | Multilingual security professionals |
|
||||
| 🐛 **Bug reports & feedback** | Report issues, suggest improvements, review PRs | Everyone — all experience levels welcome |
|
||||
|
||||
### How to get started
|
||||
|
||||
1. **Browse [open issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues)** — look for `good first issue` and `help wanted` labels
|
||||
2. **Read [`CONTRIBUTING.md`](CONTRIBUTING.md)** for the full skill template and submission guidelines
|
||||
3. **Fork the repo**, create your skill directory under `skills/`, and submit a PR
|
||||
4. **Title format:** `Add skill: your-skill-name-here`
|
||||
|
||||
> Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
|
||||
|
||||
---
|
||||
|
||||
## ⭐ Star history
|
||||
## Star History
|
||||
|
||||
[](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
|
||||
|
||||
---
|
||||
## License
|
||||
|
||||
## 🌐 Community
|
||||
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers">⭐ Star this repo</a> ·
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork">🍴 Fork it</a> ·
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions">💬 Discuss</a> ·
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new">📝 Open an issue</a>
|
||||
</p>
|
||||
|
||||
If this project saves you time or makes your AI agent more capable, **give it a ⭐** — it helps others discover these skills and keeps the community growing.
|
||||
|
||||
---
|
||||
|
||||
## 📄 License
|
||||
|
||||
This project is licensed under the **Apache License 2.0** — see the [`LICENSE`](LICENSE) file for details.
|
||||
|
||||
You are free to use, modify, and distribute these skills in both personal and commercial projects. Attribution is appreciated but not required.
|
||||
|
||||
---
|
||||
|
||||
<p align="center">
|
||||
<sub>
|
||||
<b>⚠️ Disclaimer:</b> This is an independent, community-created project. <b>Not affiliated with Anthropic PBC.</b><br/>
|
||||
"Anthropic" in the repository name refers to compatibility with the <a href="https://agentskills.io">agentskills.io</a> open standard,<br/>
|
||||
not official Anthropic endorsement or affiliation. All trademarks belong to their respective owners.
|
||||
</sub>
|
||||
</p>
|
||||
This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
|
||||
|
||||
+13624
-1
File diff suppressed because one or more lines are too long
@@ -1,6 +1,6 @@
|
||||
# ATT&CK Coverage Summary
|
||||
|
||||
Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
|
||||
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
|
||||
|
||||
## Tactic Coverage Matrix
|
||||
|
||||
|
||||
@@ -1,19 +1,17 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Forensic disk image acquisition agent using dd and dcfldd with hash verification."""
|
||||
|
||||
import shlex
|
||||
import subprocess
|
||||
import hashlib
|
||||
import os
|
||||
import sys
|
||||
import datetime
|
||||
import json
|
||||
|
||||
|
||||
def run_cmd(cmd, capture=True):
|
||||
"""Execute a command and return output."""
|
||||
if isinstance(cmd, str):
|
||||
cmd = shlex.split(cmd)
|
||||
result = subprocess.run(cmd, capture_output=capture, text=True, timeout=120)
|
||||
"""Execute a shell command and return output."""
|
||||
result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
@@ -67,22 +65,16 @@ def compute_hash(path, algorithm="sha256", block_size=65536):
|
||||
|
||||
def acquire_with_dd(source, destination, block_size=4096, log_file=None):
|
||||
"""Acquire a forensic image using dd with error handling."""
|
||||
dd_cmd = [
|
||||
"dd", f"if={source}", f"of={destination}",
|
||||
f"bs={block_size}", "conv=noerror,sync", "status=progress"
|
||||
]
|
||||
cmd = (
|
||||
f"dd if={source} of={destination} bs={block_size} "
|
||||
f"conv=noerror,sync status=progress"
|
||||
)
|
||||
if log_file:
|
||||
cmd += f" 2>&1 | tee {log_file}"
|
||||
print(f"[*] Starting dd acquisition: {source} -> {destination}")
|
||||
print(f"[*] Block size: {block_size}")
|
||||
start = datetime.datetime.utcnow()
|
||||
if log_file:
|
||||
dd_proc = subprocess.run(dd_cmd, capture_output=True, text=True, timeout=120)
|
||||
combined = (dd_proc.stdout or "") + (dd_proc.stderr or "")
|
||||
with open(log_file, "w") as lf:
|
||||
lf.write(combined)
|
||||
rc = dd_proc.returncode
|
||||
else:
|
||||
result = subprocess.run(dd_cmd, text=True, timeout=120)
|
||||
rc = result.returncode
|
||||
_, stderr, rc = run_cmd(cmd, capture=False)
|
||||
elapsed = (datetime.datetime.utcnow() - start).total_seconds()
|
||||
print(f"[*] Acquisition completed in {elapsed:.1f} seconds (rc={rc})")
|
||||
return rc == 0
|
||||
@@ -91,21 +83,18 @@ def acquire_with_dd(source, destination, block_size=4096, log_file=None):
|
||||
def acquire_with_dcfldd(source, destination, hash_alg="sha256", hash_log=None,
|
||||
error_log=None, block_size=4096, split_size=None):
|
||||
"""Acquire a forensic image using dcfldd with built-in hashing."""
|
||||
cmd = [
|
||||
"dcfldd", f"if={source}", f"of={destination}",
|
||||
f"bs={block_size}", "conv=noerror,sync",
|
||||
f"hash={hash_alg}", "hashwindow=1G",
|
||||
]
|
||||
cmd = f"dcfldd if={source} of={destination} bs={block_size} conv=noerror,sync"
|
||||
cmd += f" hash={hash_alg}"
|
||||
if hash_log:
|
||||
cmd.append(f"hashlog={hash_log}")
|
||||
cmd += f" hashlog={hash_log}"
|
||||
cmd += " hashwindow=1G"
|
||||
if error_log:
|
||||
cmd.append(f"errlog={error_log}")
|
||||
cmd += f" errlog={error_log}"
|
||||
if split_size:
|
||||
cmd.extend([f"split={split_size}", "splitformat=aa"])
|
||||
cmd += f" split={split_size} splitformat=aa"
|
||||
print(f"[*] Starting dcfldd acquisition: {source} -> {destination}")
|
||||
start = datetime.datetime.utcnow()
|
||||
result = subprocess.run(cmd, text=True, timeout=120)
|
||||
rc = result.returncode
|
||||
_, stderr, rc = run_cmd(cmd, capture=False)
|
||||
elapsed = (datetime.datetime.utcnow() - start).total_seconds()
|
||||
print(f"[*] dcfldd completed in {elapsed:.1f} seconds (rc={rc})")
|
||||
return rc == 0
|
||||
|
||||
@@ -9,23 +9,12 @@ author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
|
||||
# Analyzing Active Directory ACL Abuse
|
||||
|
||||
## Overview
|
||||
|
||||
Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.
|
||||
|
||||
This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing active directory acl abuse
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9 or later with ldap3 library (`pip install ldap3`)
|
||||
|
||||
@@ -4,8 +4,11 @@
|
||||
import argparse
|
||||
import json
|
||||
import struct
|
||||
import sys
|
||||
from collections import defaultdict
|
||||
|
||||
from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
|
||||
from ldap3.protocol.formatters.formatters import format_sid
|
||||
|
||||
|
||||
DANGEROUS_MASKS = {
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing android malware with apktool
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `androguard`
|
||||
|
||||
@@ -15,21 +15,6 @@ license: Apache-2.0
|
||||
|
||||
# Analyzing API Gateway Access Logs
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing api gateway access logs
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with security operations concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
Parse API gateway access logs to identify attack patterns including broken object
|
||||
|
||||
@@ -1,12 +1,15 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Agent for analyzing API Gateway access logs for security threats."""
|
||||
|
||||
import os
|
||||
import re
|
||||
import json
|
||||
import argparse
|
||||
from datetime import datetime
|
||||
from collections import defaultdict
|
||||
|
||||
import pandas as pd
|
||||
import numpy as np
|
||||
|
||||
|
||||
def load_api_logs(log_path):
|
||||
|
||||
@@ -1,27 +1,12 @@
|
||||
---
|
||||
name: analyzing-apt-group-with-mitre-navigator
|
||||
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
|
||||
of adversary TTPs for detection gap analysis and threat-informed defense.
|
||||
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
|
||||
domain: cybersecurity
|
||||
subdomain: threat-intelligence
|
||||
tags:
|
||||
- mitre-attack
|
||||
- navigator
|
||||
- apt
|
||||
- threat-actor
|
||||
- ttp-analysis
|
||||
- heatmap
|
||||
- detection-gap
|
||||
- threat-intelligence
|
||||
version: '1.0'
|
||||
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
d3fend_techniques:
|
||||
- Executable Denylisting
|
||||
- Execution Isolation
|
||||
- File Metadata Consistency Validation
|
||||
- Content Format Conversion
|
||||
- File Content Analysis
|
||||
---
|
||||
# Analyzing APT Group with MITRE ATT&CK Navigator
|
||||
|
||||
@@ -29,14 +14,6 @@ d3fend_techniques:
|
||||
|
||||
MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing apt group with mitre navigator
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries
|
||||
@@ -59,7 +36,7 @@ ATT&CK catalogs over 140 threat groups with documented technique usage. Each gro
|
||||
|
||||
The Navigator supports loading multiple layers simultaneously, allowing analysts to overlay threat actor TTPs against detection coverage to identify gaps, compare multiple APT groups to find common techniques worth prioritizing, and track technique coverage changes over time.
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Query ATT&CK Data for APT Group
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ performs detection gap analysis, and generates threat-informed reports.
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import hashlib
|
||||
from collections import Counter
|
||||
|
||||
try:
|
||||
|
||||
@@ -15,21 +15,6 @@ license: Apache-2.0
|
||||
|
||||
# Analyzing Azure Activity Logs for Threats
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing azure activity logs for threats
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with security operations concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,
|
||||
|
||||
@@ -112,11 +112,8 @@ def analyze_boot_code(mbr_data):
|
||||
|
||||
def run_volatility_rootkit_scan(memory_dump, plugin):
|
||||
"""Run a Volatility 3 plugin for rootkit detection via subprocess."""
|
||||
result = subprocess.run(
|
||||
["vol3", "-f", memory_dump, plugin],
|
||||
capture_output=True, text=True,
|
||||
timeout=120,
|
||||
)
|
||||
cmd = f"vol3 -f {memory_dump} {plugin}"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
|
||||
return result.stdout, result.stderr, result.returncode
|
||||
|
||||
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing browser forensics with hindsight
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.8+ with Hindsight installed (`pip install pyhindsight`)
|
||||
@@ -221,60 +213,3 @@ if __name__ == "__main__":
|
||||
- Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
|
||||
- Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
|
||||
- Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
|
||||
|
||||
## Example Output
|
||||
|
||||
```text
|
||||
$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
|
||||
|
||||
Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
|
||||
================================================================
|
||||
|
||||
Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
|
||||
OS: Windows 10
|
||||
|
||||
[+] Parsing History database...
|
||||
URL records: 12,456
|
||||
Download records: 234
|
||||
Search terms: 567
|
||||
|
||||
[+] Parsing Cookies database...
|
||||
Cookie records: 8,923
|
||||
Encrypted cookies: 6,712
|
||||
|
||||
[+] Parsing Web Data (Autofill)...
|
||||
Autofill entries: 1,234
|
||||
Credit card entries: 2 (encrypted)
|
||||
|
||||
[+] Parsing Login Data...
|
||||
Saved credentials: 45 (encrypted)
|
||||
|
||||
[+] Parsing Bookmarks...
|
||||
Bookmark entries: 189
|
||||
|
||||
--- Browsing History (Last 10 Entries) ---
|
||||
Timestamp (UTC) | URL | Title | Visit Count
|
||||
2024-01-15 14:32:05.123 | https://mail.corporate.com/inbox | Corporate Mail | 45
|
||||
2024-01-15 14:33:12.456 | https://drive.google.com/file/d/1aBcDe... | Q4_Financial_Report.xlsx | 1
|
||||
2024-01-15 14:35:44.789 | https://mega.nz/folder/xYz123 | MEGA - Secure Cloud | 3
|
||||
2024-01-15 14:36:01.234 | https://mega.nz/folder/xYz123#upload | MEGA - Upload | 8
|
||||
2024-01-15 14:42:15.567 | https://pastebin.com/raw/kL9mN2pQ | Pastebin (raw) | 1
|
||||
2024-01-15 15:01:33.890 | https://192.168.1.50:8443/admin | Admin Panel | 12
|
||||
2024-01-15 15:15:22.111 | https://transfer.sh/upload | transfer.sh | 2
|
||||
2024-01-15 15:30:45.222 | https://vpn-gateway.corporate.com | VPN Login | 5
|
||||
2024-01-15 16:00:00.333 | https://whatismyipaddress.com | What Is My IP | 1
|
||||
2024-01-15 16:05:12.444 | https://protonmail.com/inbox | ProtonMail | 3
|
||||
|
||||
--- Downloads (Suspicious) ---
|
||||
Timestamp (UTC) | Filename | URL Source | Size
|
||||
2024-01-15 14:33:15.000 | Q4_Financial_Report.xlsm | https://phish-domain.com/docs/report | 245 KB
|
||||
2024-01-15 14:34:02.000 | update_client.exe | https://cdn.evil-updates.com/client.exe | 1.2 MB
|
||||
|
||||
--- Cookies (Session Tokens) ---
|
||||
Domain | Name | Expires | Secure | HttpOnly
|
||||
.corporate.com | SESSION_ID | 2024-01-16 14:32 | Yes | Yes
|
||||
.mega.nz | session | Session | Yes | Yes
|
||||
.protonmail.com | AUTH-TOKEN | 2024-02-15 00:00 | Yes | Yes
|
||||
|
||||
Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx
|
||||
```
|
||||
|
||||
@@ -10,6 +10,8 @@ import sys
|
||||
import json
|
||||
import sqlite3
|
||||
import datetime
|
||||
import hashlib
|
||||
from collections import defaultdict
|
||||
|
||||
|
||||
def chrome_time_to_datetime(chrome_time):
|
||||
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing campaign attribution evidence
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries
|
||||
@@ -48,7 +40,7 @@ Campaign attribution analysis involves systematically evaluating evidence to det
|
||||
### Analysis of Competing Hypotheses (ACH)
|
||||
Structured analytical method that evaluates evidence against multiple competing hypotheses. Each piece of evidence is scored as consistent, inconsistent, or neutral with respect to each hypothesis. The hypothesis with the least inconsistent evidence is favored.
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Collect Attribution Evidence
|
||||
|
||||
|
||||
@@ -6,6 +6,9 @@ malware code similarity, timing patterns, and language artifacts.
|
||||
"""
|
||||
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import hashlib
|
||||
import re
|
||||
from collections import defaultdict
|
||||
from datetime import datetime
|
||||
|
||||
@@ -1,23 +1,12 @@
|
||||
---
|
||||
name: analyzing-certificate-transparency-for-phishing
|
||||
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
|
||||
and unauthorized certificate issuance targeting your organization.
|
||||
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
|
||||
domain: cybersecurity
|
||||
subdomain: threat-intelligence
|
||||
tags:
|
||||
- certificate-transparency
|
||||
- ct-logs
|
||||
- phishing
|
||||
- crt-sh
|
||||
- certstream
|
||||
- ssl
|
||||
- domain-monitoring
|
||||
- threat-intelligence
|
||||
version: '1.0'
|
||||
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0052
|
||||
---
|
||||
# Analyzing Certificate Transparency for Phishing
|
||||
|
||||
@@ -25,14 +14,6 @@ atlas_techniques:
|
||||
|
||||
Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing certificate transparency for phishing
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries
|
||||
@@ -55,7 +36,7 @@ Attackers register lookalike domains and obtain free certificates (often from Le
|
||||
|
||||
crt.sh is a free web interface and PostgreSQL database operated by Sectigo that indexes CT logs. It supports wildcard searches (`%.example.com`), direct SQL queries, and JSON API responses. It tracks certificate issuance, expiration, and revocation across all major CT logs.
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Query crt.sh for Certificate History
|
||||
|
||||
|
||||
@@ -6,7 +6,10 @@ certificates, and identifies potential phishing infrastructure.
|
||||
"""
|
||||
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import re
|
||||
from datetime import datetime
|
||||
from collections import defaultdict
|
||||
|
||||
try:
|
||||
|
||||
@@ -1,45 +1,18 @@
|
||||
---
|
||||
name: analyzing-cloud-storage-access-patterns
|
||||
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
|
||||
audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
|
||||
calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
|
||||
description: >-
|
||||
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
|
||||
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
|
||||
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
|
||||
using statistical baselines and time-series anomaly detection.
|
||||
domain: cybersecurity
|
||||
subdomain: cloud-security
|
||||
tags:
|
||||
- analyzing
|
||||
- cloud
|
||||
- storage
|
||||
- access
|
||||
version: '1.0'
|
||||
tags: [analyzing, cloud, storage, access]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0024
|
||||
- AML.T0056
|
||||
nist_ai_rmf:
|
||||
- MEASURE-2.7
|
||||
- MAP-5.1
|
||||
- MANAGE-2.4
|
||||
---
|
||||
|
||||
|
||||
# Analyzing Cloud Storage Access Patterns
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing cloud storage access patterns
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with cloud security concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
1. Install dependencies: `pip install boto3 requests`
|
||||
|
||||
@@ -21,7 +21,7 @@ def query_cloudtrail_s3_events(bucket_name, hours_back=24):
|
||||
"--start-time", start_time,
|
||||
"--output", "json",
|
||||
]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
if result.returncode != 0:
|
||||
logger.error("CloudTrail query failed: %s", result.stderr[:200])
|
||||
return []
|
||||
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing cobalt strike beacon configuration
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python`
|
||||
@@ -45,7 +37,7 @@ The beacon configuration encodes the malleable C2 profile that dictates HTTP req
|
||||
|
||||
Each Cobalt Strike license embeds a unique watermark (4-byte integer) into generated beacons. Extracting the watermark can link multiple beacons to the same operator or cracked license. Known watermark databases maintained by threat intelligence providers map watermarks to specific threat actors or leaked license keys.
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Extract Configuration with CobaltStrikeParser
|
||||
|
||||
|
||||
@@ -8,7 +8,9 @@ communication settings, malleable C2 profile details, and watermark values.
|
||||
import struct
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import hashlib
|
||||
import re
|
||||
from collections import OrderedDict
|
||||
|
||||
# Cobalt Strike beacon configuration field IDs (Type-Length-Value format)
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
---
|
||||
name: analyzing-cobalt-strike-malleable-profiles
|
||||
description: >
|
||||
Parses Cobalt Strike malleable C2 profiles using pyMalleableC2 to extract beacon
|
||||
configuration, HTTP communication patterns, and sleep/jitter settings. Combines with
|
||||
JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating
|
||||
suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.
|
||||
domain: cybersecurity
|
||||
subdomain: security-operations
|
||||
tags: [analyzing, cobalt, strike, malleable]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Analyzing Cobalt Strike Malleable Profiles
|
||||
|
||||
## Instructions
|
||||
|
||||
Parse malleable C2 profiles to extract IOCs and detection opportunities using the
|
||||
pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.
|
||||
|
||||
```python
|
||||
from malleablec2 import Profile
|
||||
|
||||
# Parse a malleable profile from file
|
||||
profile = Profile.from_file("amazon.profile")
|
||||
|
||||
# Extract global options (sleep, jitter, user-agent)
|
||||
print(profile.ast.pretty())
|
||||
|
||||
# Access HTTP-GET block URIs and headers for network signatures
|
||||
# Access HTTP-POST block for data exfiltration patterns
|
||||
# Generate JARM fingerprints for known C2 infrastructure
|
||||
```
|
||||
|
||||
Key analysis steps:
|
||||
1. Parse the malleable profile to extract HTTP-GET/POST URI patterns
|
||||
2. Extract User-Agent strings and custom headers for IDS signatures
|
||||
3. Identify sleep time and jitter for beaconing detection thresholds
|
||||
4. Scan suspect IPs with JARM to match known C2 fingerprint hashes
|
||||
5. Cross-reference extracted IOCs with network traffic logs
|
||||
|
||||
## Examples
|
||||
|
||||
```python
|
||||
# Parse profile and extract detection indicators
|
||||
from malleablec2 import Profile
|
||||
p = Profile.from_file("cobaltstrike.profile")
|
||||
print(p) # Reconstructed source
|
||||
|
||||
# JARM scan a suspect C2 server
|
||||
import subprocess
|
||||
result = subprocess.run(
|
||||
["python3", "jarm.py", "suspect-server.com"],
|
||||
capture_output=True, text=True
|
||||
)
|
||||
print(result.stdout)
|
||||
# Compare fingerprint against known CS JARM hashes
|
||||
```
|
||||
@@ -0,0 +1,69 @@
|
||||
# API Reference: Analyzing Cobalt Strike Malleable Profiles
|
||||
|
||||
## pyMalleableC2
|
||||
|
||||
```python
|
||||
from malleablec2 import Profile
|
||||
from malleablec2.components import HttpGetBlock, HttpPostBlock, ClientBlock, ServerBlock
|
||||
|
||||
# Parse from file or string
|
||||
p = Profile.from_file("amazon.profile")
|
||||
p = Profile.from_string(code_string)
|
||||
p = Profile.from_scratch()
|
||||
|
||||
# Set global options
|
||||
p.set_option("sleeptime", "3000")
|
||||
p.set_option("jitter", "0")
|
||||
p.set_option("pipename", "mojo__##")
|
||||
|
||||
# HTTP blocks
|
||||
http_get = HttpGetBlock()
|
||||
http_get.set_option("uri", "/updates")
|
||||
client = ClientBlock()
|
||||
client.add_statement("header", "Accept", "*/*")
|
||||
http_get.add_code_block(client)
|
||||
p.add_code_block(http_get)
|
||||
|
||||
# AST and reconstruction
|
||||
print(p.ast.pretty()) # Display AST
|
||||
print(p) # Reconstruct source
|
||||
```
|
||||
|
||||
## JARM TLS Fingerprinting
|
||||
|
||||
```bash
|
||||
# Scan a single host
|
||||
python3 jarm.py www.example.com
|
||||
|
||||
# Scan with specific port
|
||||
python3 jarm.py 192.168.1.1 -p 8443
|
||||
|
||||
# Batch scan from file
|
||||
python3 jarm.py -i targets.txt -o results.csv
|
||||
```
|
||||
|
||||
Fingerprint format: 62-char hybrid hash
|
||||
- First 30 chars: cipher + TLS version (10 handshakes x 3 chars)
|
||||
- Last 32 chars: truncated SHA256 of cumulative extensions
|
||||
|
||||
## Known Cobalt Strike JARM Hashes
|
||||
|
||||
| JARM Hash | Description |
|
||||
|-----------|-------------|
|
||||
| `07d14d16d21d21d07c42d41d00041d...` | CS default config |
|
||||
| `07d14d16d21d21d00042d41d00041d...` | CS with Java 11 |
|
||||
|
||||
## dissect.cobaltstrike (Alternative)
|
||||
|
||||
```python
|
||||
from dissect.cobaltstrike import beacon
|
||||
b = beacon.BeaconConfig.from_file("beacon.bin")
|
||||
print(b.protocol, b.port, b.sleeptime)
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
|
||||
- JARM scanner: https://github.com/salesforce/jarm
|
||||
- dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
|
||||
- C2 JARM list: https://github.com/cedowens/C2-JARM
|
||||
@@ -0,0 +1,174 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Agent for analyzing Cobalt Strike malleable C2 profiles and JARM fingerprinting."""
|
||||
|
||||
import os
|
||||
import json
|
||||
import subprocess
|
||||
import argparse
|
||||
from pathlib import Path
|
||||
from datetime import datetime
|
||||
|
||||
from malleablec2 import Profile
|
||||
|
||||
|
||||
def extract_profile_indicators(profile_path):
|
||||
"""Extract detection indicators from a malleable C2 profile."""
|
||||
with open(profile_path) as f:
|
||||
content = f.read()
|
||||
profile = Profile.from_string(content)
|
||||
indicators = {
|
||||
"file": str(profile_path),
|
||||
"source_lines": len(content.splitlines()),
|
||||
"reconstructed": str(profile),
|
||||
}
|
||||
keywords = ["sleeptime", "jitter", "useragent", "pipename", "host_stage",
|
||||
"dns_idle", "dns_sleep", "spawnto_x86", "spawnto_x64"]
|
||||
options = {}
|
||||
for kw in keywords:
|
||||
for line in content.splitlines():
|
||||
stripped = line.strip().rstrip(";").strip()
|
||||
if kw in stripped.lower() and "set " in stripped.lower():
|
||||
parts = stripped.split('"')
|
||||
if len(parts) >= 2:
|
||||
options[kw] = parts[1]
|
||||
indicators["global_options"] = options
|
||||
uris = []
|
||||
for line in content.splitlines():
|
||||
if "set uri" in line.strip().lower():
|
||||
parts = line.strip().split('"')
|
||||
if len(parts) >= 2:
|
||||
uris.append(parts[1])
|
||||
indicators["uris"] = uris
|
||||
headers = []
|
||||
for line in content.splitlines():
|
||||
stripped = line.strip()
|
||||
if "header " in stripped.lower() and '"' in stripped:
|
||||
parts = stripped.split('"')
|
||||
if len(parts) >= 4:
|
||||
headers.append({"name": parts[1], "value": parts[3]})
|
||||
indicators["custom_headers"] = headers
|
||||
return indicators
|
||||
|
||||
|
||||
def scan_directory_profiles(directory):
|
||||
"""Scan a directory for malleable C2 profiles and extract indicators."""
|
||||
results = []
|
||||
for path in Path(directory).rglob("*.profile"):
|
||||
try:
|
||||
indicators = extract_profile_indicators(str(path))
|
||||
results.append(indicators)
|
||||
except Exception as e:
|
||||
results.append({"file": str(path), "error": str(e)})
|
||||
return results
|
||||
|
||||
|
||||
KNOWN_CS_JARM = {
|
||||
"07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1":
|
||||
"Cobalt Strike (default)",
|
||||
"07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2":
|
||||
"Cobalt Strike (Java 11)",
|
||||
}
|
||||
|
||||
|
||||
def compute_jarm_fingerprint(host, port=443):
|
||||
"""Compute JARM fingerprint by invoking the salesforce/jarm scanner."""
|
||||
jarm_script = os.getenv("JARM_SCRIPT", "jarm.py")
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["python3", jarm_script, host, "-p", str(port)],
|
||||
capture_output=True, text=True, timeout=30,
|
||||
)
|
||||
for line in result.stdout.splitlines():
|
||||
if len(line.strip()) >= 62:
|
||||
return line.strip().split()[-1]
|
||||
return result.stdout.strip()
|
||||
except Exception as e:
|
||||
return f"Error: {e}"
|
||||
|
||||
|
||||
def check_jarm_against_known(fingerprint):
|
||||
"""Check a JARM fingerprint against known Cobalt Strike signatures."""
|
||||
for jarm_hash, description in KNOWN_CS_JARM.items():
|
||||
if fingerprint.strip() == jarm_hash:
|
||||
return {"match": True, "description": description, "fingerprint": fingerprint}
|
||||
return {"match": False, "fingerprint": fingerprint}
|
||||
|
||||
|
||||
def batch_jarm_scan(targets, port=443):
|
||||
"""Scan multiple targets for JARM fingerprints and check against known CS hashes."""
|
||||
results = []
|
||||
for target in targets:
|
||||
fp = compute_jarm_fingerprint(target, port)
|
||||
match = check_jarm_against_known(fp)
|
||||
match["target"] = target
|
||||
results.append(match)
|
||||
return results
|
||||
|
||||
|
||||
def generate_snort_rules(indicators_list):
|
||||
"""Generate Snort/Suricata rules from extracted profile indicators."""
|
||||
rules = []
|
||||
sid = 1000001
|
||||
for ind in indicators_list:
|
||||
for uri in ind.get("uris", []):
|
||||
rules.append(
|
||||
f'alert http $HOME_NET any -> $EXTERNAL_NET any '
|
||||
f'(msg:"CS Beacon URI {uri}"; '
|
||||
f'content:"{uri}"; http_uri; sid:{sid}; rev:1;)'
|
||||
)
|
||||
sid += 1
|
||||
ua = ind.get("global_options", {}).get("useragent", "")
|
||||
if ua:
|
||||
rules.append(
|
||||
f'alert http $HOME_NET any -> $EXTERNAL_NET any '
|
||||
f'(msg:"CS Beacon User-Agent"; '
|
||||
f'content:"{ua}"; http_header; sid:{sid}; rev:1;)'
|
||||
)
|
||||
sid += 1
|
||||
return rules
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Cobalt Strike Malleable Profile Analyzer")
|
||||
parser.add_argument("--profile", help="Path to a single malleable C2 profile")
|
||||
parser.add_argument("--directory", help="Directory of malleable profiles")
|
||||
parser.add_argument("--jarm-targets", nargs="*", help="Hosts to JARM fingerprint")
|
||||
parser.add_argument("--output", default="cs_analysis_report.json")
|
||||
parser.add_argument("--action", choices=[
|
||||
"parse", "scan_dir", "jarm", "generate_rules", "full_analysis"
|
||||
], default="full_analysis")
|
||||
args = parser.parse_args()
|
||||
|
||||
report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
|
||||
|
||||
if args.action in ("parse", "full_analysis") and args.profile:
|
||||
indicators = extract_profile_indicators(args.profile)
|
||||
report["findings"]["profile_indicators"] = indicators
|
||||
print(f"[+] Parsed: {args.profile} ({len(indicators.get('uris', []))} URIs)")
|
||||
|
||||
if args.action in ("scan_dir", "full_analysis") and args.directory:
|
||||
results = scan_directory_profiles(args.directory)
|
||||
report["findings"]["directory_scan"] = results
|
||||
print(f"[+] Scanned {len(results)} profiles in {args.directory}")
|
||||
|
||||
if args.action in ("jarm", "full_analysis") and args.jarm_targets:
|
||||
jarm_results = batch_jarm_scan(args.jarm_targets)
|
||||
report["findings"]["jarm_scan"] = jarm_results
|
||||
matches = [r for r in jarm_results if r.get("match")]
|
||||
print(f"[+] JARM: {len(jarm_results)} scanned, {len(matches)} CS matches")
|
||||
|
||||
if args.action in ("generate_rules", "full_analysis"):
|
||||
profiles = report["findings"].get("directory_scan", [])
|
||||
if not profiles and args.profile:
|
||||
profiles = [report["findings"].get("profile_indicators", {})]
|
||||
rules = generate_snort_rules(profiles)
|
||||
report["findings"]["snort_rules"] = rules
|
||||
print(f"[+] Generated {len(rules)} Snort rules")
|
||||
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2, default=str)
|
||||
print(f"[+] Report saved to {args.output}")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2`
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
import argparse
|
||||
import json
|
||||
import re
|
||||
import sys
|
||||
from collections import Counter
|
||||
from datetime import datetime
|
||||
from pathlib import Path
|
||||
|
||||
@@ -3,12 +3,13 @@
|
||||
|
||||
import statistics
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
from collections import defaultdict
|
||||
|
||||
try:
|
||||
from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
|
||||
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
|
||||
HAS_SCAPY = True
|
||||
except ImportError:
|
||||
HAS_SCAPY = False
|
||||
|
||||
@@ -1,6 +1,9 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""
|
||||
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import datetime
|
||||
|
||||
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""
|
||||
|
||||
import shlex
|
||||
import subprocess
|
||||
import os
|
||||
import sys
|
||||
@@ -11,10 +10,8 @@ import datetime
|
||||
|
||||
|
||||
def run_cmd(cmd):
|
||||
"""Execute a command and return output."""
|
||||
if isinstance(cmd, str):
|
||||
cmd = shlex.split(cmd)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
"""Execute a shell command and return output."""
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
@@ -96,15 +93,9 @@ def list_deleted_files(image_path, offset):
|
||||
|
||||
def recover_file(image_path, offset, inode, output_path):
|
||||
"""Recover a file by inode using icat."""
|
||||
result = subprocess.run(
|
||||
["icat", "-o", str(offset), image_path, str(inode)],
|
||||
capture_output=True,
|
||||
timeout=120,
|
||||
)
|
||||
if result.returncode == 0:
|
||||
with open(output_path, "wb") as f:
|
||||
f.write(result.stdout)
|
||||
return result.returncode == 0
|
||||
cmd = f"icat -o {offset} {image_path} {inode} > {output_path}"
|
||||
_, _, rc = run_cmd(cmd)
|
||||
return rc == 0
|
||||
|
||||
|
||||
def get_file_metadata(image_path, offset, inode):
|
||||
@@ -115,40 +106,26 @@ def get_file_metadata(image_path, offset, inode):
|
||||
|
||||
def create_bodyfile(image_path, offset, output_path):
|
||||
"""Generate a TSK bodyfile for timeline creation."""
|
||||
result = subprocess.run(
|
||||
["fls", "-r", "-m", "/", "-o", str(offset), image_path],
|
||||
capture_output=True, text=True,
|
||||
timeout=120,
|
||||
)
|
||||
if result.returncode == 0:
|
||||
with open(output_path, "w") as f:
|
||||
f.write(result.stdout)
|
||||
return result.returncode == 0
|
||||
cmd = f'fls -r -m "/" -o {offset} {image_path} > {output_path}'
|
||||
_, _, rc = run_cmd(cmd)
|
||||
return rc == 0
|
||||
|
||||
|
||||
def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
|
||||
"""Generate a timeline from a bodyfile using mactime."""
|
||||
cmd = ["mactime", "-b", bodyfile_path, "-d"]
|
||||
cmd = f"mactime -b {bodyfile_path} -d"
|
||||
if start_date and end_date:
|
||||
cmd.append(f"{start_date}..{end_date}")
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
if result.returncode == 0:
|
||||
with open(output_csv, "w") as f:
|
||||
f.write(result.stdout)
|
||||
return result.returncode == 0
|
||||
cmd += f" {start_date}..{end_date}"
|
||||
cmd += f" > {output_csv}"
|
||||
_, _, rc = run_cmd(cmd)
|
||||
return rc == 0
|
||||
|
||||
|
||||
def search_keywords(image_path, offset, keyword):
|
||||
"""Search for keyword strings in the disk image."""
|
||||
result = subprocess.run(
|
||||
["srch_strings", "-a", "-o", str(offset), image_path],
|
||||
capture_output=True, text=True,
|
||||
timeout=120,
|
||||
)
|
||||
if result.returncode != 0 or not result.stdout:
|
||||
return []
|
||||
keyword_lower = keyword.lower()
|
||||
return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]
|
||||
cmd = f'srch_strings -a -o {offset} {image_path} | grep -i "{keyword}"'
|
||||
stdout, _, rc = run_cmd(cmd)
|
||||
return stdout.splitlines() if rc == 0 else []
|
||||
|
||||
|
||||
def find_file_signature(image_path, offset, hex_signature):
|
||||
@@ -202,8 +179,7 @@ if __name__ == "__main__":
|
||||
|
||||
if len(sys.argv) > 1:
|
||||
image = sys.argv[1]
|
||||
import tempfile
|
||||
case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
|
||||
case = sys.argv[2] if len(sys.argv) > 2 else "/tmp/autopsy_case"
|
||||
if os.path.exists(image):
|
||||
analyze_image(image, case)
|
||||
else:
|
||||
|
||||
@@ -1,28 +1,16 @@
|
||||
---
|
||||
name: analyzing-dns-logs-for-exfiltration
|
||||
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
|
||||
C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
|
||||
teams need to identify DNS-based threats that bypass traditional network security controls.
|
||||
|
||||
'
|
||||
description: >
|
||||
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
|
||||
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
|
||||
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
|
||||
traditional network security controls.
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags:
|
||||
- soc
|
||||
- dns
|
||||
- exfiltration
|
||||
- dns-tunneling
|
||||
- dga
|
||||
- c2-detection
|
||||
- splunk
|
||||
- threat-detection
|
||||
version: '1.0'
|
||||
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0024
|
||||
- AML.T0056
|
||||
- AML.T0086
|
||||
---
|
||||
# Analyzing DNS Logs for Exfiltration
|
||||
|
||||
|
||||
@@ -2,6 +2,11 @@
|
||||
"""DNS exfiltration detection agent using entropy analysis and query pattern detection."""
|
||||
|
||||
import math
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import csv
|
||||
import datetime
|
||||
from collections import Counter, defaultdict
|
||||
|
||||
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Docker container forensics agent for investigating compromised containers."""
|
||||
|
||||
import shlex
|
||||
import subprocess
|
||||
import json
|
||||
import os
|
||||
@@ -11,10 +10,8 @@ import datetime
|
||||
|
||||
|
||||
def run_cmd(cmd):
|
||||
"""Execute a command and return output."""
|
||||
if isinstance(cmd, str):
|
||||
cmd = shlex.split(cmd)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
"""Execute a shell command and return output."""
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
@@ -137,13 +134,9 @@ def detect_suspicious_files(changes):
|
||||
|
||||
def export_container(container_id, output_path):
|
||||
"""Export container filesystem as a tarball for offline analysis."""
|
||||
with open(output_path, "wb") as out_f:
|
||||
result = subprocess.run(
|
||||
["docker", "export", container_id],
|
||||
stdout=out_f, stderr=subprocess.PIPE,
|
||||
timeout=120,
|
||||
)
|
||||
if result.returncode == 0 and os.path.exists(output_path):
|
||||
cmd = f"docker export {container_id} > {output_path}"
|
||||
_, _, rc = run_cmd(cmd)
|
||||
if rc == 0 and os.path.exists(output_path):
|
||||
sha256 = hashlib.sha256()
|
||||
with open(output_path, "rb") as f:
|
||||
for chunk in iter(lambda: f.read(65536), b""):
|
||||
|
||||
@@ -1,22 +1,12 @@
|
||||
---
|
||||
name: analyzing-email-headers-for-phishing-investigation
|
||||
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
|
||||
spoofing through SPF, DKIM, and DMARC validation.
|
||||
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags:
|
||||
- forensics
|
||||
- email-analysis
|
||||
- phishing
|
||||
- spf
|
||||
- dkim
|
||||
- dmarc
|
||||
- header-analysis
|
||||
version: '1.0'
|
||||
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0052
|
||||
---
|
||||
|
||||
# Analyzing Email Headers for Phishing Investigation
|
||||
|
||||
@@ -8,6 +8,7 @@ import hashlib
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import json
|
||||
from email import policy
|
||||
|
||||
|
||||
@@ -146,10 +147,9 @@ def extract_attachments(msg, output_dir=None):
|
||||
|
||||
def dns_lookup(domain, record_type="TXT"):
|
||||
"""Perform DNS lookup for SPF/DKIM/DMARC records."""
|
||||
stdout, _, rc = subprocess.run(
|
||||
["dig", record_type, domain, "+short"],
|
||||
capture_output=True, text=True, timeout=10
|
||||
).stdout, "", 0
|
||||
cmd = f"dig {record_type} {domain} +short"
|
||||
stdout, _, rc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
|
||||
timeout=10).stdout, "", 0
|
||||
return stdout.strip() if stdout else ""
|
||||
|
||||
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing ethereum smart contract vulnerabilities
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.10+ with pip
|
||||
|
||||
@@ -5,6 +5,7 @@ import json
|
||||
import argparse
|
||||
import logging
|
||||
import subprocess
|
||||
import os
|
||||
from collections import defaultdict
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Go (Golang) has become a popular language for malware authors due to its cross-compilation capabilities, static linking that produces self-contained binaries, and the complexity it introduces for reverse engineering. Go binaries contain the entire runtime, standard library, and all dependencies statically linked, resulting in large binaries (often 5-15MB) with thousands of functions. Ghidra struggles with Go-specific string formats (non-null-terminated), stripped function names, and goroutine concurrency patterns. Specialized tools like GoResolver (Volexity, 2025) use control-flow graph similarity to automatically deobfuscate and recover function names in stripped or obfuscated Go binaries.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing golang malware with ghidra
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Ghidra 11.0+ with JDK 17+
|
||||
@@ -45,7 +37,7 @@ Despite stripping symbol tables, Go binaries retain function names within the pc
|
||||
|
||||
Go's dependency management embeds module paths and version strings in the binary. Extracting these reveals the malware's third-party dependencies (HTTP libraries, encryption packages, C2 frameworks), which provides insight into capabilities without full reverse engineering.
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Initial Binary Analysis
|
||||
|
||||
|
||||
@@ -5,6 +5,7 @@ Analyzes Go binaries to extract function names, strings, build metadata,
|
||||
package information, and detects common Go malware characteristics.
|
||||
"""
|
||||
|
||||
import struct
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing heap spray exploitation
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `volatility3` framework installed
|
||||
|
||||
@@ -1,27 +1,17 @@
|
||||
---
|
||||
name: analyzing-indicators-of-compromise
|
||||
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
|
||||
to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
|
||||
emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
|
||||
decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
|
||||
|
||||
'
|
||||
description: >
|
||||
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
|
||||
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
|
||||
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
|
||||
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
|
||||
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
|
||||
domain: cybersecurity
|
||||
subdomain: threat-intelligence
|
||||
tags:
|
||||
- IOC
|
||||
- VirusTotal
|
||||
- AbuseIPDB
|
||||
- MalwareBazaar
|
||||
- MISP
|
||||
- threat-intelligence
|
||||
- STIX
|
||||
- NIST-CSF
|
||||
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0052
|
||||
---
|
||||
# Analyzing Indicators of Compromise
|
||||
|
||||
|
||||
@@ -3,7 +3,9 @@
|
||||
|
||||
import re
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import hashlib
|
||||
import datetime
|
||||
|
||||
try:
|
||||
@@ -67,7 +69,7 @@ def is_private_ip(ip):
|
||||
def query_virustotal_hash(sha256, api_key):
|
||||
"""Query VirusTotal for a file hash."""
|
||||
url = f"https://www.virustotal.com/api/v3/files/{sha256}"
|
||||
resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
|
||||
resp = requests.get(url, headers={"x-apikey": api_key})
|
||||
if resp.status_code == 200:
|
||||
data = resp.json().get("data", {}).get("attributes", {})
|
||||
stats = data.get("last_analysis_stats", {})
|
||||
@@ -86,7 +88,7 @@ def query_virustotal_hash(sha256, api_key):
|
||||
def query_virustotal_domain(domain, api_key):
|
||||
"""Query VirusTotal for domain reputation."""
|
||||
url = f"https://www.virustotal.com/api/v3/domains/{domain}"
|
||||
resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
|
||||
resp = requests.get(url, headers={"x-apikey": api_key})
|
||||
if resp.status_code == 200:
|
||||
data = resp.json().get("data", {}).get("attributes", {})
|
||||
stats = data.get("last_analysis_stats", {})
|
||||
@@ -105,7 +107,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
|
||||
"""Query AbuseIPDB for IP reputation."""
|
||||
url = "https://api.abuseipdb.com/api/v2/check"
|
||||
resp = requests.get(url, headers={"Key": api_key, "Accept": "application/json"},
|
||||
params={"ipAddress": ip, "maxAgeInDays": max_age_days}, timeout=30)
|
||||
params={"ipAddress": ip, "maxAgeInDays": max_age_days})
|
||||
if resp.status_code == 200:
|
||||
data = resp.json().get("data", {})
|
||||
return {
|
||||
@@ -123,7 +125,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
|
||||
def query_malwarebazaar(sha256):
|
||||
"""Query MalwareBazaar for file hash information."""
|
||||
url = "https://mb-api.abuse.ch/api/v1/"
|
||||
resp = requests.post(url, data={"query": "get_info", "hash": sha256}, timeout=30)
|
||||
resp = requests.post(url, data={"query": "get_info", "hash": sha256})
|
||||
if resp.status_code == 200:
|
||||
result = resp.json()
|
||||
if result.get("query_status") == "ok" and result.get("data"):
|
||||
|
||||
@@ -1,31 +1,18 @@
|
||||
---
|
||||
name: analyzing-ios-app-security-with-objection
|
||||
description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
|
||||
enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
|
||||
bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
|
||||
Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
|
||||
runtime exploration.
|
||||
|
||||
'
|
||||
description: >
|
||||
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
|
||||
toolkit that enables security testers to interact with app internals without jailbreaking. Use when
|
||||
assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
|
||||
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
|
||||
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
|
||||
exploration.
|
||||
domain: cybersecurity
|
||||
subdomain: mobile-security
|
||||
author: mahipal
|
||||
tags:
|
||||
- mobile-security
|
||||
- ios
|
||||
- objection
|
||||
- frida
|
||||
- owasp-mobile
|
||||
- penetration-testing
|
||||
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
|
||||
version: 1.0.0
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0054
|
||||
nist_ai_rmf:
|
||||
- MEASURE-2.7
|
||||
- MANAGE-2.4
|
||||
- GOVERN-6.2
|
||||
- MAP-5.1
|
||||
---
|
||||
# Analyzing iOS App Security with Objection
|
||||
|
||||
|
||||
@@ -7,7 +7,9 @@ keychain dumping, filesystem inspection, and jailbreak detection bypass.
|
||||
|
||||
import subprocess
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import re
|
||||
|
||||
|
||||
def run_objection(command, app_id=None, timeout=30):
|
||||
|
||||
@@ -15,21 +15,6 @@ license: Apache-2.0
|
||||
|
||||
# Analyzing Kubernetes Audit Logs
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing kubernetes audit logs
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with container security concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Agent for analyzing Kubernetes audit logs for security threats."""
|
||||
|
||||
import os
|
||||
import json
|
||||
import argparse
|
||||
from collections import defaultdict
|
||||
|
||||
@@ -1,257 +1,18 @@
|
||||
---
|
||||
name: analyzing-linux-audit-logs-for-intrusion
|
||||
description: >
|
||||
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
|
||||
to detect intrusion attempts, unauthorized access, privilege escalation, and
|
||||
suspicious system activity. Covers audit rule configuration, log querying,
|
||||
timeline reconstruction, and integration with SIEM platforms. Activates for
|
||||
requests involving auditd analysis, Linux audit log investigation, ausearch
|
||||
queries, aureport summaries, or host-based intrusion detection on Linux.
|
||||
Parse and analyze Linux auditd logs to detect intrusion indicators
|
||||
including unauthorized file access, privilege escalation, syscall
|
||||
anomalies, and suspicious process execution using ausearch and Python.
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
|
||||
version: 1.0.0
|
||||
subdomain: log-analysis
|
||||
tags: [auditd, linux-forensics, syscall-monitoring, intrusion-detection]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Analyzing Linux Audit Logs for Intrusion
|
||||
|
||||
## When to Use
|
||||
|
||||
- Investigating suspected unauthorized access or privilege escalation on Linux hosts
|
||||
- Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
|
||||
- Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
|
||||
- Reconstructing a timeline of attacker actions during incident response
|
||||
- Detecting file tampering on critical system files such as `/etc/passwd`, `/etc/shadow`, or SSH keys
|
||||
|
||||
**Do not use** for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Linux system with `auditd` package installed and the audit daemon running (`systemctl status auditd`)
|
||||
- Root or sudo access to configure audit rules and query logs
|
||||
- Audit rules deployed via `/etc/audit/rules.d/*.rules` or loaded with `auditctl`
|
||||
- Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage
|
||||
- Familiarity with Linux syscalls (`execve`, `open`, `connect`, `ptrace`, etc.)
|
||||
- Log storage with sufficient retention (default location: `/var/log/audit/audit.log`)
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Verify Audit Daemon Status and Configuration
|
||||
|
||||
Confirm the audit system is running and check the current rule set:
|
||||
|
||||
```bash
|
||||
# Check auditd service status
|
||||
systemctl status auditd
|
||||
|
||||
# Show current audit rules loaded in the kernel
|
||||
auditctl -l
|
||||
|
||||
# Show audit daemon configuration
|
||||
cat /etc/audit/auditd.conf | grep -E "log_file|max_log_file|num_logs|space_left_action"
|
||||
|
||||
# Check if the audit backlog is being exceeded (dropped events)
|
||||
auditctl -s
|
||||
```
|
||||
|
||||
If the backlog limit is being reached, increase it:
|
||||
|
||||
```bash
|
||||
auditctl -b 8192
|
||||
```
|
||||
|
||||
### Step 2: Deploy Intrusion-Focused Audit Rules
|
||||
|
||||
Add rules that target common intrusion indicators. Place these in `/etc/audit/rules.d/intrusion.rules`:
|
||||
|
||||
```bash
|
||||
# Monitor credential files for unauthorized reads or modifications
|
||||
-w /etc/passwd -p wa -k credential_access
|
||||
-w /etc/shadow -p rwa -k credential_access
|
||||
-w /etc/gshadow -p rwa -k credential_access
|
||||
-w /etc/sudoers -p wa -k privilege_escalation
|
||||
-w /etc/sudoers.d/ -p wa -k privilege_escalation
|
||||
|
||||
# Monitor SSH configuration and authorized keys
|
||||
-w /etc/ssh/sshd_config -p wa -k sshd_config_change
|
||||
-w /root/.ssh/authorized_keys -p wa -k ssh_key_tampering
|
||||
|
||||
# Monitor user and group management commands
|
||||
-w /usr/sbin/useradd -p x -k user_management
|
||||
-w /usr/sbin/usermod -p x -k user_management
|
||||
-w /usr/sbin/groupadd -p x -k user_management
|
||||
|
||||
# Detect process injection via ptrace
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k process_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k process_injection
|
||||
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k process_injection
|
||||
|
||||
# Monitor execution of programs from unusual directories
|
||||
-a always,exit -F arch=b64 -S execve -F exe=/tmp -k exec_from_tmp
|
||||
-a always,exit -F arch=b64 -S execve -F exe=/dev/shm -k exec_from_shm
|
||||
|
||||
# Detect kernel module loading (rootkit installation)
|
||||
-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module_load
|
||||
-a always,exit -F arch=b64 -S delete_module -k kernel_module_remove
|
||||
-w /sbin/insmod -p x -k kernel_module_tool
|
||||
-w /sbin/modprobe -p x -k kernel_module_tool
|
||||
|
||||
# Monitor network socket creation for reverse shells
|
||||
-a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created
|
||||
-a always,exit -F arch=b64 -S connect -F a0=2 -k network_connection
|
||||
|
||||
# Detect cron job modifications (persistence)
|
||||
-w /etc/crontab -p wa -k cron_persistence
|
||||
-w /etc/cron.d/ -p wa -k cron_persistence
|
||||
-w /var/spool/cron/ -p wa -k cron_persistence
|
||||
|
||||
# Monitor log deletion or tampering
|
||||
-w /var/log/ -p wa -k log_tampering
|
||||
```
|
||||
|
||||
Reload rules after editing:
|
||||
|
||||
```bash
|
||||
augenrules --load
|
||||
auditctl -l | wc -l # Confirm rule count
|
||||
```
|
||||
|
||||
### Step 3: Search for Intrusion Indicators with ausearch
|
||||
|
||||
Use `ausearch` to query the audit log for specific events:
|
||||
|
||||
```bash
|
||||
# Search for all failed login attempts in the last 24 hours
|
||||
ausearch -m USER_LOGIN --success no -ts recent
|
||||
|
||||
# Search for commands executed by a specific user
|
||||
ausearch -ua 1001 -m EXECVE -ts today
|
||||
|
||||
# Search for all file access events on /etc/shadow
|
||||
ausearch -f /etc/shadow -ts this-week
|
||||
|
||||
# Search for privilege escalation via sudo
|
||||
ausearch -m USER_CMD -ts today
|
||||
|
||||
# Search for kernel module loading events
|
||||
ausearch -k kernel_module_load -ts this-month
|
||||
|
||||
# Search for processes executed from /tmp (common attack staging)
|
||||
ausearch -k exec_from_tmp -ts this-week
|
||||
|
||||
# Search for SSH key modifications
|
||||
ausearch -k ssh_key_tampering -ts this-month
|
||||
|
||||
# Search for a specific event by audit event ID
|
||||
ausearch -a 12345
|
||||
|
||||
# Search events in a specific time range
|
||||
ausearch -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00
|
||||
|
||||
# Interpret syscall numbers and format output readably
|
||||
ausearch -k credential_access -i -ts today
|
||||
```
|
||||
|
||||
### Step 4: Generate Summary Reports with aureport
|
||||
|
||||
Use `aureport` to produce aggregate summaries for triage:
|
||||
|
||||
```bash
|
||||
# Summary of all authentication events
|
||||
aureport -au -ts this-week --summary
|
||||
|
||||
# Report of all failed events (login, access, etc.)
|
||||
aureport --failed --summary -ts today
|
||||
|
||||
# Report of executable runs
|
||||
aureport -x --summary -ts today
|
||||
|
||||
# Report of all anomaly events (segfaults, promiscuous mode, etc.)
|
||||
aureport --anomaly -ts this-week
|
||||
|
||||
# Report of file access events
|
||||
aureport -f --summary -ts today
|
||||
|
||||
# Report of all events by key (maps to your custom rule keys)
|
||||
aureport -k --summary -ts this-month
|
||||
|
||||
# Report of all system calls
|
||||
aureport -s --summary -ts today
|
||||
|
||||
# Report of events grouped by user
|
||||
aureport -u --summary -ts this-week
|
||||
|
||||
# Detailed time-based event report for timeline building
|
||||
aureport -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00 --summary
|
||||
```
|
||||
|
||||
### Step 5: Reconstruct the Attack Timeline
|
||||
|
||||
Combine ausearch queries to build a chronological narrative:
|
||||
|
||||
```bash
|
||||
# Step 5a: Identify the initial access timestamp
|
||||
ausearch -m USER_LOGIN -ua 0 --success yes -ts this-week -i | head -50
|
||||
|
||||
# Step 5b: Trace what the attacker did after gaining access
|
||||
# Get all events from the compromised account within the incident window
|
||||
ausearch -ua <UID> -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i \
|
||||
| aureport -f -i
|
||||
|
||||
# Step 5c: Extract all commands executed during the incident window
|
||||
ausearch -m EXECVE -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i
|
||||
|
||||
# Step 5d: Check for persistence mechanisms installed
|
||||
ausearch -k cron_persistence -ts "03/15/2026 14:00:00" -i
|
||||
ausearch -k ssh_key_tampering -ts "03/15/2026 14:00:00" -i
|
||||
|
||||
# Step 5e: Check for lateral movement (outbound connections)
|
||||
ausearch -k network_connection -ts "03/15/2026 14:00:00" -i
|
||||
```
|
||||
|
||||
### Step 6: Forward Audit Logs to SIEM
|
||||
|
||||
Configure `audisp-remote` or `auditbeat` to ship logs to a central SIEM for correlation:
|
||||
|
||||
```bash
|
||||
# Option A: Using audisp-remote plugin
|
||||
# Edit /etc/audit/plugins.d/au-remote.conf
|
||||
active = yes
|
||||
direction = out
|
||||
path = /sbin/audisp-remote
|
||||
type = always
|
||||
|
||||
# Configure remote target in /etc/audit/audisp-remote.conf
|
||||
remote_server = siem.internal.corp
|
||||
port = 6514
|
||||
transport = tcp
|
||||
|
||||
# Option B: Using Elastic Auditbeat
|
||||
# Install auditbeat and configure /etc/auditbeat/auditbeat.yml
|
||||
# Auditbeat reads directly from the kernel audit framework
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|------------|
|
||||
| **auditd** | The Linux Audit daemon that receives audit events from the kernel and writes them to `/var/log/audit/audit.log` |
|
||||
| **auditctl** | Command-line utility to control the audit system: add/remove rules, check status, set backlog size |
|
||||
| **ausearch** | Query tool that searches audit logs by message type, user, file, key, time range, or event ID |
|
||||
| **aureport** | Reporting tool that generates aggregate summaries of audit events for triage and compliance |
|
||||
| **audit rule key (-k)** | A user-defined label attached to an audit rule, enabling fast filtering of related events with ausearch and aureport |
|
||||
| **syscall auditing** | Kernel-level monitoring of system calls (execve, open, connect, ptrace) that captures process and file activity |
|
||||
| **augenrules** | Utility that merges all files in `/etc/audit/rules.d/` into `/etc/audit/audit.rules` and loads them into the kernel |
|
||||
|
||||
## Verification
|
||||
|
||||
- [ ] auditd is running and rules are loaded (`auditctl -l` returns expected rule count)
|
||||
- [ ] No audit backlog overflow (`auditctl -s` shows `backlog: 0` or low value, lost: 0)
|
||||
- [ ] ausearch returns events for each custom key (`ausearch -k <key> -ts today` returns results)
|
||||
- [ ] aureport generates non-empty summaries for authentication, executable, and file events
|
||||
- [ ] Timeline reconstruction produces a coherent chronological sequence of attacker actions
|
||||
- [ ] Critical file watches trigger alerts on test modifications (`touch /etc/shadow` generates an event)
|
||||
- [ ] Logs are forwarding to central SIEM (verify with a test event and confirm receipt)
|
||||
- [ ] Audit rules persist across reboot (rules in `/etc/audit/rules.d/`, not only via `auditctl`)
|
||||
Parse auditd logs to detect file access violations, privilege escalation,
|
||||
suspicious syscalls, and unauthorized process execution.
|
||||
|
||||
@@ -7,6 +7,7 @@ unauthorized file access, suspicious syscalls, and process execution anomalies.
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
import datetime
|
||||
|
||||
@@ -6,10 +6,12 @@ import math
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import struct
|
||||
from collections import Counter
|
||||
|
||||
try:
|
||||
from elftools.elf.elffile import ELFFile
|
||||
from elftools.elf.sections import SymbolTableSection
|
||||
HAS_ELFTOOLS = True
|
||||
except ImportError:
|
||||
HAS_ELFTOOLS = False
|
||||
@@ -83,8 +85,8 @@ def analyze_sections(filepath):
|
||||
def extract_strings(filepath, min_length=6):
|
||||
"""Extract ASCII strings from the binary and categorize by type."""
|
||||
stdout, _, rc = subprocess.run(
|
||||
["strings", "-n", str(min_length), filepath],
|
||||
capture_output=True, text=True, timeout=120
|
||||
f"strings -n {min_length} {filepath}", shell=True,
|
||||
capture_output=True, text=True
|
||||
).stdout, "", 0
|
||||
if not stdout:
|
||||
return {}
|
||||
@@ -124,9 +126,8 @@ def check_packing(filepath):
|
||||
indicators.append("UPX packer detected (UPX! magic)")
|
||||
if b"UPX0" in data or b"UPX1" in data:
|
||||
indicators.append("UPX section names found")
|
||||
stdout, _, _ = subprocess.run(["upx", "-t", filepath],
|
||||
capture_output=True, text=True,
|
||||
stderr=subprocess.STDOUT, timeout=120).stdout, "", 0
|
||||
stdout, _, _ = subprocess.run(f"upx -t {filepath} 2>&1", shell=True,
|
||||
capture_output=True, text=True).stdout, "", 0
|
||||
if stdout and "packed" in stdout.lower():
|
||||
indicators.append("UPX verification confirms packing")
|
||||
return indicators
|
||||
@@ -134,8 +135,8 @@ def check_packing(filepath):
|
||||
|
||||
def analyze_dynamic_linking(filepath):
|
||||
"""Analyze dynamic linking information and imported functions."""
|
||||
stdout, _, rc = subprocess.run(["readelf", "-d", filepath],
|
||||
capture_output=True, text=True, timeout=120).stdout, "", 0
|
||||
stdout, _, rc = subprocess.run(f"readelf -d {filepath}", shell=True,
|
||||
capture_output=True, text=True).stdout, "", 0
|
||||
dynamic_info = {"libraries": [], "rpath": None}
|
||||
if stdout:
|
||||
for line in stdout.splitlines():
|
||||
@@ -145,17 +146,10 @@ def analyze_dynamic_linking(filepath):
|
||||
if "RPATH" in line or "RUNPATH" in line:
|
||||
dynamic_info["rpath"] = line.split("[")[-1].rstrip("]")
|
||||
|
||||
readelf_proc = subprocess.run(
|
||||
["readelf", "-r", filepath],
|
||||
capture_output=True, text=True,
|
||||
timeout=120,
|
||||
)
|
||||
import re as _re
|
||||
suspicious_funcs = _re.compile(r'socket|connect|exec|fork|open|write|bind|listen|send|recv')
|
||||
stdout2 = "\n".join(
|
||||
line for line in (readelf_proc.stdout or "").splitlines()
|
||||
if suspicious_funcs.search(line)
|
||||
)
|
||||
stdout2, _, _ = subprocess.run(
|
||||
f"readelf -r {filepath} | grep -E 'socket|connect|exec|fork|open|write|bind|listen|send|recv'",
|
||||
shell=True, capture_output=True, text=True
|
||||
).stdout, "", 0
|
||||
dynamic_info["suspicious_imports"] = [
|
||||
line.strip() for line in (stdout2 or "").splitlines() if line.strip()
|
||||
]
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing linux kernel rootkits
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Volatility3 installed (pip install volatility3)
|
||||
@@ -48,73 +40,3 @@ Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files
|
||||
## Expected Output
|
||||
|
||||
JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.
|
||||
|
||||
## Example Output
|
||||
|
||||
```text
|
||||
$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204
|
||||
|
||||
Linux Kernel Rootkit Analysis Report
|
||||
=====================================
|
||||
Memory Image: /evidence/linux-mem.lime
|
||||
Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS)
|
||||
Analysis Time: 2024-01-18 09:15:32 UTC
|
||||
|
||||
[+] Scanning syscall table for hooks...
|
||||
Syscall Table Base: 0xffffffff82200300
|
||||
Total syscalls checked: 449
|
||||
|
||||
HOOKED SYSCALLS DETECTED:
|
||||
┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐
|
||||
│ NR │ Syscall │ Expected Address │ Current Address │
|
||||
├─────────┼──────────────────┼──────────────────────┼──────────────────────┤
|
||||
│ 0 │ sys_read │ 0xffffffff8139a0e0 │ 0xffffffffc0a12000 │
|
||||
│ 2 │ sys_open │ 0xffffffff8139b340 │ 0xffffffffc0a12180 │
|
||||
│ 78 │ sys_getdents64 │ 0xffffffff813f5210 │ 0xffffffffc0a12300 │
|
||||
│ 62 │ sys_kill │ 0xffffffff8110c4a0 │ 0xffffffffc0a12480 │
|
||||
└─────────┴──────────────────┴──────────────────────┴──────────────────────┘
|
||||
WARNING: 4 syscall hooks detected - rootkit behavior confirmed
|
||||
|
||||
[+] Checking for hidden kernel modules...
|
||||
Loaded modules (lsmod): 147
|
||||
Modules in kobject list: 149
|
||||
HIDDEN MODULES:
|
||||
- "netfilter_helper" at 0xffffffffc0a10000 (size: 12288)
|
||||
- "kworker_sched" at 0xffffffffc0a14000 (size: 8192)
|
||||
|
||||
[+] Scanning /proc for discrepancies...
|
||||
Processes in task_struct list: 234
|
||||
Processes visible in /proc: 231
|
||||
HIDDEN PROCESSES:
|
||||
- PID 31337 cmd: "[kworker/0:3]" (disguised as kernel thread)
|
||||
- PID 31442 cmd: "rsyslogd" (fake, real rsyslogd is PID 892)
|
||||
- PID 31500 cmd: "" (unnamed process)
|
||||
|
||||
[+] Checking IDT entries...
|
||||
IDT entries scanned: 256
|
||||
Modified entries: 0 (clean)
|
||||
|
||||
[+] Running rkhunter scan...
|
||||
Checking for known rootkits: 68 variants checked
|
||||
Diamorphine rootkit: WARNING - signatures match
|
||||
System binary checks:
|
||||
/usr/bin/ps: MODIFIED (SHA-256 mismatch)
|
||||
/usr/bin/netstat: MODIFIED (SHA-256 mismatch)
|
||||
/usr/bin/ls: MODIFIED (SHA-256 mismatch)
|
||||
/usr/sbin/ss: OK
|
||||
|
||||
[+] Network analysis...
|
||||
Hidden connections (not in /proc/net/tcp):
|
||||
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337)
|
||||
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442)
|
||||
|
||||
Summary:
|
||||
Rootkit Type: Loadable Kernel Module (LKM)
|
||||
Probable Family: Diamorphine variant
|
||||
Syscall Hooks: 4 (read, open, getdents64, kill)
|
||||
Hidden Modules: 2
|
||||
Hidden Processes: 3
|
||||
Hidden Connections: 2 (C2: 198.51.100.47)
|
||||
Modified Binaries: 3 (/usr/bin/ps, netstat, ls)
|
||||
Risk Level: CRITICAL
|
||||
```
|
||||
|
||||
@@ -6,6 +6,7 @@ import argparse
|
||||
import logging
|
||||
import subprocess
|
||||
import os
|
||||
from collections import defaultdict
|
||||
from datetime import datetime
|
||||
|
||||
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
|
||||
|
||||
@@ -4,15 +4,15 @@
|
||||
import os
|
||||
import sys
|
||||
import glob
|
||||
import shlex
|
||||
import json
|
||||
import re
|
||||
import datetime
|
||||
import subprocess
|
||||
|
||||
|
||||
def run_cmd(cmd):
|
||||
"""Execute a command and return output."""
|
||||
if isinstance(cmd, str):
|
||||
cmd = shlex.split(cmd)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
|
||||
"""Execute a shell command and return output."""
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
@@ -196,12 +196,10 @@ def check_ld_preload(evidence_root):
|
||||
|
||||
def find_suid_binaries(evidence_root):
|
||||
"""Find SUID/SGID binaries (potential privilege escalation)."""
|
||||
result = subprocess.run(
|
||||
["find", evidence_root, "-perm", "-4000", "-type", "f"],
|
||||
capture_output=True, text=True, timeout=30
|
||||
stdout, _, rc = run_cmd(
|
||||
f"find {evidence_root} -perm -4000 -type f 2>/dev/null"
|
||||
)
|
||||
stdout = result.stdout.strip()
|
||||
return stdout.splitlines() if result.returncode == 0 and stdout else []
|
||||
return stdout.splitlines() if rc == 0 and stdout else []
|
||||
|
||||
|
||||
def find_suspicious_tmp_files(evidence_root):
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing lnk file and jump list artifacts
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- LECmd (Eric Zimmerman) for LNK file parsing
|
||||
@@ -197,74 +189,3 @@ Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jum
|
||||
- Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
|
||||
- Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
|
||||
- Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/
|
||||
|
||||
## Example Output
|
||||
|
||||
```text
|
||||
$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output
|
||||
|
||||
LECmd v1.11.0 - LNK File Parser
|
||||
================================
|
||||
|
||||
Processing 47 LNK files...
|
||||
|
||||
--- LNK File: Q4_Report.xlsx.lnk ---
|
||||
Source: C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
|
||||
Target Path: C:\Users\jsmith\Downloads\Q4_Report.xlsm
|
||||
Target Created: 2024-01-15 14:33:45 UTC
|
||||
Target Modified: 2024-01-15 14:33:45 UTC
|
||||
Target Accessed: 2024-01-15 14:35:12 UTC
|
||||
File Size: 251,904 bytes
|
||||
Drive Type: Fixed (C:)
|
||||
Volume Serial: A4E7-3F21
|
||||
Machine ID: DESKTOP-J5M1TH
|
||||
MAC Address: 48:2A:E3:5C:9B:01
|
||||
|
||||
--- LNK File: update_client.exe.lnk ---
|
||||
Source: C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
|
||||
Target Path: C:\ProgramData\Updates\update_client.exe
|
||||
Target Created: 2024-01-15 14:34:02 UTC
|
||||
Target Modified: 2024-01-15 14:34:02 UTC
|
||||
Target Accessed: 2024-01-15 14:36:30 UTC
|
||||
File Size: 1,258,496 bytes
|
||||
Drive Type: Fixed (C:)
|
||||
Volume Serial: A4E7-3F21
|
||||
Machine ID: DESKTOP-J5M1TH
|
||||
Working Dir: C:\ProgramData\Updates
|
||||
Arguments: --silent --no-update-check
|
||||
Run Window: Hidden
|
||||
|
||||
======================================================================
|
||||
|
||||
$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output
|
||||
|
||||
JLECmd v1.5.0 - Jump List Parser
|
||||
==================================
|
||||
|
||||
Processing 23 AutomaticDestinations files...
|
||||
|
||||
--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
|
||||
Entries: 15
|
||||
Most Recent:
|
||||
Entry 0: C:\Users\jsmith\Downloads\Q4_Report.xlsm (2024-01-15 14:35:12 UTC)
|
||||
Entry 1: \\FILESERV01\Finance\Budget_2024.xlsx (2024-01-14 09:22:30 UTC)
|
||||
Entry 2: C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx (2024-01-10 16:45:00 UTC)
|
||||
|
||||
--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
|
||||
Entries: 28
|
||||
Most Recent:
|
||||
Entry 0: C:\ProgramData\Updates\ (2024-01-15 14:36:25 UTC)
|
||||
Entry 1: E:\Backup\ (2024-01-15 15:30:00 UTC)
|
||||
Entry 2: \\FILESERV01\HR\Employees\ (2024-01-15 16:12:45 UTC)
|
||||
|
||||
--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
|
||||
Entries: 5
|
||||
Most Recent:
|
||||
Entry 0: C:\Windows\System32\cmd.exe (2024-01-15 14:36:00 UTC)
|
||||
|
||||
Summary:
|
||||
Total LNK files processed: 47
|
||||
Total Jump List entries: 156
|
||||
Suspicious artifacts: 3 (hidden window execution, USB drive access, network shares)
|
||||
CSV exported to: /analysis/lnk_output/ and /analysis/jumplist_output/
|
||||
```
|
||||
|
||||
@@ -1,31 +1,17 @@
|
||||
---
|
||||
name: analyzing-macro-malware-in-office-documents
|
||||
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
|
||||
cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
|
||||
to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
|
||||
or document-based threat examination.
|
||||
|
||||
'
|
||||
description: >
|
||||
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
|
||||
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
|
||||
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
|
||||
Activates for requests involving Office macro analysis, VBA malware investigation,
|
||||
maldoc analysis, or document-based threat examination.
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags:
|
||||
- malware
|
||||
- macro
|
||||
- Office
|
||||
- VBA
|
||||
- document-malware
|
||||
tags: [malware, macro, Office, VBA, document-malware]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0068
|
||||
- AML.T0067
|
||||
d3fend_techniques:
|
||||
- File Metadata Consistency Validation
|
||||
- Application Protocol Command Analysis
|
||||
- Identifier Analysis
|
||||
- Content Format Conversion
|
||||
- Message Analysis
|
||||
---
|
||||
|
||||
# Analyzing Macro Malware in Office Documents
|
||||
|
||||
@@ -5,11 +5,12 @@ import re
|
||||
import os
|
||||
import sys
|
||||
import hashlib
|
||||
import subprocess
|
||||
import json
|
||||
import zipfile
|
||||
|
||||
try:
|
||||
from oletools.olevba import VBA_Parser
|
||||
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML
|
||||
from oletools import oleid
|
||||
HAS_OLETOOLS = True
|
||||
except ImportError:
|
||||
|
||||
@@ -37,9 +37,9 @@ def run_pdfid(filepath):
|
||||
"""Run pdfid.py to triage PDF for suspicious keywords."""
|
||||
cmd = ["python3", "-m", "pdfid", filepath]
|
||||
alt_cmd = ["pdfid.py", filepath]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
if result.returncode != 0:
|
||||
result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(alt_cmd, capture_output=True, text=True)
|
||||
keywords = {}
|
||||
for line in result.stdout.strip().split("\n"):
|
||||
line = line.strip()
|
||||
@@ -59,9 +59,9 @@ def run_peepdf_analysis(filepath):
|
||||
"""Run peepdf for detailed PDF object analysis."""
|
||||
cmd = ["peepdf", "-f", "-l", filepath]
|
||||
alt_cmd = ["python3", "-m", "peepdf", "-f", "-l", filepath]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
if result.returncode != 0:
|
||||
result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(alt_cmd, capture_output=True, text=True)
|
||||
analysis = {
|
||||
"versions": 0,
|
||||
"objects": 0,
|
||||
@@ -98,7 +98,7 @@ def run_pdf_parser(filepath, object_id=None):
|
||||
cmd = ["pdf-parser.py", "-o", str(object_id), "-f", "-d", filepath]
|
||||
else:
|
||||
cmd = ["pdf-parser.py", "--stats", filepath]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
return result.stdout[:3000]
|
||||
|
||||
|
||||
@@ -107,7 +107,7 @@ def extract_javascript(filepath, peepdf_analysis):
|
||||
js_content = []
|
||||
for obj_id in peepdf_analysis.get("js_objects", []):
|
||||
cmd = ["pdf-parser.py", "-o", str(obj_id), "-f", "-w", filepath]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
if result.stdout:
|
||||
js_content.append({
|
||||
"object_id": obj_id,
|
||||
|
||||
@@ -1,36 +1,18 @@
|
||||
---
|
||||
name: analyzing-malicious-url-with-urlscan
|
||||
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
|
||||
HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
|
||||
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
|
||||
domain: cybersecurity
|
||||
subdomain: phishing-defense
|
||||
tags:
|
||||
- phishing
|
||||
- email-security
|
||||
- social-engineering
|
||||
- dmarc
|
||||
- awareness
|
||||
- url-analysis
|
||||
- threat-intelligence
|
||||
version: '1.0'
|
||||
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
atlas_techniques:
|
||||
- AML.T0052
|
||||
---
|
||||
# Analyzing Malicious URL with URLScan
|
||||
|
||||
## Overview
|
||||
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing malicious url with urlscan
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
- URLScan.io account (free tier available, API key for automation)
|
||||
- Python 3.8+ with requests library
|
||||
@@ -59,7 +41,7 @@ URLScan.io is a free service for scanning and analyzing suspicious URLs. It capt
|
||||
- Data URIs or base64-encoded content
|
||||
- JavaScript-heavy pages with minimal HTML
|
||||
|
||||
## Workflow
|
||||
## Implementation Steps
|
||||
|
||||
### Step 1: Submit URL to URLScan
|
||||
```
|
||||
|
||||
@@ -4,7 +4,9 @@
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import hashlib
|
||||
import datetime
|
||||
|
||||
try:
|
||||
import requests
|
||||
@@ -28,7 +30,7 @@ def submit_file(filepath, timeout=300, machine=None, package=None):
|
||||
data["machine"] = machine
|
||||
if package:
|
||||
data["package"] = package
|
||||
resp = requests.post(url, files=files, data=data, timeout=30)
|
||||
resp = requests.post(url, files=files, data=data)
|
||||
if resp.status_code == 200:
|
||||
return resp.json().get("task_id")
|
||||
return None
|
||||
@@ -40,7 +42,7 @@ def submit_url(url_to_analyze, timeout=300):
|
||||
return None
|
||||
url = f"{CUCKOO_API}/tasks/create/url"
|
||||
data = {"url": url_to_analyze, "timeout": timeout}
|
||||
resp = requests.post(url, data=data, timeout=30)
|
||||
resp = requests.post(url, data=data)
|
||||
if resp.status_code == 200:
|
||||
return resp.json().get("task_id")
|
||||
return None
|
||||
@@ -51,7 +53,7 @@ def get_task_status(task_id):
|
||||
if not HAS_REQUESTS:
|
||||
return None
|
||||
url = f"{CUCKOO_API}/tasks/view/{task_id}"
|
||||
resp = requests.get(url, timeout=30)
|
||||
resp = requests.get(url)
|
||||
if resp.status_code == 200:
|
||||
return resp.json().get("task", {}).get("status")
|
||||
return None
|
||||
|
||||
@@ -14,14 +14,6 @@ license: Apache-2.0
|
||||
|
||||
Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing malware family relationships with malpedia
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `requests`, `yara-python`, `stix2` libraries
|
||||
@@ -44,7 +36,7 @@ Malpedia uses the format `platform.family_name` (e.g., `win.emotet`, `elf.mirai`
|
||||
|
||||
Malware families have relationships including: parent-child (code reuse, forks), loader-payload (Emotet loads TrickBot loads Ryuk), shared authorship (same threat actor develops multiple tools), and infrastructure sharing (common C2 frameworks).
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Query Malpedia API for Malware Families
|
||||
|
||||
|
||||
@@ -1,12 +1,92 @@
|
||||
---
|
||||
{}
|
||||
---tags:
|
||||
- autoruns
|
||||
- persistence
|
||||
- malware-analysis
|
||||
- sysinternals
|
||||
- windows
|
||||
- registry
|
||||
- startup
|
||||
- incident-response
|
||||
version: '1.0'
|
||||
name: analyzing-malware-persistence-with-autoruns
|
||||
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
# Analyzing Malware Persistence with Autoruns
|
||||
|
||||
## Overview
|
||||
|
||||
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
|
||||
- Administrative privileges on target system
|
||||
- Python 3.9+ for automated analysis
|
||||
- VirusTotal API key for reputation checks
|
||||
- Clean baseline export for comparison
|
||||
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: Automated Persistence Scanning
|
||||
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
"""Automate Autoruns-based persistence analysis."""
|
||||
import subprocess
|
||||
import csv
|
||||
import json
|
||||
import sys
|
||||
|
||||
|
||||
def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
|
||||
cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
|
||||
with open(csv_path, 'w') as f:
|
||||
f.write(result.stdout)
|
||||
return parse_and_flag(csv_path)
|
||||
|
||||
|
||||
def parse_and_flag(csv_path):
|
||||
suspicious = []
|
||||
with open(csv_path, 'r', errors='replace') as f:
|
||||
for row in csv.DictReader(f):
|
||||
reasons = []
|
||||
signer = row.get("Signer", "")
|
||||
if not signer or signer == "(Not verified)":
|
||||
reasons.append("Unsigned binary")
|
||||
if not row.get("Description") and not row.get("Company"):
|
||||
reasons.append("Missing metadata")
|
||||
path = row.get("Image Path", "").lower()
|
||||
for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
|
||||
if sp in path:
|
||||
reasons.append(f"Suspicious path")
|
||||
launch = row.get("Launch String", "").lower()
|
||||
for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
|
||||
if kw in launch:
|
||||
reasons.append(f"LOLBin: {kw}")
|
||||
if reasons:
|
||||
row["reasons"] = reasons
|
||||
suspicious.append(row)
|
||||
return suspicious
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) > 1:
|
||||
results = parse_and_flag(sys.argv[1])
|
||||
print(f"[!] {len(results)} suspicious entries")
|
||||
for r in results:
|
||||
print(f" {r.get('Entry','')} - {r.get('Image Path','')}")
|
||||
for reason in r.get('reasons', []):
|
||||
print(f" - {reason}")
|
||||
```
|
||||
|
||||
## Validation Criteria
|
||||
|
||||
- All ASEP categories scanned and cataloged
|
||||
- Unsigned entries flagged for investigation
|
||||
- Suspicious paths and LOLBin launch strings highlighted
|
||||
- Baseline comparison identifies new persistence mechanisms
|
||||
|
||||
## References
|
||||
|
||||
- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
|
||||
- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
|
||||
- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
|
||||
- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
|
||||
import json
|
||||
import csv
|
||||
import os
|
||||
import re
|
||||
import logging
|
||||
import argparse
|
||||
|
||||
@@ -1,26 +1,19 @@
|
||||
---
|
||||
name: analyzing-malware-sandbox-evasion-techniques
|
||||
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
|
||||
detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
|
||||
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags:
|
||||
- sandbox-evasion
|
||||
- malware-analysis
|
||||
- cuckoo
|
||||
- anyrun
|
||||
- mitre-attack
|
||||
- virtualization-detection
|
||||
- behavioral-analysis
|
||||
version: '1.0'
|
||||
- sandbox-evasion
|
||||
- malware-analysis
|
||||
- cuckoo
|
||||
- anyrun
|
||||
- mitre-attack
|
||||
- virtualization-detection
|
||||
- behavioral-analysis
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
d3fend_techniques:
|
||||
- Platform Hardening
|
||||
- Restore Object
|
||||
- Process Analysis
|
||||
- System Call Filtering
|
||||
- Restore Software
|
||||
---
|
||||
|
||||
# Analyzing Malware Sandbox Evasion Techniques
|
||||
@@ -29,14 +22,6 @@ d3fend_techniques:
|
||||
|
||||
Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing malware sandbox evasion techniques
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
import json
|
||||
import argparse
|
||||
from datetime import datetime
|
||||
from collections import defaultdict
|
||||
|
||||
TIMING_APIS = {
|
||||
"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
|
||||
|
||||
@@ -9,7 +9,6 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
|
||||
mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -1,18 +1,19 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Memory forensics agent using Volatility 3 for malware detection in RAM dumps."""
|
||||
|
||||
import shlex
|
||||
import subprocess
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import csv
|
||||
import re
|
||||
import io
|
||||
|
||||
|
||||
def run_vol3(memory_dump, plugin, extra_args=""):
|
||||
"""Execute a Volatility 3 plugin and return output."""
|
||||
cmd = ["vol3", "-f", memory_dump, plugin]
|
||||
if extra_args:
|
||||
cmd.extend(shlex.split(extra_args))
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
|
||||
cmd = f"vol3 -f {memory_dump} {plugin} {extra_args}"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=300)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
|
||||
@@ -15,21 +15,6 @@ license: Apache-2.0
|
||||
|
||||
# Analyzing Memory Forensics with LiME and Volatility
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing memory forensics with lime and volatility
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with security operations concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
Acquire Linux memory using LiME kernel module, then analyze with Volatility 3
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Agent for Linux memory forensics using LiME acquisition and Volatility 3."""
|
||||
|
||||
import os
|
||||
import json
|
||||
import subprocess
|
||||
import argparse
|
||||
@@ -11,13 +12,13 @@ from pathlib import Path
|
||||
def acquire_memory_lime(output_path, lime_format="lime"):
|
||||
"""Acquire memory using LiME kernel module."""
|
||||
kernel_version = subprocess.run(
|
||||
["uname", "-r"], capture_output=True, text=True, timeout=120
|
||||
["uname", "-r"], capture_output=True, text=True
|
||||
).stdout.strip()
|
||||
lime_module = f"lime-{kernel_version}.ko"
|
||||
if not Path(lime_module).exists():
|
||||
lime_module = "lime.ko"
|
||||
cmd = ["insmod", lime_module, f"path={output_path}", f"format={lime_format}"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True)
|
||||
return {
|
||||
"status": "success" if result.returncode == 0 else "failed",
|
||||
"output_path": output_path,
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
The NTFS Master File Table ($MFT) is the central metadata repository for every file and directory on an NTFS volume. Each file is represented by at least one 1024-byte MFT record containing attributes such as $STANDARD_INFORMATION (timestamps, permissions), $FILE_NAME (name, parent directory, timestamps), and $DATA (file content or cluster run pointers). When a file is deleted, its MFT record is marked as inactive (InUse flag cleared) but the metadata remains until the entry is reallocated by a new file. This persistence makes MFT analysis a primary technique for recovering deleted file evidence, reconstructing file system timelines, and detecting anti-forensic activity such as timestomping.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing mft for deleted file recovery
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Forensic disk image (E01, raw/dd, VMDK, or VHDX format)
|
||||
@@ -194,46 +186,3 @@ vssadmin list shadows
|
||||
- MFT Slack Space Forensic Value: https://www.sygnia.co/blog/the-forensic-value-of-mft-slack-space/
|
||||
- MFTECmd Documentation: https://ericzimmerman.github.io/
|
||||
- SANS FOR500: Windows Forensic Analysis
|
||||
|
||||
## Example Output
|
||||
|
||||
```text
|
||||
$ MFTECmd.exe -f "C:\Evidence\$MFT" --csv /analysis/mft_output
|
||||
|
||||
MFTECmd v1.2.2 - MFT Parser
|
||||
==============================
|
||||
Input: C:\Evidence\$MFT (Size: 384 MB)
|
||||
Total MFT Entries: 395,264
|
||||
|
||||
Parsing MFT entries... Done (12.4 seconds)
|
||||
|
||||
--- Deleted File Recovery Summary ---
|
||||
Total Entries: 395,264
|
||||
Active Files: 245,832
|
||||
Deleted Files: 149,432
|
||||
Recoverable: 87,234 (resident data or clusters not reallocated)
|
||||
Partially Recoverable: 31,456 (some clusters overwritten)
|
||||
Unrecoverable: 30,742 (all clusters reallocated)
|
||||
|
||||
--- Recently Deleted Files (Incident Window: 2024-01-15 to 2024-01-18) ---
|
||||
MFT Entry | Filename | Path | Size | Deleted (UTC) | Recoverable
|
||||
----------|-----------------------------------|------------------------------------|-----------|-----------------------|------------
|
||||
148923 | exfil_tool.exe | C:\ProgramData\Updates\ | 1,258,496 | 2024-01-17 02:45:12 | YES
|
||||
148924 | exfil_tool.log | C:\ProgramData\Updates\ | 45,312 | 2024-01-17 02:45:14 | YES
|
||||
149001 | passwords.txt | C:\Users\jsmith\Desktop\ | 2,048 | 2024-01-17 02:50:33 | YES
|
||||
149150 | scan_results.csv | C:\Users\jsmith\AppData\Local\Temp | 892,416 | 2024-01-17 03:00:01 | PARTIAL
|
||||
149200 | mimikatz.exe | C:\Windows\Temp\ | 1,250,816 | 2024-01-18 01:15:22 | YES
|
||||
149201 | sekurlsa.log | C:\Windows\Temp\ | 32,768 | 2024-01-18 01:15:25 | YES
|
||||
149302 | .bash_history | C:\Users\jsmith\ | 4,096 | 2024-01-18 03:00:00 | NO
|
||||
149400 | ClearEventLogs.ps1 | C:\Windows\Temp\ | 1,536 | 2024-01-18 03:01:12 | YES
|
||||
|
||||
--- $STANDARD_INFORMATION vs $FILE_NAME Timestamp Analysis (Timestomping Detection) ---
|
||||
MFT Entry | Filename | $SI Created | $FN Created | Delta | Verdict
|
||||
----------|---------------------|----------------------|----------------------|-----------|----------
|
||||
148923 | exfil_tool.exe | 2023-06-15 10:00:00 | 2024-01-15 14:34:02 | -214 days | TIMESTOMPED
|
||||
149200 | mimikatz.exe | 2022-01-01 00:00:00 | 2024-01-16 02:30:15 | -745 days | TIMESTOMPED
|
||||
|
||||
Recovered files exported to: /analysis/mft_output/recovered/
|
||||
Full CSV report: /analysis/mft_output/mft_analysis.csv (395,264 rows)
|
||||
Timeline CSV: /analysis/mft_output/mft_timeline.csv
|
||||
```
|
||||
|
||||
@@ -1,26 +1,12 @@
|
||||
---
|
||||
name: analyzing-network-covert-channels-in-malware
|
||||
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
|
||||
steganographic HTTP, and protocol abuse for C2 and data exfiltration.
|
||||
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags:
|
||||
- covert-channels
|
||||
- dns-tunneling
|
||||
- icmp-exfiltration
|
||||
- malware-analysis
|
||||
- network-forensics
|
||||
- c2-detection
|
||||
- data-exfiltration
|
||||
version: '1.0'
|
||||
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
d3fend_techniques:
|
||||
- File Metadata Consistency Validation
|
||||
- Certificate Analysis
|
||||
- Application Protocol Command Analysis
|
||||
- Content Format Conversion
|
||||
- File Content Analysis
|
||||
---
|
||||
# Analyzing Network Covert Channels in Malware
|
||||
|
||||
@@ -28,14 +14,6 @@ d3fend_techniques:
|
||||
|
||||
Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing network covert channels in malware
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.9+ with `scapy`, `dpkt`, `dnslib`
|
||||
@@ -44,7 +22,7 @@ Malware uses covert channels to disguise C2 communication and data exfiltration
|
||||
- DNS query logging infrastructure
|
||||
- Understanding of DNS, ICMP, HTTP protocols at packet level
|
||||
|
||||
## Workflow
|
||||
## Practical Steps
|
||||
|
||||
### Step 1: DNS Tunneling Detection
|
||||
|
||||
|
||||
@@ -9,10 +9,11 @@ import os
|
||||
import sys
|
||||
import json
|
||||
import math
|
||||
import hashlib
|
||||
from collections import Counter, defaultdict
|
||||
|
||||
try:
|
||||
from scapy.all import rdpcap, DNS, DNSQR, ICMP, IP, TCP, Raw
|
||||
from scapy.all import rdpcap, DNS, DNSQR, DNSRR, ICMP, IP, TCP, UDP, Raw
|
||||
HAS_SCAPY = True
|
||||
except ImportError:
|
||||
HAS_SCAPY = False
|
||||
|
||||
@@ -13,24 +13,6 @@ author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
|
||||
# Analyzing Network Flow Data with Netflow
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing network flow data with netflow
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with network security concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
|
||||
## Instructions
|
||||
|
||||
1. Install dependencies: `pip install netflow`
|
||||
|
||||
@@ -21,14 +21,6 @@ license: Apache-2.0
|
||||
|
||||
Scapy is a Python packet manipulation library that enables crafting, sending, sniffing, and dissecting network packets at granular protocol layers. This skill covers using Scapy for security-relevant tasks including TCP/UDP/ICMP packet crafting, pcap file analysis, protocol field extraction, SYN scan implementation, DNS query analysis, and detecting anomalous traffic patterns such as unusually fragmented packets or malformed headers.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing network packets with scapy
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Python 3.8+ with `scapy` library installed (`pip install scapy`)
|
||||
|
||||
@@ -7,7 +7,7 @@ import argparse
|
||||
from collections import defaultdict, Counter
|
||||
from datetime import datetime
|
||||
|
||||
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP
|
||||
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP, Raw
|
||||
|
||||
|
||||
def load_pcap(filepath):
|
||||
|
||||
@@ -10,7 +10,6 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
|
||||
mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -6,10 +6,10 @@ import os
|
||||
import sys
|
||||
import json
|
||||
import statistics
|
||||
from collections import defaultdict
|
||||
from collections import defaultdict, Counter
|
||||
|
||||
try:
|
||||
from scapy.all import rdpcap, IP, TCP, DNS
|
||||
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw, ARP
|
||||
HAS_SCAPY = True
|
||||
except ImportError:
|
||||
HAS_SCAPY = False
|
||||
@@ -17,11 +17,9 @@ except ImportError:
|
||||
|
||||
def run_tshark(pcap_path, display_filter, fields):
|
||||
"""Run tshark with a display filter and extract specific fields."""
|
||||
cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
|
||||
for f in fields:
|
||||
cmd += ["-e", f]
|
||||
cmd += ["-E", "separator=|"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
field_args = " ".join(f"-e {f}" for f in fields)
|
||||
cmd = f'tshark -r {pcap_path} -Y "{display_filter}" -T fields {field_args} -E separator="|"'
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
|
||||
rows = []
|
||||
if result.returncode == 0:
|
||||
for line in result.stdout.strip().splitlines():
|
||||
@@ -33,8 +31,8 @@ def run_tshark(pcap_path, display_filter, fields):
|
||||
|
||||
def get_pcap_summary(pcap_path):
|
||||
"""Get high-level PCAP statistics."""
|
||||
cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
|
||||
cmd = f"tshark -r {pcap_path} -q -z conv,ip"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
|
||||
return result.stdout if result.returncode == 0 else ""
|
||||
|
||||
|
||||
@@ -59,8 +57,8 @@ def detect_lateral_movement(pcap_path):
|
||||
|
||||
def detect_data_exfiltration(pcap_path, threshold_mb=10):
|
||||
"""Detect potential data exfiltration based on outbound data volume."""
|
||||
cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
|
||||
cmd = f'tshark -r {pcap_path} -q -z conv,ip'
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
|
||||
suspects = []
|
||||
if result.returncode == 0:
|
||||
for line in result.stdout.splitlines():
|
||||
@@ -122,13 +120,10 @@ def extract_dns_queries(pcap_path):
|
||||
|
||||
def detect_ids_alerts(pcap_path):
|
||||
"""Run Suricata on the PCAP and extract alerts."""
|
||||
import tempfile
|
||||
suricata_output = os.environ.get("SURICATA_OUTPUT_DIR", os.path.join(tempfile.gettempdir(), "suricata_output"))
|
||||
os.makedirs(suricata_output, exist_ok=True)
|
||||
cmd = ["suricata", "-r", pcap_path, "-l", suricata_output, "-k", "none"]
|
||||
subprocess.run(cmd, capture_output=True, timeout=120)
|
||||
cmd = f"suricata -r {pcap_path} -l /tmp/suricata_output -k none 2>/dev/null"
|
||||
subprocess.run(cmd, shell=True, timeout=120)
|
||||
alerts = []
|
||||
alert_file = os.path.join(suricata_output, "fast.log")
|
||||
alert_file = "/tmp/suricata_output/fast.log"
|
||||
if os.path.exists(alert_file):
|
||||
with open(alert_file, "r") as f:
|
||||
for line in f:
|
||||
@@ -139,8 +134,8 @@ def detect_ids_alerts(pcap_path):
|
||||
def extract_http_objects(pcap_path, output_dir):
|
||||
"""Extract HTTP objects (files) from the PCAP."""
|
||||
os.makedirs(output_dir, exist_ok=True)
|
||||
cmd = ["tshark", "-r", pcap_path, "--export-objects", f"http,{output_dir}"]
|
||||
subprocess.run(cmd, capture_output=True, timeout=60)
|
||||
cmd = f'tshark -r {pcap_path} --export-objects "http,{output_dir}"'
|
||||
subprocess.run(cmd, shell=True, timeout=60)
|
||||
exported = []
|
||||
if os.path.exists(output_dir):
|
||||
for f in os.listdir(output_dir):
|
||||
|
||||
@@ -3,7 +3,9 @@
|
||||
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import math
|
||||
import subprocess
|
||||
from collections import defaultdict, Counter
|
||||
|
||||
try:
|
||||
@@ -13,7 +15,7 @@ except ImportError:
|
||||
HAS_DPKT = False
|
||||
|
||||
try:
|
||||
from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
|
||||
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
|
||||
HAS_SCAPY = True
|
||||
except ImportError:
|
||||
HAS_SCAPY = False
|
||||
|
||||
@@ -2,24 +2,26 @@
|
||||
"""Wireshark/tshark packet analysis agent for network security investigations."""
|
||||
|
||||
import subprocess
|
||||
import shlex
|
||||
import os
|
||||
import sys
|
||||
import json
|
||||
import re
|
||||
from collections import defaultdict
|
||||
|
||||
|
||||
def run_tshark(pcap_path, args):
|
||||
"""Execute tshark with custom arguments."""
|
||||
cmd = ["tshark", "-r", pcap_path] + shlex.split(args)
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
cmd = f"tshark -r {pcap_path} {args}"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
|
||||
return result.stdout.strip(), result.stderr.strip(), result.returncode
|
||||
|
||||
|
||||
def capture_live(interface, output_path, duration=60, capture_filter=None):
|
||||
"""Start a live packet capture using tshark."""
|
||||
cmd = ["tshark", "-i", interface, "-w", output_path, "-a", f"duration:{duration}"]
|
||||
cmd = f"tshark -i {interface} -w {output_path} -a duration:{duration}"
|
||||
if capture_filter:
|
||||
cmd += ["-f", capture_filter]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=duration + 10)
|
||||
cmd += f' -f "{capture_filter}"'
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=duration + 10)
|
||||
return result.returncode == 0
|
||||
|
||||
|
||||
|
||||
@@ -15,14 +15,6 @@ license: Apache-2.0
|
||||
|
||||
Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify compromised account indicators.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing office365 audit logs for compromise
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Azure AD app registration with `AuditLog.Read.All`, `MailboxSettings.Read`, `Mail.Read` (application permissions)
|
||||
|
||||
@@ -1,28 +1,12 @@
|
||||
---
|
||||
name: analyzing-outlook-pst-for-email-forensics
|
||||
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
|
||||
deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
|
||||
response.
|
||||
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags:
|
||||
- email-forensics
|
||||
- pst
|
||||
- ost
|
||||
- outlook
|
||||
- mapi
|
||||
- email-headers
|
||||
- attachments
|
||||
- deleted-emails
|
||||
- libpff
|
||||
- eml-extraction
|
||||
version: '1.0'
|
||||
tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
nist_ai_rmf:
|
||||
- MANAGE-2.4
|
||||
- MANAGE-3.1
|
||||
- MEASURE-3.1
|
||||
---
|
||||
|
||||
# Analyzing Outlook PST for Email Forensics
|
||||
@@ -31,14 +15,6 @@ nist_ai_rmf:
|
||||
|
||||
Microsoft Outlook PST (Personal Storage Table) and OST (Offline Storage Table) files are critical evidence sources in digital forensics investigations. PST files store email messages, calendar events, contacts, tasks, and notes in a proprietary binary format based on the MAPI (Messaging Application Programming Interface) property system. Forensic analysis of these files enables recovery of deleted emails (from the Recoverable Items folder), extraction of email headers for tracing message routes, analysis of attachments for malware or exfiltrated data, and reconstruction of communication patterns. Modern PST files use Unicode format with 4KB pages and can grow up to 50GB, while legacy ANSI format is limited to 2GB.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When investigating security incidents that require analyzing outlook pst for email forensics
|
||||
- When building detection rules or threat hunting queries for this domain
|
||||
- When SOC analysts need structured procedures for this analysis type
|
||||
- When validating security monitoring coverage for related attack techniques
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- libpff/pffexport (open-source PST parser)
|
||||
@@ -263,86 +239,3 @@ Key headers for forensic investigation:
|
||||
- libpff Documentation: https://github.com/libyal/libpff
|
||||
- PST File Format Specification: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/
|
||||
- SANS Email Forensics: https://www.sans.org/blog/email-forensics/
|
||||
|
||||
## Example Output
|
||||
|
||||
```text
|
||||
$ pffexport /evidence/jsmith_archive.pst -t /analysis/pst_output
|
||||
|
||||
pffexport 20231205 - libpff PST/OST Export Tool
|
||||
=================================================
|
||||
Input: /evidence/jsmith_archive.pst (2.3 GB)
|
||||
|
||||
Exporting PST contents...
|
||||
Folders: 45
|
||||
Messages: 12,456
|
||||
Attachments: 3,234
|
||||
Contacts: 567
|
||||
Calendar: 234
|
||||
Tasks: 89
|
||||
|
||||
Export completed in 3m 42s.
|
||||
|
||||
$ python3 pst_analyzer.py /analysis/pst_output /analysis/email_report
|
||||
|
||||
PST Forensic Analysis Report
|
||||
==============================
|
||||
Source: jsmith_archive.pst (john.smith@corporate.com)
|
||||
Date Range: 2023-06-01 to 2024-01-18
|
||||
|
||||
--- Mailbox Statistics ---
|
||||
Total Emails: 12,456
|
||||
Sent: 4,567
|
||||
Received: 7,889
|
||||
With Attachments: 3,234
|
||||
Deleted (recovered): 234
|
||||
|
||||
--- Phishing / Suspicious Emails ---
|
||||
Email #8923
|
||||
Date: 2024-01-15 14:30:22 UTC
|
||||
From: "IT Support" <it-support@c0rporate-help.com>
|
||||
To: john.smith@corporate.com
|
||||
Subject: Urgent: Password Reset Required
|
||||
Headers:
|
||||
Return-Path: bounce@mail-relay.c0rporate-help.com
|
||||
X-Originating-IP: 203.0.113.55
|
||||
Received: from mail-relay.c0rporate-help.com (203.0.113.55)
|
||||
SPF: FAIL (domain c0rporate-help.com)
|
||||
DKIM: NONE
|
||||
DMARC: FAIL
|
||||
Attachments:
|
||||
- Password_Reset_Form.xlsm (245 KB) SHA-256: 7a3b8c9d...e1f2a3b4
|
||||
Body Preview: "Dear Employee, Your password will expire in 24 hours.
|
||||
Please open the attached form to reset your credentials..."
|
||||
|
||||
--- Data Exfiltration Indicators ---
|
||||
Email #9102
|
||||
Date: 2024-01-16 03:15:45 UTC
|
||||
From: john.smith@corporate.com
|
||||
To: j.smith.personal8842@protonmail.com
|
||||
Subject: (no subject)
|
||||
Attachments:
|
||||
- archive_part1.7z (24.5 MB) - encrypted
|
||||
- archive_part2.7z (24.5 MB) - encrypted
|
||||
|
||||
Email #9103
|
||||
Date: 2024-01-16 03:18:22 UTC
|
||||
From: john.smith@corporate.com
|
||||
To: j.smith.personal8842@protonmail.com
|
||||
Subject: Re:
|
||||
Attachments:
|
||||
- archive_part3.7z (18.2 MB) - encrypted
|
||||
|
||||
--- Keyword Hits ---
|
||||
"confidential": 45 emails
|
||||
"password": 23 emails
|
||||
"transfer": 12 emails
|
||||
"resign": 3 emails
|
||||
"delete evidence": 1 email (Email #9200, 2024-01-17 22:30:00 UTC)
|
||||
|
||||
Summary:
|
||||
Phishing emails detected: 1 (initial compromise vector)
|
||||
Suspicious sent emails: 5 (to personal accounts with attachments)
|
||||
Encrypted attachments: 3 (67.2 MB total - possible exfiltration)
|
||||
Report: /analysis/email_report/pst_forensic_report.json
|
||||
```
|
||||
|
||||
@@ -10,6 +10,8 @@ import sys
|
||||
import json
|
||||
import hashlib
|
||||
import re
|
||||
from datetime import datetime
|
||||
from collections import defaultdict
|
||||
|
||||
try:
|
||||
import pypff
|
||||
|
||||
@@ -5,6 +5,7 @@ import subprocess
|
||||
import os
|
||||
import sys
|
||||
import hashlib
|
||||
import struct
|
||||
import math
|
||||
from collections import Counter
|
||||
|
||||
@@ -128,8 +129,8 @@ def unpack_upx(filepath, output_path=None):
|
||||
if output_path is None:
|
||||
output_path = filepath + ".unpacked"
|
||||
# First try standard UPX decompression
|
||||
cmd = ["upx", "-d", "-o", output_path, filepath]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
|
||||
cmd = f"upx -d -o {output_path} {filepath}"
|
||||
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
|
||||
if result.returncode == 0:
|
||||
return True, "Standard UPX unpack succeeded", output_path
|
||||
|
||||
|
||||
@@ -5,7 +5,9 @@ import re
|
||||
import os
|
||||
import sys
|
||||
import hashlib
|
||||
import json
|
||||
import zlib
|
||||
import struct
|
||||
|
||||
|
||||
def compute_hash(filepath):
|
||||
|
||||
@@ -1,11 +1,40 @@
|
||||
---
|
||||
{}
|
||||
---tags:
|
||||
- linux-persistence
|
||||
- crontab
|
||||
- systemd
|
||||
- ld-preload
|
||||
- auditd
|
||||
- threat-hunting
|
||||
- incident-response
|
||||
version: '1.0'
|
||||
name: analyzing-persistence-mechanisms-in-linux
|
||||
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
|
||||
domain: cybersecurity
|
||||
subdomain: threat-hunting
|
||||
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Analyzing Persistence Mechanisms in Linux
|
||||
|
||||
## Overview
|
||||
|
||||
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Root or sudo access on target Linux system (or forensic image)
|
||||
- auditd configured with file watch rules on persistence paths
|
||||
- Python 3.8+ with standard library (os, subprocess, json)
|
||||
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
|
||||
|
||||
## Steps
|
||||
|
||||
1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
|
||||
2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
|
||||
3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
|
||||
4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
|
||||
5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
|
||||
6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
|
||||
7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
|
||||
|
||||
## Expected Output
|
||||
|
||||
- JSON report of all persistence mechanisms found with risk scores
|
||||
- Timeline of persistence installation from auditd correlation
|
||||
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
|
||||
- Remediation commands for each detected persistence mechanism
|
||||
|
||||
@@ -44,8 +44,7 @@ def scan_crontabs():
|
||||
findings.extend(_scan_cron_file(full_path))
|
||||
user_crontabs = subprocess.run(
|
||||
["bash", "-c", "for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u $u 2>/dev/null && echo \"__USER:$u\"; done"],
|
||||
capture_output=True, text=True,
|
||||
timeout=120,
|
||||
capture_output=True, text=True
|
||||
)
|
||||
if user_crontabs.returncode == 0:
|
||||
current_user = None
|
||||
@@ -113,8 +112,7 @@ def scan_systemd_units():
|
||||
if re.search(pattern, ex, re.IGNORECASE):
|
||||
risk = "critical"
|
||||
dpkg_check = subprocess.run(
|
||||
["dpkg", "-S", unit_file], capture_output=True, text=True,
|
||||
timeout=120,
|
||||
["dpkg", "-S", unit_file], capture_output=True, text=True
|
||||
)
|
||||
package_managed = dpkg_check.returncode == 0
|
||||
if not package_managed:
|
||||
@@ -143,7 +141,7 @@ def scan_ld_preload():
|
||||
"libraries": content.splitlines(), "risk": "critical",
|
||||
"mitre": "T1574.006",
|
||||
})
|
||||
env_check = subprocess.run(["env"], capture_output=True, text=True, timeout=120)
|
||||
env_check = subprocess.run(["env"], capture_output=True, text=True)
|
||||
for line in env_check.stdout.splitlines():
|
||||
if line.startswith("LD_PRELOAD="):
|
||||
findings.append({
|
||||
@@ -176,7 +174,7 @@ def scan_shell_profiles():
|
||||
continue
|
||||
etc_profiles = glob.glob("/etc/profile.d/*.sh")
|
||||
for filepath in etc_profiles:
|
||||
dpkg = subprocess.run(["dpkg", "-S", filepath], capture_output=True, text=True, timeout=120)
|
||||
dpkg = subprocess.run(["dpkg", "-S", filepath], capture_output=True, text=True)
|
||||
if dpkg.returncode != 0:
|
||||
findings.append({
|
||||
"type": "etc_profile_d", "path": filepath,
|
||||
|
||||
@@ -0,0 +1,78 @@
|
||||
---
|
||||
name: analyzing-phishing-email-headers
|
||||
description: Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attemp
|
||||
domain: cybersecurity
|
||||
subdomain: phishing-defense
|
||||
tags: [phishing, email-security, social-engineering, dmarc, awareness, header-analysis, forensics]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
# Analyzing Phishing Email Headers
|
||||
|
||||
## Overview
|
||||
Email headers contain critical metadata that reveals the true origin, routing path, and authentication status of emails. Analyzing these headers is a foundational skill for identifying phishing attempts, verifying sender authenticity, and gathering threat intelligence. This skill covers systematic extraction and interpretation of email headers using both manual techniques and automated tools.
|
||||
|
||||
## Prerequisites
|
||||
- Basic understanding of SMTP protocol and email delivery
|
||||
- Familiarity with DNS records (MX, TXT, SPF, DKIM, DMARC)
|
||||
- Python 3.8+ installed
|
||||
- Access to email client that can export raw headers (Outlook, Gmail, Thunderbird)
|
||||
|
||||
## Key Concepts
|
||||
|
||||
### Critical Header Fields
|
||||
1. **Received**: Chain of mail servers the message passed through (read bottom to top)
|
||||
2. **From / Return-Path / Reply-To**: Sender identity fields (often spoofed)
|
||||
3. **Authentication-Results**: SPF, DKIM, DMARC verification outcomes
|
||||
4. **X-Originating-IP**: Original sender IP address
|
||||
5. **Message-ID**: Unique identifier; anomalies indicate spoofing
|
||||
6. **X-Mailer / User-Agent**: Email client used to compose the message
|
||||
|
||||
### Red Flags in Headers
|
||||
- Mismatched `From` and `Return-Path` domains
|
||||
- SPF/DKIM/DMARC failures in `Authentication-Results`
|
||||
- Suspicious `Received` chains with unfamiliar relay servers
|
||||
- `X-Originating-IP` from unexpected geographies
|
||||
- Missing or malformed `Message-ID`
|
||||
- Unusual `X-Mailer` values (e.g., mass-mailing tools)
|
||||
|
||||
## Implementation Steps
|
||||
|
||||
### Step 1: Extract Raw Email Headers
|
||||
```
|
||||
Gmail: Open email -> Three dots -> "Show original"
|
||||
Outlook: Open email -> File -> Properties -> Internet Headers
|
||||
Thunderbird: View -> Message Source (Ctrl+U)
|
||||
```
|
||||
|
||||
### Step 2: Parse Headers with Python
|
||||
Use the `scripts/process.py` script to automate header analysis including IP geolocation, authentication validation, and anomaly detection.
|
||||
|
||||
### Step 3: Validate Authentication Chain
|
||||
- Check SPF alignment: Does the sending IP match the domain's SPF record?
|
||||
- Check DKIM signature: Is the cryptographic signature valid?
|
||||
- Check DMARC policy: Does the message pass DMARC alignment?
|
||||
|
||||
### Step 4: Trace Mail Route
|
||||
- Read `Received` headers from bottom to top
|
||||
- Map each hop's IP to organization/location
|
||||
- Identify unexpected relays or delays
|
||||
|
||||
### Step 5: Correlate with Threat Intelligence
|
||||
- Look up originating IP on AbuseIPDB, VirusTotal
|
||||
- Check sending domain age on WHOIS
|
||||
- Search for known phishing infrastructure patterns
|
||||
|
||||
## Tools & Resources
|
||||
- **MXToolbox Header Analyzer**: https://mxtoolbox.com/EmailHeaders.aspx
|
||||
- **Google Admin Toolbox**: https://toolbox.googleapps.com/apps/messageheader/
|
||||
- **AbuseIPDB**: https://www.abuseipdb.com/
|
||||
- **VirusTotal**: https://www.virustotal.com/
|
||||
- **PhishTank**: https://phishtank.org/
|
||||
|
||||
## Validation
|
||||
- Successfully parse headers from 3 different email providers
|
||||
- Correctly identify authentication pass/fail status
|
||||
- Accurately trace email routing path
|
||||
- Detect at least 3 phishing indicators in a sample phishing email
|
||||
@@ -0,0 +1,86 @@
|
||||
# Phishing Email Header Analysis Report Template
|
||||
|
||||
## Report Information
|
||||
- **Analyst**: [Name]
|
||||
- **Date**: [YYYY-MM-DD]
|
||||
- **Case ID**: [CASE-XXXX]
|
||||
- **Classification**: [Phishing / Spear-phishing / BEC / Legitimate]
|
||||
|
||||
## Email Summary
|
||||
| Field | Value |
|
||||
|---|---|
|
||||
| From | |
|
||||
| To | |
|
||||
| Subject | |
|
||||
| Date Received | |
|
||||
| Message-ID | |
|
||||
|
||||
## Authentication Results
|
||||
| Check | Result | Domain | Notes |
|
||||
|---|---|---|---|
|
||||
| SPF | pass/fail/none | | |
|
||||
| DKIM | pass/fail/none | | |
|
||||
| DMARC | pass/fail/none | | |
|
||||
|
||||
## Sender Analysis
|
||||
| Field | Value | Match From? |
|
||||
|---|---|---|
|
||||
| From (header) | | N/A |
|
||||
| Return-Path (envelope) | | Yes/No |
|
||||
| Reply-To | | Yes/No |
|
||||
| X-Originating-IP | | |
|
||||
| X-Mailer | | |
|
||||
|
||||
## Routing Analysis
|
||||
| Hop | Server From | Server By | IP | Location | Time |
|
||||
|---|---|---|---|---|---|
|
||||
| 1 | | | | | |
|
||||
| 2 | | | | | |
|
||||
| 3 | | | | | |
|
||||
|
||||
## Indicators of Compromise (IOCs)
|
||||
### IP Addresses
|
||||
| IP | Source | Reputation | Location |
|
||||
|---|---|---|---|
|
||||
| | | | |
|
||||
|
||||
### Domains
|
||||
| Domain | Source | Age | Reputation |
|
||||
|---|---|---|---|
|
||||
| | | | |
|
||||
|
||||
### URLs
|
||||
| URL | Context | Status |
|
||||
|---|---|---|
|
||||
| | | |
|
||||
|
||||
## Phishing Indicators Found
|
||||
| # | Category | Description | Severity |
|
||||
|---|---|---|---|
|
||||
| 1 | | | |
|
||||
| 2 | | | |
|
||||
| 3 | | | |
|
||||
|
||||
## Risk Assessment
|
||||
- **Risk Score**: [0-100]
|
||||
- **Risk Level**: [CLEAN / LOW / MEDIUM / HIGH / CRITICAL]
|
||||
- **Confidence**: [Low / Medium / High]
|
||||
|
||||
## Recommended Actions
|
||||
- [ ] Block sender domain at email gateway
|
||||
- [ ] Add originating IP to blocklist
|
||||
- [ ] Submit IOCs to threat intelligence platform
|
||||
- [ ] Notify affected users
|
||||
- [ ] Check for similar messages in mail logs
|
||||
- [ ] Update email filtering rules
|
||||
- [ ] Report to anti-phishing databases (PhishTank, APWG)
|
||||
|
||||
## Evidence Chain
|
||||
| Item | Hash (SHA-256) | Description |
|
||||
|---|---|---|
|
||||
| Original .eml | | Raw email file |
|
||||
| Headers export | | Extracted headers |
|
||||
| Screenshots | | Visual evidence |
|
||||
|
||||
## Notes
|
||||
[Additional observations, context, or analysis notes]
|
||||
@@ -0,0 +1,90 @@
|
||||
# API Reference: Phishing Email Header Analysis
|
||||
|
||||
## Python email Module
|
||||
|
||||
### Parsing Email Files
|
||||
```python
|
||||
import email
|
||||
with open("message.eml", "r") as f:
|
||||
msg = email.message_from_string(f.read())
|
||||
|
||||
print(msg["From"])
|
||||
print(msg["Subject"])
|
||||
print(msg.get_all("Received"))
|
||||
print(msg["Authentication-Results"])
|
||||
```
|
||||
|
||||
### Extracting Body
|
||||
```python
|
||||
if msg.is_multipart():
|
||||
for part in msg.walk():
|
||||
if part.get_content_type() == "text/html":
|
||||
body = part.get_payload(decode=True).decode()
|
||||
```
|
||||
|
||||
## Key Email Headers for Forensics
|
||||
|
||||
| Header | Purpose |
|
||||
|--------|---------|
|
||||
| `Received` | Mail server routing chain (bottom = origin) |
|
||||
| `From` | Claimed sender (can be spoofed) |
|
||||
| `Return-Path` | Envelope sender for bounces |
|
||||
| `Reply-To` | Where replies go (phishing: often different from From) |
|
||||
| `Authentication-Results` | SPF/DKIM/DMARC verdicts |
|
||||
| `Received-SPF` | SPF check result |
|
||||
| `DKIM-Signature` | DKIM cryptographic signature |
|
||||
| `X-Mailer` | Sending software |
|
||||
| `Message-ID` | Unique message identifier |
|
||||
| `X-Originating-IP` | Original sender IP |
|
||||
|
||||
## Authentication Checks
|
||||
|
||||
### SPF Status Values
|
||||
| Value | Meaning |
|
||||
|-------|---------|
|
||||
| `pass` | Sender IP authorized |
|
||||
| `fail` | Sender IP not authorized |
|
||||
| `softfail` | Not authorized but not rejected |
|
||||
| `neutral` | No SPF policy for domain |
|
||||
| `none` | No SPF record exists |
|
||||
|
||||
### DKIM Verification
|
||||
```bash
|
||||
opendkim-testmsg < message.eml
|
||||
# Or in Authentication-Results: dkim=pass header.d=example.com
|
||||
```
|
||||
|
||||
### DMARC Policy Check
|
||||
```bash
|
||||
dig _dmarc.example.com TXT
|
||||
# v=DMARC1; p=reject; rua=mailto:dmarc@example.com
|
||||
```
|
||||
|
||||
## Phishing Detection Indicators
|
||||
|
||||
| Indicator | Severity | Description |
|
||||
|-----------|----------|-------------|
|
||||
| SPF fail | HIGH | Sender IP not in domain's SPF record |
|
||||
| Reply-To mismatch | HIGH | Reply-To different from From address |
|
||||
| Email in display name | HIGH | Display name contains email address |
|
||||
| IP-based URL | HIGH | Links point to raw IP addresses |
|
||||
| Urgency keywords | MEDIUM | Subject contains "urgent", "action required" |
|
||||
| URL shortener | MEDIUM | Links use bit.ly, tinyurl, etc. |
|
||||
| New domain | MEDIUM | Sending domain registered recently |
|
||||
| PHPMailer X-Mailer | MEDIUM | Bulk mailer software |
|
||||
|
||||
## msgconvert (Perl)
|
||||
|
||||
### Convert MSG to EML
|
||||
```bash
|
||||
msgconvert message.msg # Outputs message.eml
|
||||
msgconvert --outfile out.eml msg.msg # Specify output
|
||||
```
|
||||
|
||||
## emlAnalyzer (Python)
|
||||
|
||||
### Installation and Usage
|
||||
```bash
|
||||
pip install eml-analyzer
|
||||
emlAnalyzer -i message.eml --header --html --attachments
|
||||
```
|
||||
@@ -0,0 +1,42 @@
|
||||
# Standards & References: Analyzing Phishing Email Headers
|
||||
|
||||
## RFC Standards
|
||||
- **RFC 5321 (SMTP)**: Simple Mail Transfer Protocol - defines how email is transmitted and the structure of Received headers
|
||||
- **RFC 5322 (Internet Message Format)**: Defines the syntax of email header fields including From, To, Date, Message-ID
|
||||
- **RFC 7208 (SPF)**: Sender Policy Framework - mechanism for validating email sender IP against domain policy
|
||||
- **RFC 6376 (DKIM)**: DomainKeys Identified Mail - cryptographic authentication of email messages
|
||||
- **RFC 7489 (DMARC)**: Domain-based Message Authentication, Reporting and Conformance
|
||||
- **RFC 8601 (Authentication-Results)**: Message Header Field for Indicating Message Authentication Status
|
||||
|
||||
## NIST Guidelines
|
||||
- **NIST SP 800-177 Rev.1**: Trustworthy Email - comprehensive guide to email security including header authentication
|
||||
- **NIST SP 800-45 Ver.2**: Guidelines on Electronic Mail Security
|
||||
|
||||
## MITRE ATT&CK References
|
||||
- **T1566.001**: Phishing: Spearphishing Attachment
|
||||
- **T1566.002**: Phishing: Spearphishing Link
|
||||
- **T1566.003**: Phishing: Spearphishing via Service
|
||||
- **T1534**: Internal Spearphishing
|
||||
|
||||
## Industry Standards
|
||||
- **M3AAWG Best Practices**: Messaging, Malware and Mobile Anti-Abuse Working Group email authentication recommendations
|
||||
- **DMARC.org**: Industry consortium for DMARC deployment guidance
|
||||
- **Anti-Phishing Working Group (APWG)**: Phishing Activity Trends Reports
|
||||
|
||||
## Key Header Fields Reference
|
||||
|
||||
| Header Field | RFC | Purpose |
|
||||
|---|---|---|
|
||||
| Received | RFC 5321 | Records each SMTP hop |
|
||||
| From | RFC 5322 | Display sender address |
|
||||
| Return-Path | RFC 5321 | Envelope sender (bounce address) |
|
||||
| Authentication-Results | RFC 8601 | SPF/DKIM/DMARC results |
|
||||
| DKIM-Signature | RFC 6376 | Cryptographic signature |
|
||||
| Message-ID | RFC 5322 | Unique message identifier |
|
||||
| X-Originating-IP | Non-standard | Sender's IP (provider-specific) |
|
||||
| X-Mailer | Non-standard | Email client identification |
|
||||
|
||||
## Compliance Frameworks
|
||||
- **PCI DSS 4.0**: Requirement 5 - Protect All Systems and Networks from Malicious Software
|
||||
- **ISO 27001:2022**: A.8.23 - Web filtering; A.5.14 - Information transfer
|
||||
- **SOC 2**: CC6.1 - Logical and Physical Access Controls
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user