mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-10 21:24:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.5 KiB
# Compromised Cloud Credentials Detection API Reference

## GuardDuty Credential Findings

| Finding Type | Description |
|---|---|
| `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS` | EC2 instance role credentials used from an IP address outside AWS |
| `UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B` | Multiple successful console logins for one user from different locations within a short time |
| `UnauthorizedAccess:IAMUser/MaliciousIPCaller` | API calls from an IP address on a known threat list |
| `Discovery:IAMUser/AnomalousBehavior` | Reconnaissance API calls that are unusual for this principal |
| `Persistence:IAMUser/AnomalousBehavior` | Unusual calls that can establish persistence (new users, keys, policies) |
| `InitialAccess:IAMUser/AnomalousBehavior` | Unusual initial-access API activity for this principal |

`InstanceCredentialExfiltration` also has an `.InsideAWS` variant (instance credentials used from another AWS account's address space). Treat either as credential theft: take the access key id from the finding's resource section and pivot to the CloudTrail lookup by access key below.
## CloudTrail - Credential Abuse Investigation

```bash
# Lookup events by access key. lookup-events returns only the last 90 days of
# management events for one region, so repeat it with --region for every
# region the account uses (or use the Athena table below for longer history).
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAXXXXXXXXXXXXXXXX \
  --start-time 2024-01-01T00:00:00Z --end-time 2024-01-02T00:00:00Z
# Lookup by username
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user
```

```sql
-- Athena query for deep investigation (table built from the trail's S3 bucket).
-- Add the table's partition columns (e.g. region/year/month/day) to the WHERE
-- clause so the scan stays bounded; useragent separates SDK/CLI use from the console.
SELECT eventtime, eventsource, eventname, sourceipaddress, useragent,
       useridentity.arn, errorcode
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAXXXXXXXXXXXXXXXX'
  AND eventtime > '2024-01-01'
ORDER BY eventtime DESC
```
## IAM Credential Remediation

```bash
# List all access keys for the user first, so every key id is known
aws iam list-access-keys --user-name user
# Deactivate the compromised key (reversible; do this before deleting)
aws iam update-access-key --access-key-id AKIAXXXX --user-name user --status Inactive
# Revoke temporary credentials: inline Deny for any session token issued before
# the cutoff. aws:TokenIssueTime is present only for STS/temporary credentials,
# so this Deny never matches a long-term access key (deactivate those as above).
# It also cuts off legitimate sessions older than the cutoff, which must
# re-authenticate. For a role, use put-role-policy with the same document.
aws iam put-user-policy --user-name user --policy-name RevokeOldSessions \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"DateLessThan":{"aws:TokenIssueTime":"2024-01-15T00:00:00Z"}}}]}'
# Delete the key once the investigation confirms nothing legitimate depends on it
aws iam delete-access-key --access-key-id AKIAXXXX --user-name user
```
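The session-revocation step above is easy to misread as "all credentials for this user are now dead". The following added example (editor's code, not part of the skill's scripts) generates the same `RevokeOldSessions` document and simulates how IAM evaluates its `DateLessThan` condition against a constructed set of credentials. The credential names, key id and timestamps are assumptions made up for the illustration; the evaluation rule it models is IAM's documented one: a condition key absent from the request context makes the condition false.

```python
# Added example: generate the RevokeOldSessions policy from the page and
# simulate IAM's evaluation of its aws:TokenIssueTime condition, to show which
# credentials it actually blocks. Stdlib only; the credential set is constructed.
import json
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"          # policy timestamps are always UTC
CUTOFF = datetime(2024, 1, 15, tzinfo=timezone.utc)   # assumed cutoff, as on the page


def revoke_policy(cutoff):
    """Same document the page passes to put-user-policy: deny everything to
    temporary credentials whose token was issued before `cutoff`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(TS_FMT)}},
    }]}


def policy_document_arg(cutoff):
    """Compact string form suitable for the CLI's --policy-document argument."""
    return json.dumps(revoke_policy(cutoff), separators=(",", ":"))


def condition_matches(condition, context):
    """DateLessThan semantics: every listed key must be present in the request
    context and earlier than its limit. A missing key makes the condition
    false, which is why a long-term access key (its requests carry no
    aws:TokenIssueTime) is never matched by this Deny."""
    for operator, pairs in condition.items():
        if operator != "DateLessThan":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, limit in pairs.items():
            value = context.get(key)
            limit_ts = datetime.strptime(limit, TS_FMT).replace(tzinfo=timezone.utc)
            if value is None or not value < limit_ts:
                return False
    return True


def explicit_deny(policy, context):
    """True if any Deny statement's condition matches the request context."""
    return any(s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), context)
               for s in policy["Statement"])


# Constructed credentials belonging to the same IAM user. None marks a
# long-term access key, whose requests carry no aws:TokenIssueTime at all.
SAMPLE_CREDENTIALS = {
    "STS session issued 2024-01-14T22:00Z": datetime(2024, 1, 14, 22, tzinfo=timezone.utc),
    "STS session issued 2024-01-15T01:00Z": datetime(2024, 1, 15, 1, tzinfo=timezone.utc),
    "long-term key AKIAEXAMPLE000000001": None,
}


def classify(policy, credentials):
    """Map each credential to 'denied' or 'still usable' under the policy."""
    verdicts = {}
    for name, issued in credentials.items():
        context = {} if issued is None else {"aws:TokenIssueTime": issued}
        verdicts[name] = "denied" if explicit_deny(policy, context) else "still usable"
    return verdicts


if __name__ == "__main__":
    print(policy_document_arg(CUTOFF))
    for name, verdict in classify(revoke_policy(CUTOFF), SAMPLE_CREDENTIALS).items():
        print(f"{verdict:13} {name}")
```

Only the session issued before the cutoff is denied; the newer session and the long-term key both stay usable, which is why `update-access-key --status Inactive` must accompany the policy rather than being replaced by it.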
## Reconnaissance API Calls to Monitor

```
GetCallerIdentity, ListBuckets, DescribeInstances,
ListUsers, ListRoles, ListAccessKeys, DescribeRegions,
GetAccountAuthorizationDetails, ListFunctions,
DescribeDBInstances, ListSecrets
```

Each of these is routine on its own. The signal is a burst of them from one access key across several services within minutes, from a source IP or user agent that key has never used, or a run of `AccessDenied` errors as the caller probes what the key can reach.
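The Athena query above produces a per-key timeline and the list above says which calls to watch; the added example below (editor's code, not part of the skill's scripts) does both offline against exported CloudTrail records, so it runs without AWS credentials. It reproduces the query's columns and ordering in `timeline()` and flags reconnaissance bursts in `find_recon_bursts()`. The records, key ids, account id and IP addresses are constructed sample data; the burst thresholds (15 minutes, 4 calls, 3 services) are assumed starting points, not values from the page.

```python
# Added example: build a per-access-key CloudTrail timeline offline and flag
# reconnaissance bursts. Stdlib only; the records are constructed sample data.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The page's reconnaissance list. Each call is benign alone; a stolen key tends
# to fire many of them across several services within minutes.
RECON_CALLS = {
    "GetCallerIdentity", "ListBuckets", "DescribeInstances", "ListUsers",
    "ListRoles", "ListAccessKeys", "DescribeRegions",
    "GetAccountAuthorizationDetails", "ListFunctions", "DescribeDBInstances",
    "ListSecrets",
}


def _rec(time, service, name, ip, key, error=None):
    """One constructed CloudTrail record with the fields the Athena query reads."""
    rec = {"eventTime": time, "eventSource": f"{service}.amazonaws.com",
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                            "accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec


BAD, OK = "AKIAEXAMPLEBAD00001", "AKIAEXAMPLEOK000001"   # constructed key ids
SAMPLE_LOG = json.dumps({"Records": [
    # stolen key: five recon calls across five services in nine minutes, one denied
    _rec("2024-01-15T10:00:00Z", "sts", "GetCallerIdentity", "203.0.113.7", BAD),
    _rec("2024-01-15T10:01:30Z", "s3", "ListBuckets", "203.0.113.7", BAD),
    _rec("2024-01-15T10:03:00Z", "iam", "ListUsers", "203.0.113.7", BAD, "AccessDenied"),
    _rec("2024-01-15T10:05:00Z", "secretsmanager", "ListSecrets", "203.0.113.7", BAD),
    _rec("2024-01-15T10:09:00Z", "ec2", "DescribeInstances", "203.0.113.7", BAD),
    # the user's legitimate key: ordinary traffic spread over the day
    _rec("2024-01-15T09:00:00Z", "s3", "GetObject", "10.0.1.5", OK),
    _rec("2024-01-15T11:30:00Z", "ec2", "DescribeInstances", "10.0.1.5", OK),
    _rec("2024-01-15T14:00:00Z", "ec2", "DescribeInstances", "10.0.1.5", OK),
]})


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into event dicts."""
    return json.loads(text)["Records"]


def _ts(rec):
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def timeline(records, access_key):
    """Same columns and ordering as the Athena query: newest event first."""
    rows = [(r["eventTime"], r["eventSource"], r["eventName"], r["sourceIPAddress"],
             r["userIdentity"].get("arn"), r.get("errorCode"))
            for r in records if r["userIdentity"].get("accessKeyId") == access_key]
    return sorted(rows, key=lambda row: row[0], reverse=True)


def find_recon_bursts(records, window=timedelta(minutes=15), min_calls=4, min_services=3):
    """Return {access_key: summary} for keys whose recon calls inside any
    `window` reach `min_calls` events spanning at least `min_services` services."""
    by_key = defaultdict(list)
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if key and r["eventName"] in RECON_CALLS:
            by_key[key].append(r)
    hits = {}
    for key, events in by_key.items():
        events.sort(key=_ts)
        for i, first in enumerate(events):
            span = [e for e in events[i:] if _ts(e) - _ts(first) <= window]
            services = {e["eventSource"] for e in span}
            if len(span) >= min_calls and len(services) >= min_services:
                hits[key] = {
                    "first_seen": span[0]["eventTime"],
                    "calls": [e["eventName"] for e in span],
                    "services": sorted(services),
                    "source_ips": sorted({e["sourceIPAddress"] for e in span}),
                    "denied": sum(1 for e in span if "errorCode" in e),
                }
                break   # one hit per key is enough for triage
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(json.dumps(find_recon_bursts(recs), indent=2))
    for row in timeline(recs, BAD):
        print(row)
```

Feed it a real trail file and the flagged key id goes straight into the `lookup-events` and `update-access-key` commands above; the `source_ips` field is what you compare against the key's historical addresses.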
## Azure - Compromised Credential Detection

```bash
# List users flagged by Identity Protection (riskLevel, riskState, riskLastUpdatedDateTime);
# needs IdentityRiskyUser.Read.All. Append "?\$filter=riskState eq 'atRisk'" to narrow it.
# Individual risky sign-in detections are at /identityProtection/riskDetections.
az rest --method GET --url "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"
# Revoke the user's refresh tokens and session cookies (needs User.RevokeSessions.All).
# Access tokens already issued stay valid until they expire, so for a confirmed
# compromise also reset the password and block sign-in.
az rest --method POST --url "https://graph.microsoft.com/v1.0/users/{id}/revokeSignInSessions"
```