# API Reference: Memory Dump Credential Extraction Agent

## Dependencies
| Library | Version | Purpose |
|---|---|---|
| volatility3 | >=2.0 | Memory forensics framework (invoked via subprocess); needs the symbol table for the image's kernel build, which it downloads from the Microsoft symbol server on first use, so stage symbols locally before offline analysis |
| pypykatz | >=0.6 | Python Mimikatz for LSASS credential extraction |
## CLI Usage

```bash
python scripts/agent.py \
  --dump /cases/case-001/memory.raw \
  --output-dir /cases/case-001/analysis/ \
  --output credential_report.json
```
## Functions
### `verify_dump(dump_path) -> dict`

Checks that the file exists and records its size and the SHA-256 of its first 1 MB. That partial hash is a quick fingerprint for catching a wrong or truncated file, not an evidence-integrity hash: record a full-file hash separately for chain of custody.

### `run_vol3(dump_path, plugin, extra_args) -> str`

Executes a volatility3 plugin via subprocess with a 5-minute timeout and returns its stdout.

### `get_os_info(dump_path) -> dict`

Runs `windows.info` to identify the OS version and build of the memory image.

### `find_lsass_pid(dump_path) -> int`

Runs `windows.pslist` and returns the PID of the LSASS process. The genuine lsass.exe is the one parented by wininit.exe; a second process carrying that name should be flagged in the report rather than dumped as LSASS.

### `extract_hashdump(dump_path) -> list`

Runs `windows.hashdump` to extract the NTLM hashes of local accounts from the SAM hive.

### `extract_lsadump(dump_path) -> list`

Runs `windows.lsadump` to extract LSA secrets (service account passwords, the machine account password, DPAPI_SYSTEM).

### `extract_cachedump(dump_path) -> list`

Runs `windows.cachedump` to extract DCC2 (MS-Cache v2) hashes of cached domain logons.

### `run_pypykatz(dump_path, output_dir) -> dict`

Invokes pypykatz with `--json` against an LSASS minidump or, via its volatility3 plugin, against a full memory image.

### `parse_pypykatz_creds(pypykatz_data) -> list`

Parses the pypykatz JSON (one entry per logon session) into a structured credential list covering NTLM, Kerberos, WDigest and DPAPI material.

### `search_cloud_keys(dump_path) -> list`

Uses `windows.strings` to find AWS keys, JWTs and other auth strings in memory. Note that `windows.strings` does not search memory itself: it takes the output of the `strings` utility (offset and string per line) and reports which process owns each string, so the pattern matching runs over that strings output and the plugin supplies the process attribution.

### `generate_report(dump_path, output_dir) -> dict`

Orchestrates all extraction steps and compiles the final report with a summary and recommended actions.
## Volatility3 Plugins Used

| Plugin | Purpose |
|---|---|
| windows.info | OS identification |
| windows.pslist | Process listing (find LSASS PID) |
| windows.hashdump | SAM hash extraction |
| windows.lsadump | LSA secret extraction |
| windows.cachedump | Cached domain credential extraction |
| windows.strings | String search for cloud keys and tokens |
## Output Schema

```json
{
  "source": "/cases/memory.raw",
  "sam_hashes": [{"user": "Administrator", "rid": 500, "ntlm_hash": "fc52..."}],
  "lsass_creds": [{"user": "CORP\\admin", "cred_types": [{"type": "NTLM", "hash": "..."}]}],
  "cloud_keys": [{"type": "AWS Access Key", "value": "AKIA..."}],
  "summary": {"sam_hashes": 4, "lsass_creds": 3, "cloud_keys": 1},
  "actions": ["Reset passwords for all local accounts..."]
}
```

The report holds live hashes and cleartext passwords: store it under the same access controls as the memory image and remove it from scratch space once the case is closed.