mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
66 lines
1.8 KiB
Markdown
66 lines
1.8 KiB
Markdown
# API Reference: Hunting for Spearphishing Indicators
|
|
|
|
## Email Header Analysis
|
|
|
|
```python
|
|
import email
|
|
from email import policy
|
|
|
|
msg = email.message_from_file(open("suspect.eml"), policy=policy.default)
|
|
print(msg["From"], msg["Return-Path"], msg["Received"])
|
|
print(msg["Authentication-Results"]) # SPF/DKIM/DMARC
|
|
```
|
|
|
|
## Suspicious Attachment Types
|
|
|
|
| Extension | Risk | Technique |
|
|
|-----------|------|-----------|
|
|
| `.exe`, `.scr`, `.dll` | CRITICAL | T1566.001 |
|
|
| `.xlsm`, `.docm` | HIGH | T1566.001 (macros) |
|
|
| `.iso`, `.img`, `.lnk` | HIGH | T1566.001 (MOTW bypass) |
|
|
| `.html`, `.htm` | HIGH | HTML Smuggling |
|
|
| `.zip`, `.rar` | MEDIUM | Archive with payload |
|
|
|
|
## Splunk SPL - Phishing Detection
|
|
|
|
```spl
|
|
index=email sourcetype=exchange
|
|
| where match(attachment_name, "(?i)\.(exe|scr|iso|lnk|docm|xlsm|hta)$")
|
|
| stats count by sender, recipient, attachment_name, subject
|
|
| where count > 3
|
|
```
|
|
|
|
## KQL - Microsoft Defender for Office 365
|
|
|
|
```kql
|
|
EmailAttachmentInfo
|
|
| where FileType in ("exe", "scr", "iso", "lnk", "docm", "xlsm")
|
|
| join kind=inner EmailEvents on NetworkMessageId
|
|
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName
|
|
```
|
|
|
|
## Phishing URL Patterns
|
|
|
|
```python
|
|
patterns = [
|
|
r"https?://bit\.ly/", # URL shorteners
|
|
r"https?://\d+\.\d+\.\d+\.\d+", # IP-based URLs
|
|
r"https?://[^/]*login[^/]*\.", # Credential harvesting
|
|
r"https?://[^/]*\.(top|xyz)/", # Suspicious TLDs
|
|
]
|
|
```
|
|
|
|
## SPF/DKIM/DMARC Validation
|
|
|
|
```python
|
|
import spf
|
|
result, _, _ = spf.check2(ip="1.2.3.4", sender="user@example.com", helo="mail.example.com")
|
|
# result: 'pass', 'fail', 'softfail', 'neutral', 'none'
|
|
```
|
|
|
|
### References
|
|
|
|
- MITRE T1566: https://attack.mitre.org/techniques/T1566/
|
|
- pyspf: https://pypi.org/project/pyspf/
|
|
- python email: https://docs.python.org/3/library/email.html
|