Anthropic-Cybersecurity-Skills/skills/analyzing-command-and-control-communication/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: C2 Communication Analysis Tools

Scapy - Packet Analysis Library (Python)

Reading PCAPs

from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR
packets = rdpcap("capture.pcap")

Filtering Packets

# TCP SYN packets (connection initiation: SYN set and ACK clear, so the
# server's SYN-ACK replies are not counted as initiations)
syn_pkts = [p for p in packets if TCP in p and (p[TCP].flags & 0x12) == 0x02]

# DNS queries (qr == 0 is a query, qr == 1 a response)
dns_pkts = [p for p in packets if DNS in p and p[DNS].qr == 0]

# Access fields on a single packet, e.g. pkt = syn_pkts[0]
pkt[IP].src        # Source IP
pkt[IP].dst        # Destination IP
pkt[TCP].sport     # Source port
pkt[TCP].dport     # Destination port
pkt[TCP].flags     # TCP flags (0x02 = SYN)
float(pkt.time)    # Packet timestamp (epoch seconds)

dpkt - Packet Parsing Library (Python)

Reading PCAPs

import dpkt
with open("capture.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)          # classic pcap only; use dpkt.pcapng.Reader for pcapng
    for timestamp, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        if not isinstance(eth.data, dpkt.ip.IP):   # skip ARP, IPv6 and other non-IPv4 frames
            continue
        ip = eth.data
        if not isinstance(ip.data, dpkt.tcp.TCP):  # skip UDP, ICMP, etc.
            continue
        tcp = ip.data

HTTP Request Parsing

# Not every TCP payload is an HTTP request; dpkt raises dpkt.UnpackError when it is not
try:
    http = dpkt.http.Request(tcp.data)
except dpkt.UnpackError:
    http = None
else:
    http.method     # GET, POST
    http.uri        # /path
    http.headers    # dict of headers (keys are lower-cased)
    http.body       # POST body

tshark - CLI Wireshark

Beacon Analysis

# -E separator=, makes the field output comma-separated (tshark's default is tab);
# tcp.flags.ack==0 keeps client SYNs only and drops the server's SYN-ACK replies
tshark -r capture.pcap -T fields -E separator=, -e ip.dst -e tcp.dstport -e frame.time_epoch \
  -Y "tcp.flags.syn==1 && tcp.flags.ack==0" > syn_times.csv

HTTP Extraction

tshark -r capture.pcap -Y "http.request" -T fields \
  -e http.request.method -e http.host -e http.request.uri -e http.user_agent

DNS Extraction

tshark -r capture.pcap -Y "dns.qr==0" -T fields \
  -e dns.qry.name -e dns.qry.type -e ip.src
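Worked example over the output of that DNS extraction, added here and not part of the original reference or of the skill's own scripts: it assumes tshark's default tab-separated field output (dns.qry.name, dns.qry.type, ip.src), groups queries by source host and parent domain, and flags groups whose subdomain labels are numerous, long and high-entropy at once, the shape that data carried inside DNS names tends to have. The sample lines, the function names and the thresholds are constructed; the parent-domain split is a simplification (last two labels) and does not handle multi-label public suffixes.

```python
"""DNS-query profiling over tshark output (added example, not part of the
original reference). Input lines are assumed to be dns.qry.name<TAB>dns.qry.type<TAB>ip.src."""
import math
from collections import defaultdict

# Constructed sample: ordinary lookups from 192.0.2.15, and a run of long,
# never-repeated, hex-looking labels from 192.0.2.44 under one parent domain.
SAMPLE_DNS_TSV = """\
www.example.com\t1\t192.0.2.15
mail.example.com\t1\t192.0.2.15
cdn.example.net\t28\t192.0.2.15
3f9a1c7e5b2d8046a9e1c3f7b5d20a68.c2-demo.example\t16\t192.0.2.44
c4e18b7a2f9d305e6b1a8c4f7d2e9b03.c2-demo.example\t16\t192.0.2.44
7b2e9c4a1f8d306e5a2c7b9e4f1d803a.c2-demo.example\t16\t192.0.2.44
e1a7c3b9f2d4805a6c8e1b3f9d7a2c40.c2-demo.example\t16\t192.0.2.44
9d4f2a7c1e8b305f6a9c2e7d4b1f803e.c2-demo.example\t16\t192.0.2.44
www.c2-demo.example\t1\t192.0.2.15
"""


def shannon_entropy(s):
    """Bits per character of a label string: hex-encoded data sits near 4,
    ordinary hostnames well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name):
    """Parent domain, approximated as the last two labels (simplification: a
    public-suffix list is needed to get names like example.co.uk right)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_lines(text):
    """Return (name, qtype, src) tuples from tshark's tab-separated output,
    skipping lines that do not carry exactly three non-empty fields."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not all(parts):
            continue
        rows.append(tuple(parts))
    return rows


def dns_tunnel_candidates(text, min_unique=5, min_mean_len=24, min_entropy=3.0):
    """Group queries by (source host, parent domain) and flag the groups whose
    subdomain labels are many, long and high-entropy at the same time."""
    groups = defaultdict(list)
    for name, _qtype, src in parse_dns_lines(text):
        lowered = name.lower()
        base = base_domain(lowered)
        sub = lowered[: -len(base)].rstrip(".") if base else ""   # everything left of the parent
        groups[(src, base)].append(sub)
    flagged = []
    for key, subs in sorted(groups.items()):
        stats = {
            "queries": len(subs),
            "unique_subdomains": len(set(subs)),
            "mean_label_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
        if (stats["unique_subdomains"] >= min_unique
                and stats["mean_label_len"] >= min_mean_len
                and stats["mean_entropy"] >= min_entropy):
            flagged.append((key, stats))
    return flagged


if __name__ == "__main__":
    for (src, base), stats in dns_tunnel_candidates(SAMPLE_DNS_TSV):
        print(f"{src} -> {base}: {stats['queries']} queries, "
              f"{stats['unique_subdomains']} unique labels, "
              f"mean length {stats['mean_label_len']:.0f}, entropy {stats['mean_entropy']:.2f}")
```

Requiring all three conditions together is deliberate: content-delivery and telemetry domains also produce many unique subdomains, but their labels are short or low-entropy, so a single metric on its own generates noise. The query type column is carried through unchanged so the same rows can be filtered further (for example by TXT queries, type 16) without re-running tshark.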

JA3 TLS Fingerprinting

tshark -r capture.pcap -Y "tls.handshake.type==1" -T fields \
  -e ip.src -e tls.handshake.ja3

CobaltStrikeParser - Beacon Config Extraction

Usage

from cobalt_strike_parser import BeaconConfig
config = BeaconConfig.from_file("beacon.bin")
for key, value in config.items():
    print(f"{key}: {value}")

Key Config Fields

| Field | Description |
| --- | --- |
| BeaconType | HTTP, HTTPS, DNS, SMB |
| C2Server | Primary C2 URL |
| SleepTime | Beacon interval (ms) |
| Jitter | Jitter percentage |
| UserAgent | HTTP User-Agent string |
| Watermark | License watermark ID |

Suricata - Network IDS Rules

Rule Syntax

alert <proto> <src> <port> -> <dst> <port> (msg:""; <options>; sid:N; rev:N;)

Key Keywords

| Keyword | Purpose |
| --- | --- |
| http.method | Match HTTP method |
| http.uri | Match request URI |
| http.header | Match header content |
| ja3.hash | Match JA3 TLS fingerprint |
| dns.query | Match DNS query name |
| tls.cert_subject | Match TLS certificate subject (CN) |
| threshold | Rate-based detection |