mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.1 KiB
2.1 KiB
AWS Credential Exposure Detection API Reference
TruffleHog CLI
# Scan local git repo
trufflehog git file:///path/to/repo --json
# Scan GitHub organization
trufflehog github --org my-org --token $GITHUB_TOKEN --json
# Scan GitHub repo
trufflehog git https://github.com/org/repo.git --json
# Scan filesystem (non-git)
trufflehog filesystem /path/to/dir --json
# Scan S3 bucket
trufflehog s3 --bucket my-bucket --json
# Only show verified credentials
trufflehog git file:///repo --only-verified --json
git-secrets CLI
# Install hooks in repo
git secrets --install
git secrets --register-aws
# Scan repo history
git secrets --scan-history
# Scan specific file
git secrets --scan /path/to/file
# Add custom pattern
git secrets --add 'PRIVATE KEY'
git secrets --add-provider -- cat /path/to/patterns.txt
AWS IAM CLI - Key Management
# Check key last used
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXXXXXXXXXX
# List access keys for user
aws iam list-access-keys --user-name jsmith
# Deactivate exposed key
aws iam update-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
--user-name jsmith --status Inactive
# Delete key
aws iam delete-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
--user-name jsmith
# Create new key (after rotation)
aws iam create-access-key --user-name jsmith
AWS Access Key Regex Patterns
Access Key ID: AKIA[A-Z0-9]{16}
Temp Key ID: ASIA[A-Z0-9]{16}
Secret Key: [A-Za-z0-9/+=]{40}
GuardDuty Credential Findings
| Finding Type | Description |
|---|---|
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS |
Instance creds used outside AWS |
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B |
Console login from unusual IP |
Recon:IAMUser/MaliciousIPCaller.Custom |
API calls from threat intel IPs |
AWS CloudTrail - Credential Abuse Queries (Athena)
SELECT eventtime, useridentity.accesskeyid, sourceipaddress, eventname
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAXXXXXXXXXXXXXXXX'
ORDER BY eventtime DESC
LIMIT 100;