mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 22:24:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2.0 KiB
# API Reference: Detecting Privilege Escalation Attempts

## Windows Security Event IDs
| Event ID | Description |
|---|---|
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4674 | Operation attempted on a privileged object |
| 4688 | New process created (token elevation check) |
| 4703 | User right was adjusted |
## Sysmon Event IDs
| Event ID | Description |
|---|---|
| 1 | Process Create with IntegrityLevel field |
| 10 | ProcessAccess (token duplication detection) |
| 13 | RegistryEvent (UAC bypass registry keys) |
## Key Libraries

- pywin32 (`pip install pywin32`): `win32evtlog.OpenEventLog()`, `ReadEventLog()`, `CloseEventLog()`
- python-evtx (`pip install python-evtx`): Parse EVTX files offline with `Evtx.Evtx(path)`
- re (stdlib): Pattern matching for UAC bypass indicators in command lines
## UAC Bypass Detection Patterns

| Binary | Registry Key |
|---|---|
| fodhelper.exe | HKCU\Software\Classes\ms-settings\shell\open\command |
| eventvwr.exe | HKCU\Software\Classes\mscfile\shell\open\command |
| sdclt.exe | HKCU\Software\Classes\exefile\shell\runas\command |
| computerdefaults.exe | HKCU\Software\Classes\ms-settings\shell\open\command |
## Configuration

| Variable | Description |
|---|---|
| PRIV_ESC_EVENT_IDS | Map of Security event IDs to descriptions |
| SUSPICIOUS_PROCESSES | List of processes to flag when running elevated |
| UAC_BYPASS_INDICATORS | Regex patterns for known UAC bypass techniques |
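The following is an added worked example, not the skill's own `scripts/agent.py`, showing how the three configuration variables above and the UAC bypass registry-key table fit together in a detector. It parses the `Field:<tab>value` lines of Security event messages (4688, 4672) and the `TargetObject` of Sysmon Event 13, then applies the checks the reference describes. The event records, the `Finding` type, the process list contents and the sample events are all constructed for this example; Sysmon reports per-user keys under `HKU\<SID>\...`, so the registry check folds that prefix to `HKCU\` before matching the table's patterns.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Security event IDs from the table above, mapped to descriptions.
PRIV_ESC_EVENT_IDS = {
    4672: "Special privileges assigned to new logon",
    4673: "A privileged service was called",
    4674: "Operation attempted on a privileged object",
    4688: "New process created (token elevation check)",
    4703: "User right was adjusted",
}

# Illustrative list (constructed for this example): binaries worth a second look
# when they start with a full token. Tune to the environment.
SUSPICIOUS_PROCESSES = {"fodhelper.exe", "eventvwr.exe", "sdclt.exe",
                        "computerdefaults.exe", "cmd.exe", "powershell.exe"}

# Regexes built from the UAC bypass registry-key table above.
UAC_BYPASS_INDICATORS = [
    re.compile(r"\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I),
    re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I),
    re.compile(r"\\Software\\Classes\\exefile\\shell\\runas\\command", re.I),
]

# Token Elevation Type as it appears in the 4688 message text:
# %%1937 is TokenElevationTypeFull (a token elevated through UAC).
ELEVATED_TOKEN = "%%1937"

# Sysmon logs per-user hives as HKU\<SID>\...; fold that into HKCU\ before matching.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def parse_message(message: str) -> dict:
    """Turn the 'Field:<tabs>value' lines of a Windows event message into a dict.

    Section headers such as 'Subject:' carry no value and are skipped; a line with
    no colon (e.g. a second privilege under 'Privileges:') continues the last field.
    """
    fields, last = {}, None
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if value:
                fields[key] = value
                last = key
            else:
                last = None  # section header, not a field
        elif last:
            fields[last] += " " + line
    return fields


def check_process_create(fields: dict) -> list:
    """Security 4688: a listed binary started with a full (elevated) token."""
    image = fields.get("New Process Name", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if fields.get("Token Elevation Type") == ELEVATED_TOKEN and name in SUSPICIOUS_PROCESSES:
        return [Finding(4688, "elevated-suspicious-process", image)]
    return []


def check_special_privileges(fields: dict) -> list:
    """Security 4672: sensitive privileges handed to a non-machine, non-SYSTEM account.
    Noisy on admin workstations; meant as a hunting signal, not a standalone alert."""
    account = fields.get("Account Name", "")
    if account.endswith("$") or account.upper() == "SYSTEM":
        return []
    hits = [p for p in ("SeDebugPrivilege", "SeTcbPrivilege") if p in fields.get("Privileges", "")]
    return [Finding(4672, "sensitive-privilege-to-user", f"{account}: {', '.join(hits)}")] if hits else []


def check_registry(target_object: str) -> list:
    """Sysmon 13: a write under one of the keys the UAC-bypass binaries consult."""
    normalized = _HKU_SID.sub(r"HKCU\\", target_object)
    if any(p.search(normalized) for p in UAC_BYPASS_INDICATORS):
        return [Finding(13, "uac-bypass-registry-key", normalized)]
    return []


def analyse(event: dict) -> list:
    """Route one constructed event record (source, id, message or target_object)."""
    source, eid = event["source"], event["id"]
    if source == "Security" and eid == 4688:
        return check_process_create(parse_message(event["message"]))
    if source == "Security" and eid == 4672:
        return check_special_privileges(parse_message(event["message"]))
    if source == "Sysmon" and eid == 13:
        return check_registry(event["target_object"])
    return []


def run(events: Iterable[dict]) -> list:
    return [f for ev in events for f in analyse(ev)]


# Constructed sample events in the shape the functions above expect.
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4688, "message":
        "A new process has been created.\nSubject:\n\tAccount Name:\t\tjdoe\n"
        "Process Information:\n\tNew Process Name:\tC:\\Windows\\System32\\fodhelper.exe\n"
        "\tToken Elevation Type:\t%%1937\n\tProcess Command Line:\tfodhelper.exe\n"},
    {"source": "Security", "id": 4688, "message":
        "A new process has been created.\n\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe\n"
        "\tToken Elevation Type:\t%%1938\n"},
    {"source": "Sysmon", "id": 13, "target_object":
        "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute"},
    {"source": "Security", "id": 4672, "message":
        "Special privileges assigned to new logon.\n\tAccount Name:\t\tjdoe\n"
        "\tPrivileges:\t\tSeDebugPrivilege\n\t\t\tSeImpersonatePrivilege\n"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {PRIV_ESC_EVENT_IDS.get(f.event_id, 'Sysmon')}: {f.rule} -> {f.detail}")
```

Feeding real records in is a matter of replacing `SAMPLE_EVENTS` with the `StringInserts` text from `win32evtlog.ReadEventLog()` or the XML from `python-evtx`; the message parser and the checks do not change.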