mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 20:25:18 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
88 lines
2.2 KiB
Markdown
88 lines
2.2 KiB
Markdown
# API Reference: Ransomware Precursor Detection
|
|
|
|
## Zeek (Bro) conn.log Fields
|
|
|
|
### Tab-separated Fields
|
|
| Index | Field | Description |
|
|
|-------|-------|-------------|
|
|
| 0 | ts | Timestamp |
|
|
| 1 | uid | Connection UID |
|
|
| 2 | id.orig_h | Source IP |
|
|
| 3 | id.orig_p | Source port |
|
|
| 4 | id.resp_h | Destination IP |
|
|
| 5 | id.resp_p | Destination port |
|
|
| 6 | proto | Protocol (tcp/udp) |
|
|
| 7 | service | Detected service |
|
|
| 8 | duration | Connection duration |
|
|
| 9 | orig_bytes | Bytes from originator |
|
|
| 10 | resp_bytes | Bytes from responder |
|
|
|
|
## Ransomware-Associated Network Indicators
|
|
|
|
### Ports
|
|
| Port | Service | Risk |
|
|
|------|---------|------|
|
|
| 445 | SMB | Lateral movement, EternalBlue |
|
|
| 3389 | RDP | Brute force, initial access |
|
|
| 4444 | Metasploit default | C2 callback |
|
|
| 135 | RPC | WMI lateral movement |
|
|
| 5985/5986 | WinRM | Remote execution |
|
|
|
|
## Windows Event Log IDs
|
|
|
|
### Security Log
|
|
| Event ID | Description |
|
|
|----------|-------------|
|
|
| 4625 | Failed logon (brute force indicator) |
|
|
| 4624 | Successful logon (type 3 = network) |
|
|
| 4648 | Explicit credential logon |
|
|
| 4672 | Special privileges assigned |
|
|
|
|
### System Log
|
|
| Event ID | Description |
|
|
|----------|-------------|
|
|
| 7036 | Service state change (VSS) |
|
|
| 7045 | New service installed |
|
|
|
|
### PowerShell Operational Log
|
|
| Event ID | Description |
|
|
|----------|-------------|
|
|
| 4104 | Script block logging |
|
|
| 4103 | Module logging |
|
|
|
|
## Shadow Copy Deletion Commands
|
|
```
|
|
vssadmin delete shadows /all /quiet
|
|
wmic shadowcopy delete
|
|
bcdedit /set {default} recoveryenabled no
|
|
bcdedit /set {default} bootstatuspolicy ignoreallfailures
|
|
wbadmin delete catalog -quiet
|
|
```
|
|
|
|
## Suricata Rules for Ransomware Detection
|
|
```
|
|
alert smb any any -> $HOME_NET 445 (msg:"ET EXPLOIT EternalBlue";
|
|
content:"|ff|SMB|73|"; sid:2024217; rev:3;)
|
|
|
|
alert tcp $HOME_NET any -> any 443 (msg:"Ransomware C2 beacon";
|
|
flow:established,to_server; content:"POST";
|
|
pcre:"/\/[a-z]{4,8}\/[a-f0-9]{32}/i"; sid:9000001;)
|
|
```
|
|
|
|
## CrowdStrike Falcon API — IOC Search
|
|
```http
|
|
GET https://api.crowdstrike.com/indicators/queries/iocs/v1
|
|
Authorization: Bearer {token}
|
|
Content-Type: application/json
|
|
|
|
?types=domain&values=malicious-domain.com
|
|
```
|
|
|
|
### Response
|
|
```json
|
|
{
|
|
"resources": ["indicator_id_1"],
|
|
"meta": {"query_time": 0.005}
|
|
}
|
|
```
|