mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
886658219f
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
93 lines
3.0 KiB
Markdown
93 lines
3.0 KiB
Markdown
---
|
|
name: analyzing-ransomware-network-indicators
|
|
description: Identify ransomware network indicators including C2 beaconing patterns,
|
|
TOR exit node connections, data exfiltration flows, and encryption key exchange
|
|
via Zeek conn.log and NetFlow analysis
|
|
domain: cybersecurity
|
|
subdomain: threat-hunting
|
|
tags:
|
|
- ransomware
|
|
- c2-beaconing
|
|
- zeek
|
|
- netflow
|
|
- tor
|
|
- exfiltration
|
|
- network-forensics
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
d3fend_techniques:
|
|
- File Metadata Consistency Validation
|
|
- Certificate Analysis
|
|
- Application Protocol Command Analysis
|
|
- Content Format Conversion
|
|
- File Content Analysis
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- DE.AE-02
|
|
- DE.AE-07
|
|
- ID.RA-05
|
|
mitre_attack:
|
|
- T1071.001
|
|
- T1573
|
|
- T1048
|
|
- T1567.002
|
|
- T1486
|
|
mitre_f3:
|
|
version: '1.1'
|
|
tactics:
|
|
- positioning
|
|
- monetization
|
|
techniques:
|
|
- id: T1219
|
|
name: Remote Access Tools
|
|
tactic: positioning
|
|
source: attack
|
|
- id: F1018
|
|
name: Convert to Cryptocurrency
|
|
tactic: monetization
|
|
source: f3
|
|
- id: F1047
|
|
name: Transfer of funds
|
|
tactic: monetization
|
|
source: f3
|
|
---
|
|
|
|
# Analyzing Ransomware Network Indicators
|
|
|
|
## Overview
|
|
|
|
Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When investigating security incidents that require analyzing ransomware network indicators
|
|
- When building detection rules or threat hunting queries for this domain
|
|
- When SOC analysts need structured procedures for this analysis type
|
|
- When validating security monitoring coverage for related attack techniques
|
|
|
|
## Prerequisites
|
|
|
|
- Zeek conn.log files or NetFlow CSV/JSON exports
|
|
- Python 3.8+ with standard library
|
|
- TOR exit node list (fetched from Tor Project or threat intel feeds)
|
|
- Optional: Known ransomware C2 IOC list
|
|
|
|
## Steps
|
|
|
|
1. **Parse Connection Logs** — Ingest Zeek conn.log (TSV) or NetFlow records into structured format
|
|
2. **Detect Beaconing Patterns** — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks
|
|
3. **Check TOR Exit Node Connections** — Cross-reference destination IPs against current TOR exit node list
|
|
4. **Identify Data Exfiltration** — Flag connections with unusually high outbound byte ratios to external IPs
|
|
5. **Analyze DNS Patterns** — Detect DGA-like domain queries and high-entropy subdomains
|
|
6. **Score and Correlate** — Apply composite risk scoring across all indicator types
|
|
7. **Generate Report** — Produce structured report with timeline and MITRE ATT&CK mapping
|
|
|
|
## Expected Output
|
|
|
|
- JSON report with beaconing detections and interval statistics
|
|
- TOR exit node connection alerts
|
|
- Data exfiltration flow analysis
|
|
- Composite ransomware risk score with MITRE mapping (T1071, T1573, T1041)
|