mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.1 KiB
# Cloud Cryptomining Detection API Reference

## GuardDuty - Cryptocurrency Finding Types

| Finding Type | Signal |
|---|---|
| `CryptoCurrency:EC2/BitcoinTool.B!DNS` | EC2 querying crypto domains |
| `CryptoCurrency:EC2/BitcoinTool.B` | EC2 communicating with mining pools |
| `CryptoCurrency:Runtime/BitcoinTool.B!DNS` | Container DNS to mining domain |
| `CryptoCurrency:Runtime/BitcoinTool.B` | Container network to mining pool |
| `Impact:EC2/BitcoinDomainRequest.Reputation` | Known mining domain access |
## GuardDuty CLI

```bash
# Get detector ID and keep it in DET for the commands below
DET=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
# List crypto findings (filter on one finding type; add more entries to the Eq list as needed)
aws guardduty list-findings --detector-id "$DET" \
  --finding-criteria '{"Criterion":{"type":{"Eq":["CryptoCurrency:EC2/BitcoinTool.B!DNS"]}}}'
# Get finding details for the IDs returned above
aws guardduty get-findings --detector-id "$DET" --finding-ids id1 id2
```
## AWS Cost Anomaly Detection

```bash
# Create cost anomaly monitor
aws ce create-anomaly-monitor --anomaly-monitor '{
  "MonitorName": "EC2CostSpike",
  "MonitorType": "DIMENSIONAL",
  "MonitorDimension": "SERVICE"
}'
# Create alert subscription
aws ce create-anomaly-subscription --anomaly-subscription '{
  "SubscriptionName": "CryptoAlert",
  "MonitorArnList": ["arn:aws:ce::123456789012:anomalymonitor/monitor-id"],
  "Subscribers": [{"Address": "soc@company.com", "Type": "EMAIL"}],
  "Threshold": 100.0,
  "Frequency": "IMMEDIATE"
}'
```
## Known Mining Pool Ports

- `3333` - Stratum protocol (common)
- `4444` - Mining proxy
- `5555` - Monero (XMR)
- `7777` - Alt-coin mining
- `8888` - Multi-pool
- `9999` - Mining proxy
- `14444` - XMRig default
- `45700` - MoneroOcean
## VPC Flow Logs Query (CloudWatch Insights)

```
fields @timestamp, srcaddr, dstaddr, dstport, action
| filter dstport in [3333, 4444, 5555, 7777, 14444, 45700]
| sort @timestamp desc
| limit 50
```
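The same port-based triage can be run offline over exported flow log records. The following is an added example, not code from this repository; it assumes the default (version 2) VPC Flow Log record format, takes its port labels from the list above, and uses constructed sample records.

```python
"""Offline triage of VPC Flow Log records for ACCEPTed TCP flows to known mining-pool ports."""
from collections import defaultdict

# Port -> label, taken from the "Known Mining Pool Ports" list on this page.
MINING_POOL_PORTS = {
    3333: "Stratum", 4444: "mining proxy", 5555: "Monero", 7777: "alt-coin",
    8888: "multi-pool", 9999: "mining proxy", 14444: "XMRig default", 45700: "MoneroOcean",
}
# Field order of the default (version 2) VPC Flow Log record format.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

def parse_flow_record(line):
    """Parse one space-separated record into a dict; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records carry '-' in the port fields
        return None
    rec["dstport"] = int(rec["dstport"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_mining_candidates(lines, min_bytes=0):
    """Return {srcaddr: {"ports": [...], "bytes": total, "dsts": [...]}} for sources with
    ACCEPTed TCP (protocol 6) flows of at least min_bytes to a known mining-pool port."""
    hits = defaultdict(lambda: {"ports": set(), "bytes": 0, "dsts": set()})
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != "6":
            continue
        if rec["dstport"] in MINING_POOL_PORTS and rec["bytes"] >= min_bytes:
            h = hits[rec["srcaddr"]]
            h["ports"].add(rec["dstport"]); h["bytes"] += rec["bytes"]; h["dsts"].add(rec["dstaddr"])
    return {src: {"ports": sorted(h["ports"]), "bytes": h["bytes"], "dsts": sorted(h["dsts"])}
            for src, h in hits.items()}

# Constructed sample records (not real traffic): one instance talks to 3333 and 14444, one has
# only a REJECTed attempt on 4444, one is ordinary HTTPS, and one is a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 51234 3333 6 120 48000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 51240 14444 6 80 32000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.40 198.51.100.7 49888 4444 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c9d8e7f 10.0.3.8 192.0.2.25 55001 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c9d8e7f - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for src, info in find_mining_candidates(SAMPLE_FLOW_LOG.splitlines()).items():
        print(f"{src}: ports={info['ports']} bytes={info['bytes']} dsts={info['dsts']}")
```

A hit is a candidate for GuardDuty cross-check and cost review, not proof of mining on its own; legitimate services occasionally use these ports, so the `min_bytes` floor helps drop one-off probes.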
## EC2 Instance Remediation

```bash
# Terminate mining instance
aws ec2 terminate-instances --instance-ids i-0123456789abcdef0
# Revoke security group ingress on mining ports
aws ec2 revoke-security-group-ingress --group-id sg-xxx \
  --protocol tcp --port 3333 --cidr 0.0.0.0/0
```