mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 19:55:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
68 lines
1.7 KiB
Markdown
68 lines
1.7 KiB
Markdown
# API Reference: Hunting for Webshells in Web Servers
|
|
|
|
## Shannon Entropy Calculation
|
|
|
|
```python
|
|
import math
|
|
|
|
def shannon_entropy(data: bytes) -> float:
|
|
freq = {}
|
|
for byte in data:
|
|
freq[byte] = freq.get(byte, 0) + 1
|
|
length = len(data)
|
|
return -sum((c/length) * math.log2(c/length) for c in freq.values())
|
|
|
|
# Thresholds: > 5.5 suspicious, > 6.5 likely obfuscated
|
|
```
|
|
|
|
## Webshell Detection Patterns
|
|
|
|
| Pattern | Language | Risk |
|
|
|---------|----------|------|
|
|
| `eval()` | PHP | HIGH |
|
|
| `base64_decode()` | PHP | HIGH |
|
|
| `system()` / `passthru()` | PHP | CRITICAL |
|
|
| `shell_exec()` / `exec()` | PHP | CRITICAL |
|
|
| `$_GET/$_POST` + `eval` | PHP | CRITICAL |
|
|
| `Runtime.getRuntime().exec` | JSP | CRITICAL |
|
|
| `Server.CreateObject` | ASP | HIGH |
|
|
|
|
## YARA Rule for Webshells
|
|
|
|
```yara
|
|
rule webshell_php_generic {
|
|
meta:
|
|
description = "Generic PHP webshell"
|
|
strings:
|
|
$eval = "eval(" ascii nocase
|
|
$b64 = "base64_decode(" ascii nocase
|
|
$system = "system(" ascii nocase
|
|
$input = /\$_(GET|POST|REQUEST)\s*\[/ ascii
|
|
condition:
|
|
$input and ($eval or $b64 or $system)
|
|
}
|
|
```
|
|
|
|
## File System Scanning
|
|
|
|
```python
|
|
from pathlib import Path
|
|
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}
|
|
for f in Path("/var/www/html").rglob("*"):
|
|
if f.suffix.lower() in SCRIPT_EXTS:
|
|
entropy = shannon_entropy(f.read_bytes())
|
|
```
|
|
|
|
## NeoPI (Webshell Detection Tool)
|
|
|
|
```bash
|
|
python neopi.py /var/www/html -a # Run all tests
|
|
# Tests: entropy, longest word, index of coincidence, signature
|
|
```
|
|
|
|
### References
|
|
|
|
- MITRE T1505.003: https://attack.mitre.org/techniques/T1505/003/
|
|
- NeoPI: https://github.com/Neohapsis/NeoPI
|
|
- YARA: https://yara.readthedocs.io/
|