Anthropic-Cybersecurity-Skills/skills/detecting-cryptomining-in-cloud/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# Detecting Cryptomining in Cloud API Reference

## Detection Signal Categories

No single signal is conclusive on its own: cost and CPU spikes also come from legitimate batch jobs, and port or domain matches can be coincidental. Correlate at least two signals on the same instance before containment.

| Signal | Source | Indicator |
|---|---|---|
| Cost spike | AWS Cost Explorer / Cost Anomaly Detection | Sudden EC2/GPU cost increase |
| High CPU | CloudWatch | Sustained >95% CPU utilization |
| Mining ports | VPC Flow Logs | Traffic to Stratum pool ports such as 3333, 4444, 14444 |
| DNS queries | GuardDuty / Route 53 Resolver query logs | Queries to known pool domains |
| Process | GuardDuty Runtime Monitoring | xmrig, ccminer, ethminer |

## GuardDuty Crypto Findings

GuardDuty raises `CryptoCurrency:EC2/BitcoinTool.B` (pool IP seen in VPC Flow Logs), `CryptoCurrency:EC2/BitcoinTool.B!DNS` (pool domain seen in DNS logs) and the `CryptoCurrency:Runtime/*` equivalents from the Runtime Monitoring agent. `list-findings` returns finding IDs only; pass them to `aws guardduty get-findings` to read the instance ID, remote IP or domain, and first/last seen timestamps.

```bash
# List crypto findings (IDs only); includes all four BitcoinTool.B variants
aws guardduty list-findings --detector-id "$DET" \
  --finding-criteria '{"Criterion":{"type":{"Eq":["CryptoCurrency:EC2/BitcoinTool.B","CryptoCurrency:EC2/BitcoinTool.B!DNS","CryptoCurrency:Runtime/BitcoinTool.B","CryptoCurrency:Runtime/BitcoinTool.B!DNS"]}}}'
```

## CloudWatch CPU Alarm

`AWS/EC2 CPUUtilization` is published per instance, so the alarm needs an `InstanceId` dimension (one alarm per instance, or a metric-math/composite alarm across a fleet); without it the alarm has no datapoints to evaluate. Six periods of 300 s means the instance must average above 95% for 30 consecutive minutes, which filters out short bursts from legitimate work. `--treat-missing-data notBreaching` keeps a stopped instance from flapping into ALARM.

```bash
aws cloudwatch put-metric-alarm \
  --alarm-name "HighCPU-Mining" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --dimensions Name=InstanceId,Value=i-0123456789abcdef0 \
  --statistic Average \
  --period 300 --threshold 95 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 6 \
  --treat-missing-data notBreaching \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:SOCAlerts
```

## AWS Cost Anomaly Detection

A `DIMENSIONAL` monitor on `SERVICE` watches every service, so an EC2 or GPU spike surfaces as an anomaly attributed to Amazon Elastic Compute Cloud. Anomaly detection runs on billing data delivered after the fact, so it lags the CloudWatch and GuardDuty signals by hours; treat it as a backstop that catches mining on instances nobody monitors, not as the primary alert. Notifications require a separate `aws ce create-anomaly-subscription` tied to the monitor.

```bash
# Create monitor
aws ce create-anomaly-monitor --anomaly-monitor '{
  "MonitorName": "EC2CostSpike", "MonitorType": "DIMENSIONAL",
  "MonitorDimension": "SERVICE"
}'

# Get anomalies
aws ce get-anomalies --date-interval '{"StartDate":"2024-01-01","EndDate":"2024-01-31"}'
```

## VPC Flow Logs Mining Port Query

CloudWatch Logs Insights query for flow logs delivered in the default format. Insights auto-discovers the fields under camelCase names (`srcAddr`, `dstPort`), not the lowercase names used in the flow-log format string. Port matching is a weak signal on its own: pools also listen on 80 and 443 and a miner can be pointed at any port, so confirm hits against the pool IP or domain and the CPU signal.

```
fields @timestamp, srcAddr, dstAddr, dstPort, action, bytes
| filter dstPort in [3333, 4444, 5555, 14444, 45700]
| stats sum(bytes) as total_bytes by srcAddr, dstAddr, dstPort
| sort total_bytes desc
```
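The same aggregation run offline over raw flow-log lines, as an added example (not part of the skill folder's own scripts): it parses the default v2 flow-log format, drops `NODATA`/`SKIPDATA` records, and sums bytes per source, destination and port for the Stratum ports used in the query above. The log lines are constructed; the account ID and ENI are placeholders.

```python
"""Aggregate VPC Flow Log records by mining-pool port, offline.

Added example, not the skill folder's own code. Mirrors the Logs Insights
query on raw flow-log lines in the default v2 format (for example a local
export from S3). SAMPLE_LOGS below is constructed.
"""
from collections import defaultdict

# Default flow-log format: version account-id interface-id srcaddr dstaddr
# srcport dstport protocol packets bytes start end action log-status
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Ports commonly used by Stratum mining pools (same list as the query).
MINING_PORTS = {3333, 4444, 5555, 14444, 45700}

# Constructed sample: one instance talking to a pool on 3333/14444/4444,
# one benign HTTPS flow, one NODATA record.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51234 3333 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51235 3333 6 90 71000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51236 14444 6 10 1200 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.40 198.51.100.7 40001 443 6 30 4500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51237 4444 6 5 400 1700000180 1700000240 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000240 1700000300 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per data record; skip NODATA/SKIPDATA and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA carry '-' in the numeric fields
            continue
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def mining_port_summary(text, ports=MINING_PORTS, accepted_only=True):
    """Sum bytes per (srcaddr, dstaddr, dstport) for flows to mining ports.

    Returns [((src, dst, port), total_bytes), ...] sorted by bytes descending,
    like the Insights query. With accepted_only=True REJECT flows are dropped:
    a blocked connection attempt is still an IOC but moved no mining traffic,
    so keep it out of the volume ranking and look at it separately.
    """
    totals = defaultdict(int)
    for rec in parse_flow_log(text):
        if rec["dstport"] not in ports:
            continue
        if accepted_only and rec["action"] != "ACCEPT":
            continue
        totals[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (src, dst, port), total in mining_port_summary(SAMPLE_LOGS):
        print(f"{src} -> {dst}:{port}  {total} bytes")
```

Run `mining_port_summary(text, accepted_only=False)` to see rejected attempts as well; the constructed sample then surfaces the blocked 14444 connection between the two accepted flows.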

## Known Mining Pool Domains

Match on the registrable domain (for example `supportxmr.com`, `moneroocean.stream`), not only on these exact hostnames, because pools use regional prefixes. Pools come and go, so treat this as a seed list that needs periodic review rather than a complete feed; a hit on a pool that has since shut down still indicates a miner config on the host.

pool.minexmr.com, xmr.pool.minergate.com, monerohash.com,
xmrpool.eu, supportxmr.com, pool.hashvault.pro,
gulf.moneroocean.stream, rx.unmineable.com
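An added example (not the skill folder's own code) that applies this list to Route 53 Resolver query logs, one JSON record per line with `query_name`, `srcaddr` and `srcids.instance` fields (an assumption about the log format; adjust the keys for other DNS sources). The matcher works on label boundaries and also matches the registrable-domain approximation of each entry (its last two labels, which is wrong under public suffixes such as `co.uk`), so `eu.supportxmr.com` is caught while `notsupportxmr.com` is not. The log records are constructed.

```python
"""Match DNS query logs against the mining pool domain list.

Added example, not the skill folder's own code. Reads Route 53 Resolver
query-log style records (one JSON object per line). SAMPLE_DNS is
constructed; the instance IDs are placeholders.
"""
import json

# Seed list from the page.
POOL_DOMAINS = {
    "pool.minexmr.com", "xmr.pool.minergate.com", "monerohash.com",
    "xmrpool.eu", "supportxmr.com", "pool.hashvault.pro",
    "gulf.moneroocean.stream", "rx.unmineable.com",
}


def _apex(name):
    """Assumption: the registrable domain is the last two labels.
    Wrong for public suffixes such as co.uk; use a PSL library there."""
    return ".".join(name.split(".")[-2:])


# Listed names plus their apex, longest first so the most specific entry wins.
PATTERNS = sorted(POOL_DOMAINS | {_apex(d) for d in POOL_DOMAINS}, key=len, reverse=True)


def matches_pool(qname, patterns=PATTERNS):
    """Return the longest matching pattern, or None.

    Matching is on label boundaries: 'eu.supportxmr.com' hits
    'supportxmr.com'; 'notsupportxmr.com' does not.
    """
    name = qname.lower().rstrip(".")  # query logs carry a trailing dot
    for p in patterns:
        if name == p or name.endswith("." + p):
            return p
    return None


# Constructed records in Route 53 Resolver query-log shape (assumed field names).
SAMPLE_DNS = """\
{"query_timestamp":"2024-01-15T10:00:01Z","query_name":"pool.supportxmr.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.25","srcids":{"instance":"i-0123456789abcdef0"}}
{"query_timestamp":"2024-01-15T10:00:02Z","query_name":"gulf.moneroocean.stream.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.25","srcids":{"instance":"i-0123456789abcdef0"}}
{"query_timestamp":"2024-01-15T10:00:03Z","query_name":"api.github.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.40","srcids":{"instance":"i-0fedcba9876543210"}}
{"query_timestamp":"2024-01-15T10:00:04Z","query_name":"notsupportxmr.com.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.40","srcids":{"instance":"i-0fedcba9876543210"}}
"""


def find_pool_queries(text):
    """Return (instance_id, srcaddr, query_name, pool) for each matching record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, do not abort the sweep
        pool = matches_pool(rec.get("query_name", ""))
        if pool:
            hits.append((rec.get("srcids", {}).get("instance"),
                         rec.get("srcaddr"), rec["query_name"], pool))
    return hits


def suspect_instances(text):
    """Map instance ID -> set of pools it resolved; feeds the remediation step."""
    out = {}
    for instance_id, _src, _qname, pool in find_pool_queries(text):
        out.setdefault(instance_id, set()).add(pool)
    return out


if __name__ == "__main__":
    for instance_id, pools in suspect_instances(SAMPLE_DNS).items():
        print(instance_id, sorted(pools))
```

The NXDOMAIN on `notsupportxmr.com` is left out by design; if you want to hunt for typosquat or lookalike pool names, that is a separate fuzzy match, not a suffix rule.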

## Instance Remediation

Run the steps in this order: isolate, snapshot, then terminate. Terminating first destroys root volumes that have `DeleteOnTermination` set, and with them the miner binary, its config (pool and wallet) and any cron or systemd persistence you need for the investigation. `sg-isolation` is a security group with no inbound or outbound rules; `aws ec2 wait snapshot-completed --snapshot-ids <id>` blocks until a snapshot is usable. If the instance has an instance profile, treat that role's credentials as exposed and review CloudTrail for activity under them.

```bash
# 1. Isolate: replace all security groups with the empty isolation group
aws ec2 modify-instance-attribute --instance-id i-0123456789abcdef0 --groups sg-isolation

# 2. Snapshot each attached volume for forensics (wait for it to complete)
aws ec2 create-snapshot --volume-id vol-xxx --description "Mining forensics i-0123456789abcdef0"

# 3. Terminate the mining instance only after the snapshots are complete
aws ec2 terminate-instances --instance-ids i-0123456789abcdef0
```
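The three remediation calls as one containment routine that enforces the order and refuses to terminate until every snapshot is complete. This is an added example, not the skill folder's own `agent.py`: `ec2` is any object exposing the boto3 EC2 client methods used (pass `boto3.client("ec2")` in production), and `FakeEC2` is a constructed stand-in so the sequence can be exercised offline. The instance, volume and security-group IDs are placeholders.

```python
"""Containment sequence for a suspected mining instance: isolate, snapshot,
then terminate. Added example, not the skill folder's own code. `ec2` is any
object with the boto3 EC2 client methods used below; FakeEC2 is a constructed
stand-in, not a real AWS client."""
import time


def contain_instance(ec2, instance_id, isolation_sg, poll=time.sleep):
    """Contain one instance and return an ordered audit trail of actions.

    Isolating first cuts the miner off from its pool while the snapshot runs;
    terminating before the snapshot completes would delete DeleteOnTermination
    root volumes together with the evidence.
    """
    trail = []

    # 1. Replace every security group with the empty isolation group and verify
    #    the change actually applied before touching anything else.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    attached = {g["GroupId"] for g in inst["SecurityGroups"]}
    if attached != {isolation_sg}:
        raise RuntimeError(f"isolation not applied to {instance_id}: {sorted(attached)}")
    trail.append(("isolate", isolation_sg))

    # 2. Snapshot every attached EBS volume (instance-store mappings have no Ebs key).
    snapshot_ids = []
    for mapping in inst["BlockDeviceMappings"]:
        if "Ebs" not in mapping:
            continue
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"Mining forensics {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "incident", "Value": "cryptomining"}]}],
        )
        snapshot_ids.append(snap["SnapshotId"])
        trail.append(("snapshot", volume_id, snap["SnapshotId"]))

    # 3. Block until each snapshot is 'completed'; never terminate on 'pending'.
    for sid in snapshot_ids:
        while True:
            state = ec2.describe_snapshots(SnapshotIds=[sid])["Snapshots"][0]["State"]
            if state == "completed":
                break
            if state == "error":
                raise RuntimeError(f"snapshot {sid} failed; instance left isolated, not terminated")
            poll(5)

    # 4. Only now destroy the instance.
    ec2.terminate_instances(InstanceIds=[instance_id])
    trail.append(("terminate", instance_id))
    return trail


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client. Snapshots report
    'pending' on the first describe and 'completed' on the second."""

    def __init__(self, instance_id, volumes, apply_sg=True):
        self.instance_id, self.volumes, self.apply_sg = instance_id, list(volumes), apply_sg
        self.groups, self.snapshots, self.terminated, self.calls = ["sg-original"], {}, False, []

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append("modify_instance_attribute")
        if self.apply_sg:
            self.groups = list(Groups)
        return {}

    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [{
            "InstanceId": self.instance_id,
            "SecurityGroups": [{"GroupId": g} for g in self.groups],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": v}}
                                    for v in self.volumes]}]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self.calls.append("create_snapshot")
        sid = f"snap-{len(self.snapshots) + 1:017x}"
        self.snapshots[sid] = 0
        return {"SnapshotId": sid, "State": "pending"}

    def describe_snapshots(self, SnapshotIds):
        self.calls.append("describe_snapshots")
        sid = SnapshotIds[0]
        self.snapshots[sid] += 1
        return {"Snapshots": [{"SnapshotId": sid,
                               "State": "completed" if self.snapshots[sid] >= 2 else "pending"}]}

    def terminate_instances(self, InstanceIds):
        self.calls.append("terminate_instances")
        self.terminated = True
        return {}


if __name__ == "__main__":
    fake = FakeEC2("i-0123456789abcdef0", ["vol-0123456789abcdef0"])
    for step in contain_instance(fake, "i-0123456789abcdef0", "sg-isolation", poll=lambda _: None):
        print(step)
```

With a real client the polling loop can be replaced by `ec2.get_waiter("snapshot_completed").wait(SnapshotIds=snapshot_ids)`; the loop is kept here so the fake client needs no waiter. The isolation check matters: if `modify_instance_attribute` is rejected (for example by an SCP or a missing permission), the routine stops before terminating, rather than destroying evidence of an instance that is still talking to the pool.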