mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.1 KiB
2.1 KiB
API Reference: Service Account Abuse Detection
Active Directory PowerShell Module
Get Service Accounts (SPN-based)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties `
ServicePrincipalName, LastLogonDate, Enabled, PasswordLastSet, `
PasswordNeverExpires, AdminCount, MemberOf
Get Managed Service Accounts
Get-ADServiceAccount -Filter * -Properties `
PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate
Check Kerberos Delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties `
TrustedForDelegation, TrustedToAuthForDelegation, `
msDS-AllowedToDelegateTo
Windows Event Log Queries
Logon Type Values
| Type | Description | Concern for Service Accounts |
|---|---|---|
| 2 | Interactive | HIGH — should not happen |
| 3 | Network | Normal for services |
| 5 | Service | Normal |
| 10 | RemoteInteractive (RDP) | HIGH — should not happen |
Event IDs
| ID | Log | Description |
|---|---|---|
| 4624 | Security | Successful logon |
| 4625 | Security | Failed logon |
| 4648 | Security | Explicit credential use |
| 4672 | Security | Special privilege logon |
| 4720 | Security | Account created |
| 4738 | Security | Account modified |
Microsoft Graph API — Service Principal Audit
List Service Principals
GET https://graph.microsoft.com/v1.0/servicePrincipals
Authorization: Bearer {token}
List App Role Assignments
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
Audit Sign-In Logs
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
?$filter=appId eq '{service-principal-app-id}'
AWS IAM — Service Role Audit
List service-linked roles
aws iam list-roles --query "Roles[?starts_with(Path, '/aws-service-role/')]"
Get role last used
aws iam get-role --role-name MyServiceRole \
--query "Role.RoleLastUsed"
Access Analyzer findings
aws accessanalyzer list-findings --analyzer-arn {arn} \
--filter '{"resourceType":{"eq":["AWS::IAM::Role"]}}'