mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
47 lines
1.6 KiB
Markdown
47 lines
1.6 KiB
Markdown
# Standards and Frameworks Reference
|
|
|
|
## STIX 2.1 Infrastructure Object
|
|
```json
|
|
{
|
|
"type": "infrastructure",
|
|
"name": "C2 Server",
|
|
"infrastructure_types": ["command-and-control"],
|
|
"description": "Cobalt Strike TeamServer at 198.51.100.1",
|
|
"first_seen": "2025-01-01T00:00:00Z",
|
|
"last_seen": "2025-06-01T00:00:00Z"
|
|
}
|
|
```
|
|
|
|
## Diamond Model of Intrusion Analysis
|
|
- **Adversary**: Threat actor or group
|
|
- **Capability**: Tools, techniques, and malware
|
|
- **Infrastructure**: C2 servers, domains, hosting
|
|
- **Victim**: Targeted organization or individual
|
|
|
|
## Infrastructure Types (STIX vocabulary)
|
|
- command-and-control, botnet, exfiltration, hosting-malware
|
|
- hosting-target-lists, phishing, staging, undefined
|
|
|
|
## Network Fingerprinting Methods
|
|
| Method | Type | Description |
|
|
|--------|------|-------------|
|
|
| JARM | Active | TLS server fingerprint from 10 TLS handshakes |
|
|
| JA3S | Passive | Server Hello hash from TLS negotiation |
|
|
| JA3 | Passive | Client Hello hash for client fingerprinting |
|
|
| Favicon Hash | Active | HTTP favicon file hash |
|
|
| HTTP Headers | Active/Passive | Server banner and header fingerprinting |
|
|
| SSH Key | Active | SSH host key fingerprint |
|
|
|
|
## Passive DNS Record Types
|
|
- A/AAAA: Domain to IP mapping
|
|
- CNAME: Domain alias
|
|
- MX: Mail server records
|
|
- NS: Nameserver records
|
|
- TXT: Text records (SPF, DKIM, verification)
|
|
|
|
## References
|
|
- [Diamond Model Paper](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
|
|
- [STIX Infrastructure](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_jo3k1o6lr9)
|
|
- [JARM](https://github.com/salesforce/jarm)
|
|
- [JA3/JA3S](https://github.com/salesforce/ja3)
|