Anthropic-Cybersecurity-Skills/skills/detecting-ransomware-encryption-behavior/references/api-reference.md
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00
API Reference: Detecting Ransomware Encryption Behavior

Shannon Entropy

Formula: H(X) = -Σ p(x) log2 p(x), summed over every byte value x that occurs, where p(x) is that value's relative frequency. For byte data the range is 0.0 (every byte identical) to 8.0 (all 256 values equally frequent).

Python Implementation

```python
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per symbol: 0.0 for empty input, at most 8.0 for bytes."""
    if not data:
        return 0.0  # guard: an empty buffer would otherwise divide by zero
    freq = Counter(data)      # byte value -> occurrence count
    length = len(data)
    return -sum((c / length) * math.log2(c / length) for c in freq.values())
```

Entropy Thresholds

| Range   | Interpretation                             | Example            |
|---------|--------------------------------------------|--------------------|
| 0.0-1.0 | Nearly constant (almost all bytes identical) | Null files       |
| 1.0-4.0 | Low entropy                                | Plain text         |
| 4.0-6.0 | Mixed content                              | Office docs        |
| 6.0-7.0 | Compressed                                 | PDF                |
| 7.0-7.5 | Highly compressed                          | ZIP, JPEG          |
| 7.5-7.9 | Block cipher encrypted                     | AES-CBC            |
| 7.9-8.0 | Stream cipher encrypted                    | AES-CTR, ChaCha20  |

psutil Process IO Monitoring

```python
import os
import psutil

# pid of the process under observation; the current process is used here so
# the snippet runs stand-alone. Requires rights to inspect the target process.
proc = psutil.Process(os.getpid())
io = proc.io_counters()  # Linux, BSD, Windows, AIX; not available on macOS
# Fields: read_bytes write_bytes read_count write_count
```

Sysmon Event IDs

| Event ID | Event                      | Relevance                   |
|----------|----------------------------|-----------------------------|
| 1        | Process Create             | Identify encrypting process |
| 2        | File creation time changed | Timestomping                |
| 11       | FileCreate                 | Ransom notes                |
| 15       | FileCreateStreamHash       | ADS usage                   |
| 23       | FileDelete                 | Shadow copy deletion        |
| 26       | FileDeleteDetected         | File deletion               |

Windows ETW Providers

Microsoft-Windows-Kernel-File GUID: EDD08927-9CC4-4E65-B970-C2560FB5C289

| Event ID | Description    |
|----------|----------------|
| 10       | Create (open)  |
| 11       | Close          |
| 12       | Read           |
| 14       | Write          |
| 15       | SetInformation |

Behavioral Scoring

| Signal                 | Weight | Threshold |
|------------------------|--------|-----------|
| Files modified per min | 30 pts | Over 50   |
| Entropy delta          | 30 pts | Over 3.0  |
| Extension changes      | 20 pts | Over 10   |
| Ransom note creation   | 20 pts | Any       |

Score Interpretation

| Score  | Severity | Action           |
|--------|----------|------------------|
| 0-25   | INFO     | Log              |
| 25-50  | LOW      | Alert SOC        |
| 50-75  | HIGH     | Suspend process  |
| 75-100 | CRITICAL | Kill and isolate |
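The Behavioral Scoring and Score Interpretation tables above, carried through as an added, runnable example (not code from this skill's own agent.py): the entropy delta is computed with the Shannon function from this reference, the weights and thresholds are taken from the tables, and the samples are constructed inline. The assumption that the counters are collected per process over a one-minute window, and the upward tie-break at the shared band boundaries, are mine.

```python
import math
from collections import Counter

# Weights and "exceeds threshold" tests from the Behavioral Scoring table (assumed per-process, per minute).
SIGNALS = {
    "files_modified_per_min": (30, lambda v: v > 50),
    "entropy_delta":          (30, lambda v: v > 3.0),
    "extension_changes":      (20, lambda v: v > 10),
    "ransom_note_created":    (20, lambda v: bool(v)),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def behavioral_score(signals: dict) -> int:
    """Add the weight of each signal whose threshold test passes; result is 0-100."""
    return sum(w for name, (w, hit) in SIGNALS.items() if hit(signals.get(name, 0)))

def severity(score: int) -> tuple:
    """Map a score onto the Score Interpretation table; its bands share boundary
    values (25, 50, 75), so a tie is resolved upward (assumed, the safer choice)."""
    if score >= 75:
        return ("CRITICAL", "Kill and isolate")
    if score >= 50:
        return ("HIGH", "Suspend process")
    if score >= 25:
        return ("LOW", "Alert SOC")
    return ("INFO", "Log")

def assess(before: bytes, after: bytes, files_per_min: int,
           ext_changes: int, note_seen: bool) -> dict:
    """Score one process from a before/after sample of a file it wrote plus its counters."""
    signals = {
        "files_modified_per_min": files_per_min,
        "entropy_delta": shannon_entropy(after) - shannon_entropy(before),
        "extension_changes": ext_changes,
        "ransom_note_created": note_seen,
    }
    score = behavioral_score(signals)
    sev, action = severity(score)
    return {"signals": signals, "score": score, "severity": sev, "action": action}

# Constructed samples: a plain-text document and a stand-in for its encrypted form
# in which every byte value occurs equally often (entropy exactly 8.0).
SAMPLE_TEXT = b"Quarterly report: revenue up 4% year over year.\n" * 200
SAMPLE_CIPHER = bytes(range(256)) * 40
# assess(SAMPLE_TEXT, SAMPLE_CIPHER, 120, 40, True) -> score 100, CRITICAL, "Kill and isolate"
```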

Shadow Copy Deletion

| Command                               | Method           |
|---------------------------------------|------------------|
| vssadmin delete shadows /all /quiet   | VSS Admin        |
| wmic shadowcopy delete                | WMI              |
| bcdedit /set recoveryenabled no       | Disable recovery |
| wbadmin delete catalog -quiet         | Delete backup    |

watchdog Library

| Method      | Trigger       |
|-------------|---------------|
| on_created  | File created  |
| on_modified | File modified |
| on_deleted  | File deleted  |
| on_moved    | File renamed  |

Double Extension Detection

```python
def split_double_extension(filename):
    """Return (original_ext, appended_ext) for names like 'report.docx.locked', else None."""
    parts = filename.rsplit(".", 2)  # at most two splits from the right: stem, ext, ext
    if len(parts) >= 3:
        original_ext = "." + parts[-2]
        appended_ext = "." + parts[-1]
        return original_ext, appended_ext
    return None

# Note: legitimate names such as archive.tar.gz also have two extensions, so treat a
# double extension as one signal among several rather than an alert on its own.
```