mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.2 KiB
2.2 KiB
API Reference: Spearphishing Detection via Email Gateway
Python email Module
Parse EML file
import email
from email import policy
with open("message.eml", "rb") as f:
msg = email.message_from_binary_file(f, policy=policy.default)
Security Headers
| Header | Purpose |
|---|---|
Received-SPF |
SPF check result |
Authentication-Results |
SPF, DKIM, DMARC combined |
DKIM-Signature |
DKIM signing info |
ARC-Authentication-Results |
ARC chain results |
X-Mailer |
Client used to send |
Return-Path |
Envelope sender |
Authentication-Results Values
Authentication-Results: mx.google.com;
dkim=pass header.d=example.com;
spf=pass smtp.mailfrom=example.com;
dmarc=pass
SPF Record Lookup
dig TXT example.com | grep "v=spf1"
# v=spf1 include:_spf.google.com ~all
SPF Results
| Result | Meaning |
|---|---|
pass |
Authorized sender |
fail |
Unauthorized (reject) |
softfail |
Unauthorized (accept with mark) |
neutral |
No assertion |
none |
No SPF record |
DKIM Verification
opendkim-testkey -d example.com -s selector -vvv
DMARC Record
dig TXT _dmarc.example.com
# v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Microsoft Defender for Office 365 API
Get email threat assessment
POST https://graph.microsoft.com/v1.0/informationProtection/threatAssessmentRequests
Authorization: Bearer {token}
{
"contentType": "mail",
"expectedAssessment": "block",
"category": "phishing",
"mailInfo": {
"internetMessageId": "<message-id>"
}
}
Proofpoint TAP API
Get blocked messages
GET https://tap-api-v2.proofpoint.com/v2/siem/messages/blocked
?sinceSeconds=3600
Authorization: Basic {base64_credentials}
Response Fields
| Field | Description |
|---|---|
spamScore |
Spam confidence (0-100) |
phishScore |
Phishing confidence (0-100) |
threatsInfoMap |
Threat details array |
fromAddress |
Envelope sender |
Mimecast API — URL Protection
Decode Mimecast URL
POST https://api.mimecast.com/api/ttp/url/decode-url
Authorization: MC {access-key}:{secret-key}
{
"data": [{"url": "https://protect.mimecast.com/..."}]
}