Files
Anthropic-Cybersecurity-Skills/skills/detecting-ransomware-precursors-in-network/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

5.2 KiB

API Reference — Detecting Ransomware Precursors in Network Traffic

Zeek (Bro) Log Fields

conn.log

Field Type Description
ts time Connection start timestamp (Unix epoch)
id.orig_h addr Source IP address
id.orig_p port Source port
id.resp_h addr Destination IP address
id.resp_p port Destination port
proto enum Transport protocol (tcp/udp/icmp)
orig_bytes count Bytes sent by originator
resp_bytes count Bytes sent by responder
conn_state string Connection state (SF=normal, S0=no reply, REJ=rejected)
duration interval Duration of connection

smb_files.log

Field Type Description
action enum SMB action (SMB_FILE_OPEN, SMB_FILE_WRITE, SMB_FILE_DELETE)
path string Full UNC path accessed
name string Filename
size count File size in bytes
id.orig_h addr Source host (accessor)
id.resp_h addr Target host

kerberos.log

Field Type Description
request_type string KRB_AS_REQ, KRB_TGS_REQ
client string Client principal
service string Service principal (SPN)
success bool Whether request succeeded
error_msg string Error type (e.g., KDC_ERR_PREAUTH_REQUIRED)

Suricata CLI

Start in IDS mode

suricata -c /etc/suricata/suricata.yaml -i eth0

Start in IPS mode (NFQUEUE)

suricata -c /etc/suricata/suricata.yaml -q 0
# Configure iptables to send traffic to NFQUEUE:
iptables -I FORWARD -j NFQUEUE --queue-num 0

Run on pcap file

suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/

Update rules with suricata-update

suricata-update                          # Update all enabled sources
suricata-update list-sources             # List available rule sources
suricata-update enable-source et/open    # Enable Emerging Threats Open
suricata-update enable-source ptresearch/attackdetection  # PT Research rules
suricata-update update-sources           # Refresh source index
suricata-update --no-reload              # Update without live reload

Reload rules without restart

kill -USR2 $(pidof suricata)
# Or via Unix socket:
suricatasc -c reload-rules

Query eve.json for alerts

# Ransomware-related alerts in last hour
jq 'select(.event_type=="alert") | select(.alert.signature | test("ransomware|cobalt|mimikatz|psexec";"i"))' \
  /var/log/suricata/eve.json | jq -r '[.timestamp,.src_ip,.dest_ip,.alert.signature] | @tsv'

# Top 10 alert signatures
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | \
  sort | uniq -c | sort -rn | head -10

RITA (Real Intelligence Threat Analytics)

Import Zeek logs and analyze

rita import --input /var/log/zeek/current/ --database my_network
rita analyze my_network

Beacon detection output

rita show-beacons my_network --human-readable
# Columns: Score | Source | Dest | Connections | Avg Bytes | TS Delta
# Score 0.9+ = high confidence beacon

DNS tunneling detection

rita show-exploded-dns my_network | head -20
rita show-long-connections my_network --human-readable

Splunk SPL — Ransomware Precursor Queries

Internal lateral movement via SMB/RDP/WinRM

index=zeek sourcetype=zeek_conn
  id.resp_p IN (445, 135, 3389, 5985, 5986)
  id.orig_h IN 10.0.0.0/8
  id.resp_h IN 10.0.0.0/8
| stats dc(id.resp_h) as targets count as conns by id.orig_h
| where targets >= 10
| sort -targets

Detect beaconing (regular connection intervals)

index=zeek sourcetype=zeek_conn
| bucket _time span=1m
| stats count as conns by id.orig_h, id.resp_h, id.resp_p, _time
| stats stdev(conns) as jitter avg(conns) as avg_conns count as minutes
    by id.orig_h, id.resp_h, id.resp_p
| where minutes > 10 AND jitter < 2 AND avg_conns > 0
| eval beacon_score = round(1 - (jitter / (avg_conns + 0.001)), 2)
| where beacon_score > 0.8
| sort -beacon_score

abuse.ch Threat Intelligence Feeds

Feodo Tracker (C2 IPs — Cobalt Strike, BazarLoader)

# CSV format: first_seen,dst_ip,dst_port,c2_status,malware
curl -s https://feodotracker.abuse.ch/downloads/ipblocklist.csv | \
  grep -v "^#" | awk -F, '{print $2}' > /tmp/c2_ips.txt

ThreatFox IOC API

# Query recent ransomware IOCs
curl -s -X POST https://threatfox-api.abuse.ch/api/v1/ \
  -H "Content-Type: application/json" \
  -d '{"query":"get_iocs","days":7,"tag":"ransomware"}' | \
  jq '.data[] | [.ioc_value,.ioc_type,.malware,.confidence_level] | @tsv' -r

MITRE ATT&CK Ransomware Precursor Techniques

Technique ID Network Indicator
Remote Services: SMB/WMI T1021.002 SMB port 445 traffic to many hosts
OS Credential Dumping: DCSync T1003.006 DRS GetNCChanges from non-DC
Kerberoasting T1558.003 TGS-REQ for many SPNs
Command & Control T1071.001 Regular HTTPS beaconing
Lateral Tool Transfer T1570 Large SMB file writes across hosts
Network Service Scanning T1046 Port sweeps on 445/3389/135