mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
5.2 KiB
5.2 KiB
API Reference — Detecting Ransomware Precursors in Network Traffic
Zeek (Bro) Log Fields
conn.log
| Field | Type | Description |
|---|---|---|
ts |
time | Connection start timestamp (Unix epoch) |
id.orig_h |
addr | Source IP address |
id.orig_p |
port | Source port |
id.resp_h |
addr | Destination IP address |
id.resp_p |
port | Destination port |
proto |
enum | Transport protocol (tcp/udp/icmp) |
orig_bytes |
count | Bytes sent by originator |
resp_bytes |
count | Bytes sent by responder |
conn_state |
string | Connection state (SF=normal, S0=no reply, REJ=rejected) |
duration |
interval | Duration of connection |
smb_files.log
| Field | Type | Description |
|---|---|---|
action |
enum | SMB action (SMB_FILE_OPEN, SMB_FILE_WRITE, SMB_FILE_DELETE) |
path |
string | Full UNC path accessed |
name |
string | Filename |
size |
count | File size in bytes |
id.orig_h |
addr | Source host (accessor) |
id.resp_h |
addr | Target host |
kerberos.log
| Field | Type | Description |
|---|---|---|
request_type |
string | KRB_AS_REQ, KRB_TGS_REQ |
client |
string | Client principal |
service |
string | Service principal (SPN) |
success |
bool | Whether request succeeded |
error_msg |
string | Error type (e.g., KDC_ERR_PREAUTH_REQUIRED) |
Suricata CLI
Start in IDS mode
suricata -c /etc/suricata/suricata.yaml -i eth0
Start in IPS mode (NFQUEUE)
suricata -c /etc/suricata/suricata.yaml -q 0
# Configure iptables to send traffic to NFQUEUE:
iptables -I FORWARD -j NFQUEUE --queue-num 0
Run on pcap file
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/
Update rules with suricata-update
suricata-update # Update all enabled sources
suricata-update list-sources # List available rule sources
suricata-update enable-source et/open # Enable Emerging Threats Open
suricata-update enable-source ptresearch/attackdetection # PT Research rules
suricata-update update-sources # Refresh source index
suricata-update --no-reload # Update without live reload
Reload rules without restart
kill -USR2 $(pidof suricata)
# Or via Unix socket:
suricatasc -c reload-rules
Query eve.json for alerts
# Ransomware-related alerts in last hour
jq 'select(.event_type=="alert") | select(.alert.signature | test("ransomware|cobalt|mimikatz|psexec";"i"))' \
/var/log/suricata/eve.json | jq -r '[.timestamp,.src_ip,.dest_ip,.alert.signature] | @tsv'
# Top 10 alert signatures
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | \
sort | uniq -c | sort -rn | head -10
RITA (Real Intelligence Threat Analytics)
Import Zeek logs and analyze
rita import --input /var/log/zeek/current/ --database my_network
rita analyze my_network
Beacon detection output
rita show-beacons my_network --human-readable
# Columns: Score | Source | Dest | Connections | Avg Bytes | TS Delta
# Score 0.9+ = high confidence beacon
DNS tunneling detection
rita show-exploded-dns my_network | head -20
rita show-long-connections my_network --human-readable
Splunk SPL — Ransomware Precursor Queries
Internal lateral movement via SMB/RDP/WinRM
index=zeek sourcetype=zeek_conn
id.resp_p IN (445, 135, 3389, 5985, 5986)
id.orig_h IN 10.0.0.0/8
id.resp_h IN 10.0.0.0/8
| stats dc(id.resp_h) as targets count as conns by id.orig_h
| where targets >= 10
| sort -targets
Detect beaconing (regular connection intervals)
index=zeek sourcetype=zeek_conn
| bucket _time span=1m
| stats count as conns by id.orig_h, id.resp_h, id.resp_p, _time
| stats stdev(conns) as jitter avg(conns) as avg_conns count as minutes
by id.orig_h, id.resp_h, id.resp_p
| where minutes > 10 AND jitter < 2 AND avg_conns > 0
| eval beacon_score = round(1 - (jitter / (avg_conns + 0.001)), 2)
| where beacon_score > 0.8
| sort -beacon_score
abuse.ch Threat Intelligence Feeds
Feodo Tracker (C2 IPs — Cobalt Strike, BazarLoader)
# CSV format: first_seen,dst_ip,dst_port,c2_status,malware
curl -s https://feodotracker.abuse.ch/downloads/ipblocklist.csv | \
grep -v "^#" | awk -F, '{print $2}' > /tmp/c2_ips.txt
ThreatFox IOC API
# Query recent ransomware IOCs
curl -s -X POST https://threatfox-api.abuse.ch/api/v1/ \
-H "Content-Type: application/json" \
-d '{"query":"get_iocs","days":7,"tag":"ransomware"}' | \
jq '.data[] | [.ioc_value,.ioc_type,.malware,.confidence_level] | @tsv' -r
MITRE ATT&CK Ransomware Precursor Techniques
| Technique | ID | Network Indicator |
|---|---|---|
| Remote Services: SMB/WMI | T1021.002 | SMB port 445 traffic to many hosts |
| OS Credential Dumping: DCSync | T1003.006 | DRS GetNCChanges from non-DC |
| Kerberoasting | T1558.003 | TGS-REQ for many SPNs |
| Command & Control | T1071.001 | Regular HTTPS beaconing |
| Lateral Tool Transfer | T1570 | Large SMB file writes across hosts |
| Network Service Scanning | T1046 | Port sweeps on 445/3389/135 |