mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 19:55:16 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
159 lines
5.2 KiB
Markdown
159 lines
5.2 KiB
Markdown
# API Reference — Detecting Ransomware Precursors in Network Traffic
|
|
|
|
## Zeek (Bro) Log Fields
|
|
|
|
### conn.log
|
|
| Field | Type | Description |
|
|
|-------|------|-------------|
|
|
| `ts` | time | Connection start timestamp (Unix epoch) |
|
|
| `id.orig_h` | addr | Source IP address |
|
|
| `id.orig_p` | port | Source port |
|
|
| `id.resp_h` | addr | Destination IP address |
|
|
| `id.resp_p` | port | Destination port |
|
|
| `proto` | enum | Transport protocol (tcp/udp/icmp) |
|
|
| `orig_bytes` | count | Bytes sent by originator |
|
|
| `resp_bytes` | count | Bytes sent by responder |
|
|
| `conn_state` | string | Connection state (SF=normal, S0=no reply, REJ=rejected) |
|
|
| `duration` | interval | Duration of connection |
|
|
|
|
### smb_files.log
|
|
| Field | Type | Description |
|
|
|-------|------|-------------|
|
|
| `action` | enum | SMB action (SMB_FILE_OPEN, SMB_FILE_WRITE, SMB_FILE_DELETE) |
|
|
| `path` | string | Full UNC path accessed |
|
|
| `name` | string | Filename |
|
|
| `size` | count | File size in bytes |
|
|
| `id.orig_h` | addr | Source host (accessor) |
|
|
| `id.resp_h` | addr | Target host |
|
|
|
|
### kerberos.log
|
|
| Field | Type | Description |
|
|
|-------|------|-------------|
|
|
| `request_type` | string | KRB_AS_REQ, KRB_TGS_REQ |
|
|
| `client` | string | Client principal |
|
|
| `service` | string | Service principal (SPN) |
|
|
| `success` | bool | Whether request succeeded |
|
|
| `error_msg` | string | Error type (e.g., KDC_ERR_PREAUTH_REQUIRED) |
|
|
|
|
## Suricata CLI
|
|
|
|
### Start in IDS mode
|
|
```bash
|
|
suricata -c /etc/suricata/suricata.yaml -i eth0
|
|
```
|
|
|
|
### Start in IPS mode (NFQUEUE)
|
|
```bash
|
|
suricata -c /etc/suricata/suricata.yaml -q 0
|
|
# Configure iptables to send traffic to NFQUEUE:
|
|
iptables -I FORWARD -j NFQUEUE --queue-num 0
|
|
```
|
|
|
|
### Run on pcap file
|
|
```bash
|
|
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/
|
|
```
|
|
|
|
### Update rules with suricata-update
|
|
```bash
|
|
suricata-update # Update all enabled sources
|
|
suricata-update list-sources # List available rule sources
|
|
suricata-update enable-source et/open # Enable Emerging Threats Open
|
|
suricata-update enable-source ptresearch/attackdetection # PT Research rules
|
|
suricata-update update-sources # Refresh source index
|
|
suricata-update --no-reload # Update without live reload
|
|
```
|
|
|
|
### Reload rules without restart
|
|
```bash
|
|
kill -USR2 $(pidof suricata)
|
|
# Or via Unix socket:
|
|
suricatasc -c reload-rules
|
|
```
|
|
|
|
### Query eve.json for alerts
|
|
```bash
|
|
# Ransomware-related alerts in last hour
|
|
jq 'select(.event_type=="alert") | select(.alert.signature | test("ransomware|cobalt|mimikatz|psexec";"i"))' \
|
|
/var/log/suricata/eve.json | jq -r '[.timestamp,.src_ip,.dest_ip,.alert.signature] | @tsv'
|
|
|
|
# Top 10 alert signatures
|
|
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | \
|
|
sort | uniq -c | sort -rn | head -10
|
|
```
|
|
|
|
## RITA (Real Intelligence Threat Analytics)
|
|
|
|
### Import Zeek logs and analyze
|
|
```bash
|
|
rita import --input /var/log/zeek/current/ --database my_network
|
|
rita analyze my_network
|
|
```
|
|
|
|
### Beacon detection output
|
|
```bash
|
|
rita show-beacons my_network --human-readable
|
|
# Columns: Score | Source | Dest | Connections | Avg Bytes | TS Delta
|
|
# Score 0.9+ = high confidence beacon
|
|
```
|
|
|
|
### DNS tunneling detection
|
|
```bash
|
|
rita show-exploded-dns my_network | head -20
|
|
rita show-long-connections my_network --human-readable
|
|
```
|
|
|
|
## Splunk SPL — Ransomware Precursor Queries
|
|
|
|
### Internal lateral movement via SMB/RDP/WinRM
|
|
```spl
|
|
index=zeek sourcetype=zeek_conn
|
|
id.resp_p IN (445, 135, 3389, 5985, 5986)
|
|
id.orig_h IN 10.0.0.0/8
|
|
id.resp_h IN 10.0.0.0/8
|
|
| stats dc(id.resp_h) as targets count as conns by id.orig_h
|
|
| where targets >= 10
|
|
| sort -targets
|
|
```
|
|
|
|
### Detect beaconing (regular connection intervals)
|
|
```spl
|
|
index=zeek sourcetype=zeek_conn
|
|
| bucket _time span=1m
|
|
| stats count as conns by id.orig_h, id.resp_h, id.resp_p, _time
|
|
| stats stdev(conns) as jitter avg(conns) as avg_conns count as minutes
|
|
by id.orig_h, id.resp_h, id.resp_p
|
|
| where minutes > 10 AND jitter < 2 AND avg_conns > 0
|
|
| eval beacon_score = round(1 - (jitter / (avg_conns + 0.001)), 2)
|
|
| where beacon_score > 0.8
|
|
| sort -beacon_score
|
|
```
|
|
|
|
## abuse.ch Threat Intelligence Feeds
|
|
|
|
### Feodo Tracker (C2 IPs — Cobalt Strike, BazarLoader)
|
|
```bash
|
|
# CSV format: first_seen,dst_ip,dst_port,c2_status,malware
|
|
curl -s https://feodotracker.abuse.ch/downloads/ipblocklist.csv | \
|
|
grep -v "^#" | awk -F, '{print $2}' > /tmp/c2_ips.txt
|
|
```
|
|
|
|
### ThreatFox IOC API
|
|
```bash
|
|
# Query recent ransomware IOCs
|
|
curl -s -X POST https://threatfox-api.abuse.ch/api/v1/ \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"query":"get_iocs","days":7,"tag":"ransomware"}' | \
|
|
jq '.data[] | [.ioc_value,.ioc_type,.malware,.confidence_level] | @tsv' -r
|
|
```
|
|
|
|
## MITRE ATT&CK Ransomware Precursor Techniques
|
|
| Technique | ID | Network Indicator |
|
|
|-----------|----|-------------------|
|
|
| Remote Services: SMB/WMI | T1021.002 | SMB port 445 traffic to many hosts |
|
|
| OS Credential Dumping: DCSync | T1003.006 | DRS GetNCChanges from non-DC |
|
|
| Kerberoasting | T1558.003 | TGS-REQ for many SPNs |
|
|
| Command & Control | T1071.001 | Regular HTTPS beaconing |
|
|
| Lateral Tool Transfer | T1570 | Large SMB file writes across hosts |
|
|
| Network Service Scanning | T1046 | Port sweeps on 445/3389/135 |
|