mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 10:03:42 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.2 KiB
2.2 KiB
API Reference: Agent Tesla RAT Configuration Extraction
Agent Tesla Overview
- Type: .NET RAT / Information Stealer
- Exfiltration: SMTP, FTP, Telegram, HTTP POST
- Capabilities: Keylogging, clipboard, screenshots, credential theft
String Extraction
Python Regex for ASCII Strings
re.finditer(rb'[\x20-\x7e]{6,}', binary_data)
Wide Strings (UTF-16LE)
re.finditer(rb'(?:[\x20-\x7e]\x00){6,}', binary_data)
Configuration Indicators
SMTP Exfiltration
| Field | Pattern |
|---|---|
| Server | smtp.gmail.com, smtp.yandex.com |
| Port | 587, 465, 25 |
[\w.+-]+@[\w-]+\.[\w.]+ |
|
| Password | Base64 or XOR encoded |
FTP Exfiltration
| Field | Pattern |
|---|---|
| Server | ftp.\w+\.\w+ |
| URI | ftp://user:pass@host/path |
Telegram Bot
| Field | Pattern |
|---|---|
| Bot Token | \d{8,12}:[A-Za-z0-9_-]{35} |
| Chat ID | \d{9,13} |
| API URL | api.telegram.org/bot{token}/sendDocument |
.NET Decompilation
dnSpy
# Open sample in dnSpy
# Navigate to namespace: AgentTesla / WebMonitor / etc.
# Look for hardcoded credentials in static fields
ILSpy / dotPeek
Alternative .NET decompilers for config extraction.
YARA Rule
rule AgentTesla {
meta:
description = "Agent Tesla keylogger/RAT"
strings:
$smtp = "SmtpPort" ascii wide
$hook = "KeyboardHook" ascii wide
$clip = "GetClipboardData" ascii wide
$ns1 = "AgentTesla" ascii
$ns2 = "WebMonitor" ascii
condition:
uint16(0) == 0x5A4D and 3 of them
}
File Hashing
Python hashlib
import hashlib
sha256 = hashlib.sha256(open(path, 'rb').read()).hexdigest()
VirusTotal API — Sample Lookup
GET https://www.virustotal.com/api/v3/files/{sha256}
x-apikey: {API_KEY}
Response Fields
| Field | Description |
|---|---|
data.attributes.popular_threat_classification |
Malware family |
data.attributes.last_analysis_stats |
AV detection counts |
data.attributes.sandbox_verdicts |
Sandbox analysis results |
Sandbox Analysis
- ANY.RUN: Interactive analysis
- Hybrid Analysis: Automated report
- Joe Sandbox: Deep behavioral analysis