mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
82 lines
2.3 KiB
Markdown
82 lines
2.3 KiB
Markdown
# Fileless Malware Detection API Reference
|
|
|
|
## Windows Event IDs for Fileless Detection
|
|
|
|
| Event ID | Log | Description |
|
|
|----------|-----|-------------|
|
|
| 4104 | PowerShell Operational | Script Block Logging (full script content) |
|
|
| 4103 | PowerShell Operational | Module Logging |
|
|
| 1 | Sysmon | Process Creation with command line |
|
|
| 8 | Sysmon | CreateRemoteThread (injection) |
|
|
| 10 | Sysmon | ProcessAccess (injection prep) |
|
|
| 19/20/21 | Sysmon | WMI Event Filter/Consumer/Binding |
|
|
| 7045 | System | New service installed |
|
|
|
|
## python-evtx - Parse Windows Event Logs
|
|
|
|
```python
|
|
import Evtx.Evtx as evtx
|
|
|
|
with evtx.Evtx("Security.evtx") as log:
|
|
for record in log.records():
|
|
xml = record.xml()
|
|
if "<EventID>4104</EventID>" in xml:
|
|
print(record.timestamp(), xml[:500])
|
|
```
|
|
|
|
## Volatility 3 Commands
|
|
|
|
```bash
|
|
# Detect injected code (RWX memory, PE headers in non-image VADs)
|
|
vol3 -f memory.dmp windows.malfind
|
|
|
|
# List processes
|
|
vol3 -f memory.dmp windows.pslist
|
|
|
|
# Scan for hidden processes
|
|
vol3 -f memory.dmp windows.psscan
|
|
|
|
# List loaded DLLs
|
|
vol3 -f memory.dmp windows.dlllist --pid 1234
|
|
|
|
# Extract injected code
|
|
vol3 -f memory.dmp windows.malfind --dump --pid 1234
|
|
```
|
|
|
|
## LOLBins Detection Patterns (Sysmon)
|
|
|
|
```xml
|
|
<!-- Sysmon config for LOLBin monitoring -->
|
|
<RuleGroup groupRelation="or">
|
|
<ProcessCreate onmatch="include">
|
|
<Image condition="end with">mshta.exe</Image>
|
|
<Image condition="end with">regsvr32.exe</Image>
|
|
<Image condition="end with">certutil.exe</Image>
|
|
<Image condition="end with">wmic.exe</Image>
|
|
<Image condition="end with">cmstp.exe</Image>
|
|
<Image condition="end with">msbuild.exe</Image>
|
|
</ProcessCreate>
|
|
</RuleGroup>
|
|
```
|
|
|
|
## Suspicious PowerShell Indicators
|
|
|
|
```
|
|
-enc / -EncodedCommand → Base64-encoded command
|
|
IEX / Invoke-Expression → Dynamic code execution
|
|
Net.WebClient → Download cradle
|
|
DownloadString() → Remote script fetch
|
|
Reflection.Assembly → Reflective .NET loading
|
|
VirtualAlloc → Shellcode allocation
|
|
FromBase64String → Payload decoding
|
|
```
|
|
|
|
## WMI Persistence Check
|
|
|
|
```powershell
|
|
# List WMI event subscriptions
|
|
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
|
|
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
|
|
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
|
|
```
|