mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-13 06:34:57 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
186 lines
7.6 KiB
Python
186 lines
7.6 KiB
Python
#!/usr/bin/env python3
|
|
"""Golden Ticket Detection Agent - Detects forged Kerberos TGTs via Event 4624/4672/4768 analysis."""
|
|
|
|
import json
|
|
import logging
|
|
import argparse
|
|
from collections import defaultdict
|
|
from datetime import datetime
|
|
|
|
from Evtx.Evtx import FileHeader
|
|
from lxml import etree
|
|
|
|
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
|
|
logger = logging.getLogger(__name__)
|
|
|
|
NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}
|
|
|
|
ADMIN_PRIVILEGES = [
|
|
"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
|
|
"SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
|
|
"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
|
|
]
|
|
|
|
|
|
def parse_event_data(root):
|
|
"""Extract EventData fields from an EVTX XML record."""
|
|
data = {}
|
|
for elem in root.findall(".//evt:EventData/evt:Data", NS):
|
|
data[elem.get("Name", "")] = elem.text or ""
|
|
time_elem = root.find(".//evt:System/evt:TimeCreated", NS)
|
|
data["_timestamp"] = time_elem.get("SystemTime", "") if time_elem is not None else ""
|
|
return data
|
|
|
|
|
|
def parse_security_events(evtx_path):
|
|
"""Parse Event IDs 4624, 4672, and 4768 from Security EVTX."""
|
|
events = {"4624": [], "4672": [], "4768": []}
|
|
target_ids = {"4624", "4672", "4768"}
|
|
with open(evtx_path, "rb") as f:
|
|
fh = FileHeader(f)
|
|
for record in fh.records():
|
|
try:
|
|
xml = record.xml()
|
|
root = etree.fromstring(xml.encode("utf-8"))
|
|
eid_elem = root.find(".//evt:System/evt:EventID", NS)
|
|
if eid_elem is None or eid_elem.text not in target_ids:
|
|
continue
|
|
data = parse_event_data(root)
|
|
events[eid_elem.text].append(data)
|
|
except Exception:
|
|
continue
|
|
for eid, evts in events.items():
|
|
logger.info("Parsed %d events for Event ID %s", len(evts), eid)
|
|
return events
|
|
|
|
|
|
def detect_orphan_logons(events):
|
|
"""Detect Kerberos logons (4624) with no corresponding TGT request (4768)."""
|
|
tgt_accounts = {e.get("TargetUserName", "").lower() for e in events["4768"]}
|
|
orphan_logons = []
|
|
for logon in events["4624"]:
|
|
if logon.get("AuthenticationPackageName", "") == "Kerberos":
|
|
account = logon.get("TargetUserName", "").lower()
|
|
if account and account not in tgt_accounts and not account.endswith("$"):
|
|
orphan_logons.append({
|
|
"timestamp": logon["_timestamp"],
|
|
"account": logon.get("TargetUserName", ""),
|
|
"source_ip": logon.get("IpAddress", ""),
|
|
"logon_type": logon.get("LogonType", ""),
|
|
"workstation": logon.get("WorkstationName", ""),
|
|
"indicator": "Kerberos logon without TGT request (possible golden ticket)",
|
|
})
|
|
logger.info("Found %d orphan Kerberos logons", len(orphan_logons))
|
|
return orphan_logons
|
|
|
|
|
|
def detect_anomalous_privileges(events, known_admins=None):
|
|
"""Detect non-admin accounts receiving admin privileges (Event 4672)."""
|
|
if known_admins is None:
|
|
known_admins = set()
|
|
anomalous = []
|
|
for priv_event in events["4672"]:
|
|
account = priv_event.get("SubjectUserName", "")
|
|
privileges = priv_event.get("PrivilegeList", "")
|
|
if account.lower() not in known_admins and not account.endswith("$"):
|
|
admin_privs = [p for p in ADMIN_PRIVILEGES if p in privileges]
|
|
if admin_privs:
|
|
anomalous.append({
|
|
"timestamp": priv_event["_timestamp"],
|
|
"account": account,
|
|
"domain": priv_event.get("SubjectDomainName", ""),
|
|
"admin_privileges": admin_privs,
|
|
"indicator": "Non-admin account with admin privileges (golden ticket indicator)",
|
|
})
|
|
logger.info("Found %d anomalous privilege assignments", len(anomalous))
|
|
return anomalous
|
|
|
|
|
|
def detect_abnormal_tgt_patterns(events):
|
|
"""Detect TGT requests with abnormal encryption types or patterns."""
|
|
account_tgts = defaultdict(list)
|
|
for tgt in events["4768"]:
|
|
account = tgt.get("TargetUserName", "")
|
|
account_tgts[account].append(tgt)
|
|
anomalies = []
|
|
for account, tgts in account_tgts.items():
|
|
if account.endswith("$"):
|
|
continue
|
|
rc4_tgts = [t for t in tgts if t.get("TicketEncryptionType", "") in ("0x17", "0x18")]
|
|
if rc4_tgts and len(rc4_tgts) > len(tgts) * 0.5:
|
|
anomalies.append({
|
|
"account": account,
|
|
"total_tgts": len(tgts),
|
|
"rc4_tgts": len(rc4_tgts),
|
|
"indicator": "Majority RC4 TGT requests (possible ticket forging)",
|
|
})
|
|
logger.info("Found %d accounts with abnormal TGT patterns", len(anomalies))
|
|
return anomalies
|
|
|
|
|
|
def detect_logon_privilege_correlation(events):
|
|
"""Correlate logon events with privilege assignments for timeline analysis."""
|
|
priv_accounts = defaultdict(list)
|
|
for priv in events["4672"]:
|
|
account = priv.get("SubjectUserName", "").lower()
|
|
priv_accounts[account].append(priv["_timestamp"])
|
|
logon_accounts = defaultdict(list)
|
|
for logon in events["4624"]:
|
|
account = logon.get("TargetUserName", "").lower()
|
|
logon_accounts[account].append({
|
|
"timestamp": logon["_timestamp"],
|
|
"source_ip": logon.get("IpAddress", ""),
|
|
"logon_type": logon.get("LogonType", ""),
|
|
})
|
|
correlations = []
|
|
for account in priv_accounts:
|
|
if account in logon_accounts and not account.endswith("$"):
|
|
correlations.append({
|
|
"account": account,
|
|
"privilege_events": len(priv_accounts[account]),
|
|
"logon_events": len(logon_accounts[account]),
|
|
"source_ips": list({l["source_ip"] for l in logon_accounts[account]}),
|
|
})
|
|
return correlations
|
|
|
|
|
|
def generate_report(orphan_logons, priv_anomalies, tgt_anomalies, correlations):
|
|
"""Generate golden ticket detection report."""
|
|
total = len(orphan_logons) + len(priv_anomalies) + len(tgt_anomalies)
|
|
severity = "Critical" if orphan_logons and priv_anomalies else "High" if total > 0 else "Low"
|
|
report = {
|
|
"timestamp": datetime.utcnow().isoformat(),
|
|
"severity": severity,
|
|
"orphan_kerberos_logons": orphan_logons[:20],
|
|
"anomalous_privilege_assignments": priv_anomalies[:20],
|
|
"abnormal_tgt_patterns": tgt_anomalies,
|
|
"logon_privilege_correlations": correlations[:20],
|
|
"total_indicators": total,
|
|
}
|
|
print(f"GOLDEN TICKET DETECTION: {total} indicators, Severity: {severity}")
|
|
return report
|
|
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(description="Golden Ticket Detection Agent")
|
|
parser.add_argument("--evtx-file", required=True, help="Path to Security EVTX file")
|
|
parser.add_argument("--known-admins", nargs="*", default=[], help="Known admin account names")
|
|
parser.add_argument("--output", default="golden_ticket_report.json")
|
|
args = parser.parse_args()
|
|
|
|
events = parse_security_events(args.evtx_file)
|
|
known_admins = {a.lower() for a in args.known_admins}
|
|
orphan_logons = detect_orphan_logons(events)
|
|
priv_anomalies = detect_anomalous_privileges(events, known_admins)
|
|
tgt_anomalies = detect_abnormal_tgt_patterns(events)
|
|
correlations = detect_logon_privilege_correlation(events)
|
|
|
|
report = generate_report(orphan_logons, priv_anomalies, tgt_anomalies, correlations)
|
|
with open(args.output, "w") as f:
|
|
json.dump(report, f, indent=2)
|
|
logger.info("Report saved to %s", args.output)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|