mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
52 lines
2.1 KiB
Markdown
52 lines
2.1 KiB
Markdown
# API Reference: Hunting Advanced Persistent Threats
|
|
|
|
## Libraries
|
|
|
|
### attackcti (MITRE ATT&CK CTI Library)
|
|
- **Install**: `pip install attackcti`
|
|
- **Docs**: https://attackcti.readthedocs.io/
|
|
- `attack_client()` -- Initialize the ATT&CK STIX/TAXII client
|
|
- `get_groups()` -- Retrieve all threat actor groups from ATT&CK
|
|
- `get_techniques_used_by_group(group)` -- Get techniques mapped to a specific group
|
|
- `get_techniques()` -- List all ATT&CK techniques
|
|
- `get_mitigations()` -- List all mitigations
|
|
|
|
### mitreattack-python (ATT&CK STIX Data)
|
|
- **Install**: `pip install mitreattack-python`
|
|
- **Docs**: https://mitreattack-python.readthedocs.io/
|
|
- `MitreAttackData(stix_filepath)` -- Load ATT&CK STIX bundle
|
|
- `get_groups()` -- All threat groups
|
|
- `get_techniques_used_by_group(group_stix_id)` -- Techniques per group
|
|
- `get_attack_campaigns()` -- Known campaigns
|
|
|
|
### osquery
|
|
- **Docs**: https://osquery.readthedocs.io/
|
|
- `scheduled_tasks` -- Windows scheduled tasks table
|
|
- `processes` -- Running process information
|
|
- `process_open_sockets` -- Network connections per process
|
|
- `autoexec` -- Auto-start execution points
|
|
- `file` -- File metadata queries
|
|
|
|
## Key ATT&CK Technique IDs
|
|
|
|
| ID | Name | Relevance |
|
|
|----|------|-----------|
|
|
| T1059 | Command and Scripting Interpreter | Process-based hunting |
|
|
| T1053 | Scheduled Task/Job | Persistence detection |
|
|
| T1071 | Application Layer Protocol | C2 communication |
|
|
| T1055 | Process Injection | In-memory threats |
|
|
| T1003 | OS Credential Dumping | Credential theft |
|
|
| T1566 | Phishing | Initial access vector |
|
|
| T1218 | Signed Binary Proxy Execution | Defense evasion |
|
|
|
|
## Sigma Rule Format
|
|
- **Spec**: https://sigmahq.io/docs/basics/rules.html
|
|
- Fields: `title`, `status`, `logsource`, `detection`, `level`
|
|
- Converters: `sigma-cli` converts to Splunk SPL, Elastic EQL, Sentinel KQL
|
|
|
|
## External References
|
|
- MITRE ATT&CK Groups: https://attack.mitre.org/groups/
|
|
- ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
|
|
- Velociraptor VQL: https://docs.velociraptor.app/docs/vql/
|
|
- Zeek Documentation: https://docs.zeek.org/en/current/
|