mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 20:25:18 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
2.7 KiB
2.7 KiB
Workflows: Analyzing Phishing Email Headers
Workflow 1: Rapid Header Triage
START: Suspicious email reported
|
v
[Extract raw headers from email client]
|
v
[Check Authentication-Results header]
|
+-- SPF=pass, DKIM=pass, DMARC=pass --> Lower suspicion, check content
|
+-- Any FAIL --> High suspicion
|
v
[Compare From vs Return-Path vs Reply-To]
|
+-- All match --> Check Received chain
+-- Mismatch --> LIKELY PHISHING - escalate
|
v
[Document findings, block sender, alert SOC]
Workflow 2: Full Header Forensic Analysis
Phase 1: Collection
- Obtain raw email source (.eml file or copy full headers)
- Preserve original message with headers as evidence
- Calculate hash of original .eml file for chain of custody
Phase 2: Authentication Analysis
- Extract SPF result from Authentication-Results
- Verify SPF by querying sender domain's TXT record:
dig TXT _spf.example.com - Extract DKIM result and verify signature domain
- Check DMARC alignment (identifier alignment between SPF/DKIM and From domain)
- Document all authentication pass/fail results
Phase 3: Route Analysis
- Parse all Received headers (bottom to top)
- For each hop:
- Extract server hostname and IP
- Note timestamp
- Calculate time delta between hops
- Flag any:
- Unexpected relay servers
- Geographic anomalies (IP in unexpected country)
- Excessive delays (possible queuing for mass send)
- Internal-only hostnames appearing in external mail
Phase 4: Sender Investigation
- WHOIS lookup on sending domain
- Domain age < 30 days = high risk
- Registrar known for abuse = medium risk
- Reverse DNS on originating IP
- AbuseIPDB / VirusTotal lookup on originating IP
- Check if sending domain appears in known phishing feeds
Phase 5: Indicator Extraction
- Extract all URLs from message body and headers
- Extract all IP addresses from Received chain
- Extract domain names from all relevant fields
- Create IOC list for threat intelligence platform
Workflow 3: Automated Pipeline
Email received --> MTA logs header -->
SIEM ingestion -->
Automated header parsing -->
Authentication check -->
IF fail: Create alert + enrich with TI -->
SOC analyst review -->
Confirm/dismiss -->
IF confirmed: Block + hunt similar
Decision Matrix
| Authentication | Route | Sender Rep | Action |
|---|---|---|---|
| All Pass | Normal | Good | Deliver normally |
| SPF Fail | Normal | Good | Quarantine, investigate |
| DKIM Fail | Normal | Unknown | Quarantine, investigate |
| DMARC Fail | Anomalous | Bad | Block, create IOC |
| All Fail | Anomalous | Bad | Block, escalate, hunt |