mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.7 KiB
1.7 KiB
API Reference: Hunting for Webshells in Web Servers
Shannon Entropy Calculation
import math
def shannon_entropy(data: bytes) -> float:
freq = {}
for byte in data:
freq[byte] = freq.get(byte, 0) + 1
length = len(data)
return -sum((c/length) * math.log2(c/length) for c in freq.values())
# Thresholds: > 5.5 suspicious, > 6.5 likely obfuscated
Webshell Detection Patterns
| Pattern | Language | Risk |
|---|---|---|
eval() |
PHP | HIGH |
base64_decode() |
PHP | HIGH |
system() / passthru() |
PHP | CRITICAL |
shell_exec() / exec() |
PHP | CRITICAL |
$_GET/$_POST + eval |
PHP | CRITICAL |
Runtime.getRuntime().exec |
JSP | CRITICAL |
Server.CreateObject |
ASP | HIGH |
YARA Rule for Webshells
rule webshell_php_generic {
meta:
description = "Generic PHP webshell"
strings:
$eval = "eval(" ascii nocase
$b64 = "base64_decode(" ascii nocase
$system = "system(" ascii nocase
$input = /\$_(GET|POST|REQUEST)\s*\[/ ascii
condition:
$input and ($eval or $b64 or $system)
}
File System Scanning
from pathlib import Path
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}
for f in Path("/var/www/html").rglob("*"):
if f.suffix.lower() in SCRIPT_EXTS:
entropy = shannon_entropy(f.read_bytes())
NeoPI (Webshell Detection Tool)
python neopi.py /var/www/html -a # Run all tests
# Tests: entropy, longest word, index of coincidence, signature
References
- MITRE T1505.003: https://attack.mitre.org/techniques/T1505/003/
- NeoPI: https://github.com/Neohapsis/NeoPI
- YARA: https://yara.readthedocs.io/