creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-campaign-attribution-evidence/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

3.1 KiB
Raw Blame History

API Reference: Campaign Attribution Evidence Analysis

Diamond Model of Intrusion Analysis

Four Core Features

Feature Description Attribution Value
Adversary Threat actor identity Direct attribution
Capability Malware, exploits, tools Indirect - shared tooling
Infrastructure C2, domains, IPs Strong - operational overlap
Victim Targets, sectors, regions Contextual - targeting pattern

Pivot Analysis

Adversary ←→ Capability ←→ Infrastructure ←→ Victim
    ↕              ↕              ↕              ↕
  (HUMINT)     (Malware DB)   (WHOIS/DNS)   (Victimology)

Analysis of Competing Hypotheses (ACH)

Matrix Format

Evidence \ Hypothesis  |  APT28  |  APT29  |  Lazarus  |  Unknown
-----------------------------------------------------------------
Infrastructure overlap  |   ++    |    -    |     -     |    N
TTP consistency        |   ++    |   ++    |     -     |    N
Malware similarity     |    +    |    -    |     -     |    N
Timing (UTC+3)         |   ++    |   ++    |     -     |    N
Language (Russian)     |   ++    |   ++    |     -     |    N

Scoring

Symbol Meaning Weight
++ Strongly consistent +2
+ Consistent +1
N Neutral 0
- Inconsistent -1
-- Strongly inconsistent -2

MITRE ATT&CK Group Queries

Python (mitreattack-python)

from mitreattack.stix20 import MitreAttackData
attack = MitreAttackData("enterprise-attack.json")
group = attack.get_group_by_alias("APT29")
techniques = attack.get_techniques_used_by_group(group.id)

STIX2 Relationship Query

from stix2 import Filter
relationships = src.query([
    Filter("type", "=", "relationship"),
    Filter("source_ref", "=", group_id),
    Filter("relationship_type", "=", "uses"),
])

Infrastructure Overlap Tools

PassiveTotal / RiskIQ

# WHOIS history
curl -u user:key "https://api.passivetotal.org/v2/whois?query=domain.com"

# Passive DNS
curl -u user:key "https://api.passivetotal.org/v2/dns/passive?query=1.2.3.4"

VirusTotal Relations

curl -H "x-apikey: KEY" \
  "https://www.virustotal.com/api/v3/domains/example.com/communicating_files"

Confidence Assessment Framework

Level Score Range Criteria
HIGH 0.8-1.0 Multiple independent evidence types converge
MEDIUM 0.5-0.8 Significant evidence with some gaps
LOW 0.2-0.5 Limited evidence, alternative hypotheses remain
NEGLIGIBLE 0.0-0.2 Insufficient evidence for attribution

STIX Attribution Objects

Campaign Object

{
  "type": "campaign",
  "name": "Operation DarkShadow",
  "first_seen": "2024-01-15T00:00:00Z",
  "last_seen": "2024-03-20T00:00:00Z",
  "objective": "Espionage targeting defense sector"
}

Attribution Relationship

{
  "type": "relationship",
  "relationship_type": "attributed-to",
  "source_ref": "campaign--abc123",
  "target_ref": "intrusion-set--def456",
  "confidence": 75
}
Reference in New Issue View Git Blame Copy Permalink