mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-14 06:54:57 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
111 lines
3.1 KiB
Markdown
111 lines
3.1 KiB
Markdown
# API Reference: Campaign Attribution Evidence Analysis
|
|
|
|
## Diamond Model of Intrusion Analysis
|
|
|
|
### Four Core Features
|
|
| Feature | Description | Attribution Value |
|
|
|---------|-------------|-------------------|
|
|
| Adversary | Threat actor identity | Direct attribution |
|
|
| Capability | Malware, exploits, tools | Indirect - shared tooling |
|
|
| Infrastructure | C2, domains, IPs | Strong - operational overlap |
|
|
| Victim | Targets, sectors, regions | Contextual - targeting pattern |
|
|
|
|
### Pivot Analysis
|
|
```
|
|
Adversary ←→ Capability ←→ Infrastructure ←→ Victim
|
|
↕ ↕ ↕ ↕
|
|
(HUMINT) (Malware DB) (WHOIS/DNS) (Victimology)
|
|
```
|
|
|
|
## Analysis of Competing Hypotheses (ACH)
|
|
|
|
### Matrix Format
|
|
```
|
|
Evidence \ Hypothesis | APT28 | APT29 | Lazarus | Unknown
|
|
-----------------------------------------------------------------
|
|
Infrastructure overlap | ++ | - | - | N
|
|
TTP consistency | ++ | ++ | - | N
|
|
Malware similarity | + | - | - | N
|
|
Timing (UTC+3) | ++ | ++ | - | N
|
|
Language (Russian) | ++ | ++ | - | N
|
|
```
|
|
|
|
### Scoring
|
|
| Symbol | Meaning | Weight |
|
|
|--------|---------|--------|
|
|
| `++` | Strongly consistent | +2 |
|
|
| `+` | Consistent | +1 |
|
|
| `N` | Neutral | 0 |
|
|
| `-` | Inconsistent | -1 |
|
|
| `--` | Strongly inconsistent | -2 |
|
|
|
|
## MITRE ATT&CK Group Queries
|
|
|
|
### Python (mitreattack-python)
|
|
```python
|
|
from mitreattack.stix20 import MitreAttackData
|
|
attack = MitreAttackData("enterprise-attack.json")
|
|
group = attack.get_group_by_alias("APT29")
|
|
techniques = attack.get_techniques_used_by_group(group.id)
|
|
```
|
|
|
|
### STIX2 Relationship Query
|
|
```python
|
|
from stix2 import Filter
|
|
relationships = src.query([
|
|
Filter("type", "=", "relationship"),
|
|
Filter("source_ref", "=", group_id),
|
|
Filter("relationship_type", "=", "uses"),
|
|
])
|
|
```
|
|
|
|
## Infrastructure Overlap Tools
|
|
|
|
### PassiveTotal / RiskIQ
|
|
```bash
|
|
# WHOIS history
|
|
curl -u user:key "https://api.passivetotal.org/v2/whois?query=domain.com"
|
|
|
|
# Passive DNS
|
|
curl -u user:key "https://api.passivetotal.org/v2/dns/passive?query=1.2.3.4"
|
|
```
|
|
|
|
### VirusTotal Relations
|
|
```bash
|
|
curl -H "x-apikey: KEY" \
|
|
"https://www.virustotal.com/api/v3/domains/example.com/communicating_files"
|
|
```
|
|
|
|
## Confidence Assessment Framework
|
|
|
|
| Level | Score Range | Criteria |
|
|
|-------|------------|---------|
|
|
| HIGH | 0.8-1.0 | Multiple independent evidence types converge |
|
|
| MEDIUM | 0.5-0.8 | Significant evidence with some gaps |
|
|
| LOW | 0.2-0.5 | Limited evidence, alternative hypotheses remain |
|
|
| NEGLIGIBLE | 0.0-0.2 | Insufficient evidence for attribution |
|
|
|
|
## STIX Attribution Objects
|
|
|
|
### Campaign Object
|
|
```json
|
|
{
|
|
"type": "campaign",
|
|
"name": "Operation DarkShadow",
|
|
"first_seen": "2024-01-15T00:00:00Z",
|
|
"last_seen": "2024-03-20T00:00:00Z",
|
|
"objective": "Espionage targeting defense sector"
|
|
}
|
|
```
|
|
|
|
### Attribution Relationship
|
|
```json
|
|
{
|
|
"type": "relationship",
|
|
"relationship_type": "attributed-to",
|
|
"source_ref": "campaign--abc123",
|
|
"target_ref": "intrusion-set--def456",
|
|
"confidence": 75
|
|
}
|
|
```
|