mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00

Commit 27c6414ca5: Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

File size: 2.7 KiB
# API Reference: Cyber Kill Chain Analysis Tools

## Lockheed Martin Cyber Kill Chain Phases

| Phase | Name | MITRE ATT&CK Tactic |
|---|---|---|
| 1 | Reconnaissance | TA0043 Reconnaissance |
| 2 | Weaponization | TA0042 Resource Development |
| 3 | Delivery | TA0001 Initial Access |
| 4 | Exploitation | TA0002 Execution |
| 5 | Installation | TA0003 Persistence, TA0004 Privilege Escalation |
| 6 | Command & Control | TA0011 Command and Control |
| 7 | Actions on Objectives | TA0010 Exfiltration, TA0040 Impact |

## Courses of Action (COA) Matrix

| COA | Description |
|---|---|
| Detect | Alert on adversary activity |
| Deny | Prevent phase completion |
| Disrupt | Interrupt adversary mid-phase |
| Degrade | Reduce adversary effectiveness |
| Deceive | Expose activity via deception |
| Destroy | Neutralize adversary infrastructure |

## MITRE ATT&CK Navigator

### JSON Layer Format

```json
{
"name": "Kill Chain Coverage",
"versions": {"navigator": "4.8", "layer": "4.4", "attack": "13"},
"domain": "enterprise-attack",
"techniques": [
{"techniqueID": "T1566", "color": "#ff6666", "comment": "Phase 3: Delivery"}
]
}
```

### CLI Usage

```bash
# Export layer via ATT&CK Navigator API
curl -X POST https://mitre-attack.github.io/attack-navigator/api/layers \
  -d @layer.json -o coverage_map.svg
```
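The following script is an added example, not part of the original reference or the skill's own `scripts/agent.py`. It builds a Navigator layer in the format shown above from the phase-to-tactic table: every observed technique is coloured and annotated by the kill-chain phase its ATT&CK tactic maps to. The observed technique list, the colour palette and the output file name are constructed for illustration; the phase-to-tactic mapping and the T1566 colour are the ones on this page.

```python
"""Build an ATT&CK Navigator layer that colours techniques by Cyber Kill Chain phase.

Added example (not part of the original reference). The phase-to-tactic mapping
comes from the table above; the technique list, palette and file name are
constructed for illustration.
"""
import json

# Kill Chain phase -> (name, ATT&CK tactic IDs), from the mapping table above
PHASE_TACTICS = {
    1: ("Reconnaissance", ["TA0043"]),
    2: ("Weaponization", ["TA0042"]),
    3: ("Delivery", ["TA0001"]),
    4: ("Exploitation", ["TA0002"]),
    5: ("Installation", ["TA0003", "TA0004"]),
    6: ("Command & Control", ["TA0011"]),
    7: ("Actions on Objectives", ["TA0010", "TA0040"]),
}

# One colour per phase (constructed; phase 3 keeps the #ff6666 used in the sample layer)
PHASE_COLORS = {1: "#ffe0b2", 2: "#ffcc80", 3: "#ff6666", 4: "#ff8a65",
                5: "#ba68c8", 6: "#64b5f6", 7: "#e57373"}

# Constructed sample of observed techniques: technique ID -> tactic ID.
# In practice this comes from detections or a threat report.
OBSERVED = {
    "T1566": "TA0001",  # Phishing (Initial Access)
    "T1204": "TA0002",  # User Execution (Execution)
    "T1547": "TA0003",  # Boot or Logon Autostart Execution (Persistence)
    "T1071": "TA0011",  # Application Layer Protocol (Command and Control)
    "T1041": "TA0010",  # Exfiltration Over C2 Channel (Exfiltration)
}

# Reverse index: tactic ID -> kill-chain phase number
TACTIC_TO_PHASE = {t: phase for phase, (_, tactics) in PHASE_TACTICS.items() for t in tactics}


def phase_for_tactic(tactic_id):
    """Return the kill-chain phase number for an ATT&CK tactic, or None if unmapped."""
    return TACTIC_TO_PHASE.get(tactic_id)


def build_layer(observed, name="Kill Chain Coverage"):
    """Return a Navigator layer dict (layer format 4.4) with one entry per technique."""
    techniques = []
    for tech_id, tactic_id in sorted(observed.items()):
        phase = phase_for_tactic(tactic_id)
        if phase is None:
            continue  # tactic not in the kill-chain mapping: skip rather than guess
        phase_name = PHASE_TACTICS[phase][0]
        techniques.append({
            "techniqueID": tech_id,
            "color": PHASE_COLORS[phase],
            "comment": f"Phase {phase}: {phase_name}",
            "score": phase,  # numeric score lets Navigator's gradient/filters use the phase
        })
    return {
        "name": name,
        "versions": {"navigator": "4.8", "layer": "4.4", "attack": "13"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


def phases_covered(layer):
    """Return the sorted list of kill-chain phase numbers that have at least one technique."""
    return sorted({t["score"] for t in layer["techniques"]})


if __name__ == "__main__":
    layer = build_layer(OBSERVED)
    with open("coverage_layer.json", "w") as fh:  # constructed output path
        json.dump(layer, fh, indent=2)
    print("phases covered:", phases_covered(layer))
```

Load the resulting `coverage_layer.json` with Navigator's "Open Existing Layer" to see the phase colouring; `phases_covered()` is the quick check for gaps, since a phase with no observed technique usually means a visibility gap rather than adversary inactivity.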
## Splunk - Kill Chain Phase Queries

### Phase 3 Detection (Delivery)

```spl
index=email sourcetype=exchange action=delivered
| eval has_macro=if(match(attachment, "\.(docm|xlsm|pptm)$"), 1, 0)
| where has_macro=1
| stats count by sender, subject, attachment
```

### Phase 6 Detection (C2)

```spl
index=proxy OR index=firewall
| stats count AS connections, dc(dest) AS unique_dests by src_ip
| where connections > 100 AND unique_dests < 3
| sort - connections
```
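To show what the two SPL queries above actually compute, here is an added Python re-implementation (not from the original reference or the skill's own code) run over constructed email and proxy records. Field names mirror the SPL (`sender`, `subject`, `attachment`, `src_ip`, `dest`) and the thresholds are the Phase 6 query's. The regex is kept case-sensitive, as Splunk's `match()` is unless the pattern carries `(?i)`, which is why the constructed `q3.XLSM` attachment is not flagged.

```python
"""Plain-Python re-implementation of the two Splunk phase queries above.

Added example, not part of the original reference. Records are constructed;
field names follow the SPL (sender, subject, attachment, src_ip, dest).
"""
import re
from collections import Counter, defaultdict

# Phase 3: the same regex as the SPL match(); case-sensitive like Splunk's
# match() unless the pattern carries (?i)
MACRO_EXT = re.compile(r"\.(docm|xlsm|pptm)$")

# Constructed delivered-mail records (index=email action=delivered)
EMAIL_EVENTS = [
    {"sender": "hr@example.test", "subject": "Invoice 4471", "attachment": "invoice.docm"},
    {"sender": "hr@example.test", "subject": "Invoice 4471", "attachment": "invoice.docm"},
    {"sender": "it@example.test", "subject": "Policy update", "attachment": "policy.pdf"},
    {"sender": "fin@example.test", "subject": "Q3 figures", "attachment": "q3.XLSM"},
    {"sender": "fin@example.test", "subject": "Q3 figures", "attachment": "q3.xlsx"},
]


def macro_attachments(events):
    """Phase 3 (Delivery): `eval has_macro ... | where has_macro=1 | stats count by
    sender, subject, attachment`, returned as a dict keyed by that triple."""
    counts = Counter()
    for ev in events:
        if MACRO_EXT.search(ev.get("attachment", "")):
            counts[(ev["sender"], ev["subject"], ev["attachment"])] += 1
    return dict(counts)


def constructed_network_events():
    """Constructed (src_ip, dest) pairs: 10.0.0.5 beacons to two hosts 120 times,
    10.0.0.9 browses 150 distinct hosts, 10.0.0.7 talks to one host 50 times."""
    events = [("10.0.0.5", "203.0.113.10")] * 110 + [("10.0.0.5", "203.0.113.11")] * 10
    events += [("10.0.0.9", f"198.51.100.{i}") for i in range(1, 151)]
    events += [("10.0.0.7", "192.0.2.1")] * 50
    return events


def beaconing_hosts(events, min_connections=100, max_unique_dests=3):
    """Phase 6 (C2): `stats count AS connections, dc(dest) AS unique_dests by src_ip
    | where connections > 100 AND unique_dests < 3 | sort - connections`."""
    connections = Counter()
    dests = defaultdict(set)
    for src, dest in events:
        connections[src] += 1
        dests[src].add(dest)
    rows = [
        {"src_ip": src, "connections": n, "unique_dests": len(dests[src])}
        for src, n in connections.items()
        if n > min_connections and len(dests[src]) < max_unique_dests
    ]
    return sorted(rows, key=lambda r: r["connections"], reverse=True)


if __name__ == "__main__":
    for key, n in macro_attachments(EMAIL_EVENTS).items():
        print("macro attachment", key, "count", n)
    for row in beaconing_hosts(constructed_network_events()):
        print("possible beacon", row)
```

The beaconing heuristic is deliberately coarse: a host that only talks to one update server or an explicit proxy trips it just as readily, so in practice the destination list is filtered against known infrastructure before the result becomes an alert.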
## Elastic Security EQL

### Multi-Phase Detection

```eql
sequence by host.name with maxspan=1h
[process where event.action == "start" and process.name == "WINWORD.EXE"]
[process where event.action == "start" and process.parent.name == "WINWORD.EXE"]
  [network where destination.port == 443 and not destination.ip in ("known_good")]
```
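An added Python replay of the EQL sequence above (example code, not the original reference's or the skill's own): a simplified `sequence by host.name with maxspan=1h` matcher with the same three stages, run over constructed events. Stage 2 must follow stage 1 and stage 3 must follow stage 2 on the same host, all within one hour of the stage-1 event. The host names, timestamps and `KNOWN_GOOD` set are constructed; `KNOWN_GOOD` stands in for the `"known_good"` placeholder in the query.

```python
"""Replay the three-stage EQL sequence above over a constructed event stream.

Added example, not part of the original reference. It implements a simplified
`sequence by host.name with maxspan=1h`: per host, stage 2 must follow stage 1
and stage 3 must follow stage 2, all within one hour of the stage-1 event.
Events, host names and KNOWN_GOOD are constructed.
"""
from datetime import datetime, timedelta

# Stands in for the "known_good" placeholder in the query (constructed value)
KNOWN_GOOD = {"203.0.113.50"}
MAXSPAN = timedelta(hours=1)

# The three EQL stages as predicates over a flat event dict
STAGES = [
    lambda e: e["category"] == "process" and e["event.action"] == "start"
    and e["process.name"] == "WINWORD.EXE",
    lambda e: e["category"] == "process" and e["event.action"] == "start"
    and e.get("process.parent.name") == "WINWORD.EXE",
    lambda e: e["category"] == "network" and e.get("destination.port") == 443
    and e.get("destination.ip") not in KNOWN_GOOD,
]


def ev(host, minutes, category, **fields):
    """Constructed event helper; minutes is an offset from a fixed base time."""
    base = datetime(2024, 1, 1, 10, 0)
    return {"host.name": host, "@timestamp": base + timedelta(minutes=minutes),
            "category": category, **fields}


SAMPLE_EVENTS = [
    # ws-01: Word starts, spawns cmd.exe, then an outbound 443 connection -> match
    ev("ws-01", 0, "process", **{"event.action": "start", "process.name": "WINWORD.EXE"}),
    ev("ws-01", 5, "process", **{"event.action": "start", "process.name": "cmd.exe",
                                 "process.parent.name": "WINWORD.EXE"}),
    ev("ws-01", 6, "network", **{"destination.port": 443, "destination.ip": "198.51.100.7"}),
    # ws-02: same chain, but the 443 destination is known-good and the later
    # connection falls outside maxspan -> no match
    ev("ws-02", 0, "process", **{"event.action": "start", "process.name": "WINWORD.EXE"}),
    ev("ws-02", 5, "process", **{"event.action": "start", "process.name": "powershell.exe",
                                 "process.parent.name": "WINWORD.EXE"}),
    ev("ws-02", 6, "network", **{"destination.port": 443, "destination.ip": "203.0.113.50"}),
    ev("ws-02", 120, "network", **{"destination.port": 443, "destination.ip": "198.51.100.9"}),
    # ws-03: network activity with no preceding Word process -> no match
    ev("ws-03", 1, "network", **{"destination.port": 443, "destination.ip": "198.51.100.8"}),
]


def match_sequence(events, stages=STAGES, maxspan=MAXSPAN):
    """Return one list of matched events per completed sequence, grouped by host."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        by_host.setdefault(e["host.name"], []).append(e)
    results = []
    for evs in by_host.values():
        pending = []  # partial matches, each a list of the events matched so far
        for e in evs:
            for partial in list(pending):
                if e["@timestamp"] - partial[0]["@timestamp"] > maxspan:
                    pending.remove(partial)  # expired: outside maxspan of the first event
                    continue
                if stages[len(partial)](e):
                    partial.append(e)
                    if len(partial) == len(stages):
                        results.append(partial)
                        pending.remove(partial)
            if stages[0](e):
                pending.append([e])  # every stage-1 event opens a new candidate
    return results


if __name__ == "__main__":
    for seq in match_sequence(SAMPLE_EVENTS):
        print(seq[0]["host.name"], "->",
              [e.get("process.name") or e.get("destination.ip") for e in seq])
```

The `ws-02` case is the one worth keeping in mind when tuning: the `not destination.ip in (...)` exclusion and the `maxspan` window both suppress matches, so a known-good list that is too broad or a window that is too short silently drops real chains.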
## MISP - Kill Chain Tagging

### Galaxy Cluster Tags

```text
misp-galaxy:kill-chain="reconnaissance"
misp-galaxy:kill-chain="delivery"
misp-galaxy:kill-chain="exploitation"
misp-galaxy:kill-chain="installation"
misp-galaxy:kill-chain="command-and-control"
misp-galaxy:kill-chain="actions-on-objectives"
```

### PyMISP Event Tagging

```python
from pymisp import PyMISP, MISPEvent

# Connect to the MISP instance (replace the URL and API key with your own)
misp = PyMISP("https://misp.example.com", "API_KEY", ssl=True)

# A new event needs an info string before MISP will accept it
event = MISPEvent()
event.info = "Phishing campaign tagged by kill-chain phase"
event.add_tag("kill-chain:delivery")
event.add_tag("mitre-attack-pattern:T1566 - Phishing")

# add_event() creates the event; update_event() is only for events that already exist on the server
misp.add_event(event)
```