Mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git (synced 2026-06-13 06:34:57 +03:00)
# Workflows: Analyzing Malicious URLs with URLScan

## Workflow 1: URL Triage Pipeline

```text
Suspicious URL received (from user report / email gateway / SIEM)
    |
    v
[Step 1: Defang and document URL]
    +-- Replace http with hxxp, . with [.]
    +-- Record original context (email subject, sender, timestamp)
    |
    v
[Step 2: Submit to URLScan (private visibility)]
    +-- POST to /api/v1/scan/
    +-- Wait for scan completion (poll /api/v1/result/{uuid}/)
    |
    v
[Step 3: Analyze results]
    +-- Review screenshot for brand impersonation
    +-- Check redirect chain (original URL vs final URL)
    +-- Examine DOM for login forms / credential inputs
    +-- Review network requests for suspicious endpoints
    +-- Check SSL certificate details
    |
    v
[Step 4: Classify]
    +-- Phishing (credential harvesting)
    +-- Malware delivery
    +-- Scam / fraud
    +-- Benign (false positive)
    |
    v
[Step 5: Action]
    +-- If malicious: Extract IOCs, block domain/IP, update filters
    +-- If benign: Document and close
    +-- If uncertain: Escalate for deeper analysis
```
## Workflow 2: Bulk URL Analysis

```text
URL list from email gateway / threat feed
    |
    v
[Batch submit to URLScan API]
    +-- Rate limit: 2 submissions/second (free tier)
    +-- Use private visibility for sensitive URLs
    |
    v
[Collect all results]
    +-- Poll each scan UUID for completion
    +-- Download screenshots and DOM content
    |
    v
[Automated triage]
    +-- Flag: credential input forms detected
    +-- Flag: brand impersonation in screenshot
    +-- Flag: known phishing infrastructure (IP/ASN)
    +-- Flag: newly registered domains
    |
    v
[Generate report]
    +-- Categorized URL list (malicious / suspicious / clean)
    +-- IOC extract for blocking
    +-- Statistics summary
```
## Workflow 3: IOC Extraction and Enrichment

```text
URLScan result available
    |
    v
[Extract from scan]
    +-- All domains contacted
    +-- All IPs contacted
    +-- SSL certificate fingerprints
    +-- JavaScript file hashes
    +-- Page resource hashes
    +-- Final redirect URL
    |
    v
[Cross-reference]
    +-- VirusTotal: domain/IP/hash reputation
    +-- PhishTank: known phishing URL database
    +-- WHOIS: domain registration details
    +-- AbuseIPDB: IP abuse reports
    +-- Google Safe Browsing: malware/phishing flags
    |
    v
[Compile IOC package]
    +-- STIX/TAXII format for TIP
    +-- CSV for firewall/proxy rules
    +-- JSON for SIEM enrichment
```
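A worked example of Workflow 1 steps 1, 3 and 4 together with the extraction step of Workflow 3, added here and not part of the repository. It runs offline over a constructed result dict whose field names follow urlscan's result JSON (`task.url`, `page.url`, `lists.domains`, `lists.ips`, `lists.hashes`, `lists.certificates`) and a constructed DOM snippet; the submit and poll calls of step 2 are assumed to have already completed.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like a urlscan result (field names follow the public
# result JSON; every value below is invented for this example).
SAMPLE_RESULT = {
    "task": {"url": "http://login-check.example/verify", "visibility": "private"},
    "page": {"url": "https://secure-portal.example.net/auth",
             "domain": "secure-portal.example.net", "ip": "203.0.113.10"},
    "lists": {
        "domains": ["login-check.example", "secure-portal.example.net"],
        "ips": ["203.0.113.10", "198.51.100.7"],
        "hashes": ["a" * 64, "b" * 64],
        "certificates": [{"subjectName": "secure-portal.example.net"}],
    },
}
# Constructed DOM snippet standing in for the scan's downloaded DOM content.
SAMPLE_DOM = '<form action="/auth"><input name="u"><input type="password" name="p"></form>'


def defang(url: str) -> str:
    """Step 1: make the URL non-clickable before it goes into tickets or chat."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")


def extract_iocs(result: dict) -> dict:
    """Workflow 3: pull the blockable artefacts out of a finished scan."""
    lists = result.get("lists", {})
    return {
        "submitted_url": result["task"]["url"],
        "final_url": result["page"]["url"],
        "domains": sorted(set(lists.get("domains", []))),
        "ips": sorted(set(lists.get("ips", []))),
        "hashes": sorted(set(lists.get("hashes", []))),
        "cert_subjects": [c.get("subjectName", "") for c in lists.get("certificates", [])],
    }


def triage_flags(result: dict, dom: str) -> list:
    """Step 3 checks: redirect chain, credential inputs, certificate vs final host."""
    flags = []
    submitted = urlparse(result["task"]["url"]).hostname or ""
    final = urlparse(result["page"]["url"]).hostname or ""
    if submitted != final:
        flags.append(f"redirect: {submitted} -> {final}")
    if re.search(r"<input[^>]+type=[\"']?password", dom, re.I):
        flags.append("credential input form in DOM")
    subjects = [c.get("subjectName", "") for c in result.get("lists", {}).get("certificates", [])]
    if subjects and final not in subjects:
        flags.append("certificate subject does not match final host")
    return flags


def classify(flags: list) -> str:
    """Step 4: only the credential-harvesting case is decided automatically."""
    if any(f.startswith("credential input") for f in flags):
        return "phishing (credential harvesting)"
    return "uncertain - escalate" if flags else "benign (false positive)"
```

Malware delivery and scam verdicts still need the screenshot and network-request review from step 3, so anything without a credential form is left for the analyst.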