Anthropic-Cybersecurity-Skills/skills/analyzing-ransomware-network-indicators/references/api-reference.md
# Ransomware Network Indicator Analysis API Reference
## Zeek conn.log Fields
| Field | Description | Example |
|-------|-------------|---------|
| `ts` | Connection timestamp (epoch) | 1609459200.123 |
| `uid` | Unique connection ID | CYxTKo2zkGkGbfJFi |
| `id.orig_h` | Source IP | 192.168.1.100 |
| `id.orig_p` | Source port | 49152 |
| `id.resp_h` | Destination IP | 185.220.101.1 |
| `id.resp_p` | Destination port | 443 |
| `proto` | Protocol | tcp |
| `duration` | Connection duration (seconds) | 0.5 |
| `orig_bytes` | Bytes sent by originator | 1024 |
| `resp_bytes` | Bytes sent by responder | 512 |
| `conn_state` | Connection state | SF |
## Beaconing Detection Algorithm
```
1. Group connections by (src_ip, dst_ip, dst_port)
2. Sort timestamps within each group
3. Calculate intervals: t[i+1] - t[i]
4. Compute statistics:
   - mean_interval = mean(intervals)
   - stddev = stdev(intervals)
   - coefficient_of_variation = stddev / mean_interval
5. Flag as beaconing if CV < 0.3 (regular interval pattern)
   - CV < 0.1 = critical (highly regular)
   - CV 0.1-0.3 = high (moderately regular)
```
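The five steps above as runnable Python over `zeek-cut` output (an added example, not code from the skill itself). The sample rows are constructed; the thresholds are the ones listed in the algorithm.

```python
"""CV-based beaconing detector for Zeek conn.log (added example, not the skill's code)."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample in zeek-cut order (ts, id.orig_h, id.resp_h, id.resp_p): flow 1 ~60 s period, flow 2 irregular.
SAMPLE_CONN = """\
1609459200.000\t192.168.1.100\t185.220.101.1\t443
1609459260.100\t192.168.1.100\t185.220.101.1\t443
1609459320.050\t192.168.1.100\t185.220.101.1\t443
1609459379.900\t192.168.1.100\t185.220.101.1\t443
1609459440.200\t192.168.1.100\t185.220.101.1\t443
1609459200.000\t192.168.1.101\t93.184.216.34\t80
1609459205.000\t192.168.1.101\t93.184.216.34\t80
1609459900.000\t192.168.1.101\t93.184.216.34\t80
1609460100.000\t192.168.1.101\t93.184.216.34\t80
"""

def parse_zeek_cut(text):
    """Yield (ts, src, dst, port) tuples from zeek-cut TSV output."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, src, dst, port = line.split("\t")
            yield float(ts), src, dst, int(port)

def severity(cv):
    """Map coefficient of variation to the thresholds in the algorithm above."""
    if cv < 0.1:
        return "critical"
    return "high" if cv < 0.3 else None

def detect_beacons(records, min_connections=4):
    """Return {(src, dst, port): (mean_interval, cv, severity)} for flagged flows."""
    groups = defaultdict(list)
    for ts, src, dst, port in records:
        groups[(src, dst, port)].append(ts)          # step 1: group by 3-tuple
    findings = {}
    for key, stamps in groups.items():
        if len(stamps) < min_connections:             # too few intervals for a stable stdev
            continue
        stamps.sort()                                 # step 2
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]   # step 3
        m = mean(intervals)
        if m <= 0:                                    # duplicate timestamps: skip
            continue
        cv = stdev(intervals) / m                     # step 4
        sev = severity(cv)                            # step 5
        if sev:
            findings[key] = (round(m, 2), round(cv, 4), sev)
    return findings
```

On real data, feed `zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log` output to `parse_zeek_cut`; raise `min_connections` on busy networks to cut false positives from short bursts.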
## TOR Exit Node Detection
```bash
# Fetch current TOR exit node list
curl -s https://check.torproject.org/torbulkexitlist > tor_exits.txt
# Alternative: Dan.me.uk TOR list (quote the URL so the shell does not glob the '?')
curl -s "https://www.dan.me.uk/torlist/?exit" > tor_exits_alt.txt
# comm needs both inputs sorted; build the sorted list it reads below
sort -u tor_exits.txt > tor_exits_sorted.txt
# Cross-reference with Zeek conn.log
zeek-cut id.resp_h < conn.log | sort -u | comm -12 - tor_exits_sorted.txt
```
## RITA (Real Intelligence Threat Analytics) for Zeek
```bash
# Import Zeek logs into RITA
rita import /opt/zeek/logs/current rita_db
# Analyze beaconing
rita show-beacons rita_db
# Show long connections
rita show-long-connections rita_db
# DNS analysis
rita show-exploded-dns rita_db
```
## Zeek CLI for Live Capture
```bash
# Analyze PCAP with Zeek
zeek -r capture.pcap
# Live capture on interface
zeek -i eth0 local.zeek
# Extract conn.log fields
zeek-cut ts id.orig_h id.resp_h id.resp_p orig_bytes resp_bytes < conn.log
```
## MITRE ATT&CK Mapping
| Technique | ID | Network Indicator |
|-----------|----|--------------------|
| Application Layer Protocol | T1071 | C2 beaconing patterns |
| Encrypted Channel | T1573 | TOR/encrypted C2 traffic |
| Exfiltration Over C2 Channel | T1041 | High outbound byte ratio |
| Data Encrypted for Impact | T1486 | Ransomware encryption |