creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/building-threat-hunt-hypothesis-framework/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.1 KiB
Raw Blame History

API Reference: Threat Hunt Hypothesis Framework

Hypothesis Structure

Field Description
hypothesis_id Unique identifier (HYP-XXXXXXXX)
technique_id MITRE ATT&CK technique (e.g. T1059.001)
hypothesis_statement Natural language hypothesis
data_sources Required log sources
priority high / medium / low
status planned / in_progress / completed

MITRE ATT&CK Data Sources

# Download ATT&CK STIX bundle
curl -O https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

# Filter attack-pattern objects for technique data sources
python3 -c "
import json
bundle = json.load(open('enterprise-attack.json'))
for obj in bundle['objects']:
    if obj.get('type') == 'attack-pattern' and not obj.get('x_mitre_deprecated'):
        eid = obj['external_references'][0]['external_id']
        ds = [d['source_name'] for d in obj.get('x_mitre_data_sources', [])]
        print(f'{eid}: {ds}')
"

Hunt Maturity Model (HMM)

Level Name Description
HM0 Initial Ad hoc, no documented procedures
HM1 Minimal Basic procedures, limited data sources
HM2 Procedural Documented hypotheses, repeatable hunts
HM3 Innovative Custom analytics, TI-driven hypotheses
HM4 Leading Automated, ML-assisted, continuous hunting

Key Windows Event IDs for Hunting

Event ID Source Use Case
4104 PowerShell Script block logging
4688 Security Process creation
4624/4625 Security Logon success/failure
4698 Security Scheduled task created
1 (Sysmon) Sysmon Process create with hashes
3 (Sysmon) Sysmon Network connection
10 (Sysmon) Sysmon Process access (LSASS)
11 (Sysmon) Sysmon File create

Sigma Rule Integration

title: Suspicious PowerShell Execution
status: experimental
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4104
        ScriptBlockText|contains:
            - 'Invoke-Mimikatz'
            - 'Invoke-Expression'
    condition: selection
level: high
Reference in New Issue View Git Blame Copy Permalink