creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/conducting-cloud-incident-response/scripts/agent.py
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

193 lines
7.4 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Cloud Incident Response Agent - Automates AWS/Azure cloud IR containment and evidence collection."""
import json
import logging
import argparse
import subprocess
from datetime import datetime, timedelta
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def aws_disable_access_key(username, access_key_id):
"""Disable a compromised IAM access key via AWS CLI."""
cmd = [
"aws", "iam", "update-access-key",
"--user-name", username,
"--access-key-id", access_key_id,
"--status", "Inactive",
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
logger.info("Disabled access key %s for user %s", access_key_id, username)
else:
logger.error("Failed to disable key: %s", result.stderr)
return result.returncode == 0
def aws_attach_deny_all(username):
"""Attach AWSDenyAll policy to a compromised IAM user."""
cmd = [
"aws", "iam", "attach-user-policy",
"--user-name", username,
"--policy-arn", "arn:aws:iam::aws:policy/AWSDenyAll",
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
logger.info("Attached AWSDenyAll to user %s", username)
return result.returncode == 0
def aws_isolate_ec2(instance_id, forensic_sg):
"""Isolate an EC2 instance by changing its security group to forensic isolation SG."""
cmd = [
"aws", "ec2", "modify-instance-attribute",
"--instance-id", instance_id,
"--groups", forensic_sg,
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
logger.info("Isolated EC2 %s with security group %s", instance_id, forensic_sg)
return result.returncode == 0
def aws_snapshot_ebs(instance_id):
"""Create EBS snapshots of all volumes attached to an EC2 instance."""
cmd = [
"aws", "ec2", "describe-volumes",
"--filters", f"Name=attachment.instance-id,Values={instance_id}",
"--query", "Volumes[*].VolumeId",
"--output", "text",
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
volume_ids = result.stdout.strip().split()
snapshots = []
for vol_id in volume_ids:
snap_cmd = [
"aws", "ec2", "create-snapshot",
"--volume-id", vol_id,
"--description", f"IR evidence - {instance_id} - {datetime.utcnow().isoformat()}",
]
snap_result = subprocess.run(snap_cmd, capture_output=True, text=True, timeout=120)
if snap_result.returncode == 0:
snap_data = json.loads(snap_result.stdout)
snapshots.append(snap_data.get("SnapshotId"))
logger.info("Created snapshot %s for volume %s", snap_data.get("SnapshotId"), vol_id)
return snapshots
def aws_query_cloudtrail(username, hours_back=24):
"""Query CloudTrail for API calls made by a specific IAM user."""
start_time = (datetime.utcnow() - timedelta(hours=hours_back)).strftime("%Y-%m-%dT%H:%M:%SZ")
cmd = [
"aws", "cloudtrail", "lookup-events",
"--lookup-attributes", f"AttributeKey=Username,AttributeValue={username}",
"--start-time", start_time,
"--output", "json",
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
events = json.loads(result.stdout).get("Events", [])
logger.info("CloudTrail: %d events for user %s in last %d hours", len(events), username, hours_back)
parsed = []
for event in events:
ct_event = json.loads(event.get("CloudTrailEvent", "{}"))
parsed.append({
"time": event.get("EventTime", ""),
"event_name": event.get("EventName", ""),
"source_ip": ct_event.get("sourceIPAddress", ""),
"user_agent": ct_event.get("userAgent", ""),
"resources": event.get("Resources", []),
})
return parsed
return []
def aws_list_attacker_resources(username, events):
"""Identify resources created by the attacker from CloudTrail events."""
create_events = [
e for e in events
if e["event_name"].startswith(("Create", "Run", "Put", "Attach"))
]
logger.info("Identified %d resource creation events", len(create_events))
return create_events
def aws_check_all_regions_instances():
"""Check all AWS regions for unauthorized EC2 instances."""
cmd = ["aws", "ec2", "describe-regions", "--query", "Regions[*].RegionName", "--output", "text"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
regions = result.stdout.strip().split()
all_instances = {}
for region in regions:
cmd = [
"aws", "ec2", "describe-instances",
"--region", region,
"--query", "Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name]",
"--output", "json",
]
r = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if r.returncode == 0:
instances = json.loads(r.stdout)
running = [i for reservation in instances for i in reservation if i[2] == "running"]
if running:
all_instances[region] = running
logger.info("Found instances in %d regions", len(all_instances))
return all_instances
def generate_ir_report(incident_id, username, events, snapshots, containment_actions):
"""Generate a cloud incident response report."""
report = {
"incident_id": incident_id,
"timestamp": datetime.utcnow().isoformat(),
"compromised_identity": username,
"cloudtrail_events": len(events),
"evidence_snapshots": snapshots,
"containment_actions": containment_actions,
"attacker_activity": events[:20],
}
print(json.dumps(report, indent=2))
return report
def main():
parser = argparse.ArgumentParser(description="Cloud Incident Response Agent")
parser.add_argument("--incident-id", required=True, help="Incident ID")
parser.add_argument("--username", required=True, help="Compromised IAM username")
parser.add_argument("--access-key-id", help="Compromised access key to disable")
parser.add_argument("--instance-id", help="EC2 instance to isolate")
parser.add_argument("--forensic-sg", default="sg-forensic-isolate", help="Forensic SG ID")
parser.add_argument("--output", default="cloud_ir_report.json")
args = parser.parse_args()
containment = []
if args.access_key_id:
aws_disable_access_key(args.username, args.access_key_id)
containment.append(f"Disabled access key {args.access_key_id}")
aws_attach_deny_all(args.username)
containment.append(f"Attached AWSDenyAll to {args.username}")
snapshots = []
if args.instance_id:
aws_isolate_ec2(args.instance_id, args.forensic_sg)
containment.append(f"Isolated EC2 {args.instance_id}")
snapshots = aws_snapshot_ebs(args.instance_id)
events = aws_query_cloudtrail(args.username, hours_back=72)
attacker_actions = aws_list_attacker_resources(args.username, events)
report = generate_ir_report(args.incident_id, args.username, events, snapshots, containment)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("IR report saved to %s", args.output)
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink