mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.7 KiB
1.7 KiB
DCSync Persistence Detection — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| ldap3 | pip install ldap3 |
LDAP directory queries for AD permission enumeration |
| impacket | pip install impacket |
Network protocol toolkit — secretsdump.py for DCSync |
| pyad | pip install pyad |
Windows Active Directory interface |
Key ldap3 Methods
| Method | Description |
|---|---|
Server(ip, get_info=ALL) |
Create LDAP server connection object |
Connection(server, user, password, authentication=NTLM) |
Bind to AD with NTLM auth |
conn.search(search_base, search_filter, attributes) |
Query directory objects |
conn.entries |
Access search result entries |
conn.unbind() |
Close LDAP connection |
Critical GUIDs for DCSync Detection
| GUID | Right |
|---|---|
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 |
DS-Replication-Get-Changes |
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 |
DS-Replication-Get-Changes-All |
89e95b76-444d-4c62-991a-0facbeda640c |
DS-Replication-Get-Changes-In-Filtered-Set |
Windows Event IDs
| Event ID | Description |
|---|---|
| 4662 | Directory service object accessed (replication GUIDs indicate DCSync) |
| 4624 | Logon event — correlate with replication activity from non-DC source |
MITRE ATT&CK Mapping
| Technique | ID |
|---|---|
| OS Credential Dumping: DCSync | T1003.006 |