mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
#!/usr/bin/env python3
"""Windows Defender advanced configuration audit agent."""
import argparse
import json
import subprocess
from datetime import datetime, timezone
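def get_defender_status():
    """Return the Windows Defender status reported by ``Get-MpComputerStatus``.

    Runs ``powershell -NoProfile -Command "Get-MpComputerStatus | ConvertTo-Json"``
    and parses the JSON it prints.

    Returns:
        dict: the parsed status object on success, otherwise a dict with a
        single ``"error"`` key describing why the status could not be read
        (PowerShell not found, timeout, cmdlet failure, empty or invalid
        output).
    """
    # -NoProfile keeps user/system profile scripts out of the audit process
    # so they cannot alter or shadow the cmdlet output.
    cmd = ["powershell", "-NoProfile", "-Command",
           "Get-MpComputerStatus | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as e:
        # OSError covers FileNotFoundError (no powershell on PATH) as well as
        # PermissionError, which the original narrower clause let escape.
        return {"error": str(e)}
    output = result.stdout.strip()
    if not output:
        # A failing cmdlet explains itself on stderr; surface that instead of
        # a bare "No output" so an unreadable state is not confused with a
        # disabled one.
        detail = result.stderr.strip()
        return {"error": detail or f"No output (exit code {result.returncode})"}
    try:
        return json.loads(output)
    except json.JSONDecodeError as e:
        return {"error": str(e)}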
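def get_defender_preferences():
    """Return the Windows Defender preference settings from ``Get-MpPreference``.

    Runs ``powershell -NoProfile -Command "Get-MpPreference | ConvertTo-Json"``
    and parses the JSON it prints.

    Returns:
        dict: the parsed preference object on success, otherwise a dict with
        a single ``"error"`` key describing why the preferences could not be
        read (PowerShell not found, timeout, cmdlet failure, empty or invalid
        output).
    """
    # -NoProfile keeps user/system profile scripts out of the audit process
    # so they cannot alter or shadow the cmdlet output.
    cmd = ["powershell", "-NoProfile", "-Command",
           "Get-MpPreference | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as e:
        # OSError covers FileNotFoundError (no powershell on PATH) as well as
        # PermissionError, which the original narrower clause let escape.
        return {"error": str(e)}
    output = result.stdout.strip()
    if not output:
        # A failing cmdlet explains itself on stderr; surface that instead of
        # a bare "No output" so an unreadable state is not confused with a
        # disabled one.
        detail = result.stderr.strip()
        return {"error": detail or f"No output (exit code {result.returncode})"}
    try:
        return json.loads(output)
    except json.JSONDecodeError as e:
        return {"error": str(e)}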
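# ASR rule GUIDs (lower-case) that this audit treats as must-have, with the
# description printed when one is absent.
_CRITICAL_ASR_RULES = {
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email and webmail",
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "3b576869-a4ec-4529-8536-b80a7769e899": "Block Office applications from creating executable content",
    "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84": "Block Office applications from injecting code",
    "d3e037e1-3eb8-44c8-a917-57927947596d": "Block JavaScript or VBScript from launching downloaded content",
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
    "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b": "Block Win32 API calls from Office macros",
    "56a863a9-875e-4185-98a7-b882c64b5ce5": "Block abuse of exploited vulnerable signed drivers",
}


def audit_asr_rules():
    """Audit Attack Surface Reduction rules configuration.

    Reads ``AttackSurfaceReductionRules_Ids`` from ``Get-MpPreference`` and
    reports which of the rules in ``_CRITICAL_ASR_RULES`` are not present.

    Returns:
        dict with ``"configured_count"`` (number of distinct rule ids found)
        and ``"missing_critical"`` (list of ``{"rule_id", "description",
        "severity"}`` entries, severity always ``"HIGH"``). When the rule
        list cannot be read, every critical rule is reported as missing.

    Note: only the *presence* of a rule id is checked. A rule that is present
    in audit or warn mode still counts as configured here; the enforcement
    mode lives in ``AttackSurfaceReductionRules_Actions`` and is not
    inspected by this function.
    """
    # -NoProfile keeps user/system profile scripts out of the audit process
    # so they cannot alter or shadow the cmdlet output.
    cmd = ["powershell", "-NoProfile", "-Command",
           "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids | ConvertTo-Json"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        raw_ids = json.loads(result.stdout) if result.stdout.strip() else []
    except (OSError, json.JSONDecodeError, subprocess.TimeoutExpired):
        # TimeoutExpired was previously uncaught and aborted the whole audit.
        raw_ids = []
    # ConvertTo-Json emits a bare JSON string (not a one-element array) when
    # exactly one rule is configured, and "null" when none are; treat the
    # single-string case as a one-item list rather than as "nothing set".
    if isinstance(raw_ids, str):
        raw_ids = [raw_ids]
    elif not isinstance(raw_ids, list):
        raw_ids = []
    # GUIDs may be stored in either letter case; compare case-insensitively
    # so an upper-case id is not reported as missing.
    configured = {str(rid).strip().lower() for rid in raw_ids}
    missing = [
        {"rule_id": rule_id, "description": desc, "severity": "HIGH"}
        for rule_id, desc in _CRITICAL_ASR_RULES.items()
        if rule_id not in configured
    ]
    return {"configured_count": len(configured), "missing_critical": missing}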
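def check_tamper_protection():
    """Check whether Defender tamper protection is enabled.

    Runs ``(Get-MpComputerStatus).IsTamperProtected`` and interprets the
    printed boolean.

    Returns:
        dict: ``{"tamper_protection": bool, "severity": "CRITICAL" | "INFO"}``
        when the value could be read (CRITICAL when disabled). When it cannot
        be read, ``{"error": "Cannot check tamper protection..."}`` is
        returned instead of reporting "disabled", so a failed check is not
        mistaken for a CRITICAL finding.
    """
    # -NoProfile keeps user/system profile scripts out of the audit process
    # so they cannot alter or shadow the cmdlet output.
    cmd = ["powershell", "-NoProfile", "-Command",
           "(Get-MpComputerStatus).IsTamperProtected"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return {"error": "Cannot check tamper protection"}
    value = result.stdout.strip().lower()
    # The expression prints exactly "True" or "False"; empty output or an
    # error message means the state is unknown, not "off".
    if value not in ("true", "false"):
        detail = result.stderr.strip()
        suffix = f": {detail}" if detail else ""
        return {"error": f"Cannot check tamper protection{suffix}"}
    enabled = value == "true"
    return {"tamper_protection": enabled,
            "severity": "INFO" if enabled else "CRITICAL"}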
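def run_audit():
    """Execute the Windows Defender audit and print a human-readable summary.

    Collects Defender status, ASR rule coverage and tamper-protection state
    via the collector functions in this module, prints one section per
    collector to stdout, and returns the raw findings.

    Returns:
        dict with keys ``"status"``, ``"asr"`` and ``"tamper"`` holding the
        unmodified return values of ``get_defender_status``,
        ``audit_asr_rules`` and ``check_tamper_protection``.
    """
    banner = "=" * 60
    print(f"\n{banner}")
    print(" WINDOWS DEFENDER ADVANCED SETTINGS AUDIT")
    # utcnow() is deprecated since 3.12 and returns a naive datetime; use an
    # aware UTC timestamp instead.
    generated = datetime.now(timezone.utc).isoformat(timespec="seconds")
    print(f" Generated: {generated} UTC")
    print(f"{banner}\n")

    status = get_defender_status()
    print("--- DEFENDER STATUS ---")
    if "error" in status:
        # Say why the section is empty instead of printing nothing.
        print(f" [ERROR] {status['error']}")
    else:
        print(f" Real-time protection: {status.get('RealTimeProtectionEnabled', 'N/A')}")
        print(f" Behavior monitoring: {status.get('BehaviorMonitorEnabled', 'N/A')}")
        # OnAccessProtectionEnabled is on-access (file-open) scanning, not
        # cloud-delivered protection; the previous "Cloud protection" label
        # misrepresented the value.
        print(f" On-access protection: {status.get('OnAccessProtectionEnabled', 'N/A')}")
        print(f" Signature version: {status.get('AntivirusSignatureVersion', 'N/A')}")

    asr = audit_asr_rules()
    print("\n--- ASR RULES ---")
    print(f" Configured: {asr['configured_count']}")
    missing = asr["missing_critical"]
    print(f" Missing critical: {len(missing)}")
    # Only the first five are shown on screen; the JSON report carries all.
    for rule in missing[:5]:
        print(f" [{rule['severity']}] {rule['description']}")
    if len(missing) > 5:
        print(f" ... and {len(missing) - 5} more (see JSON report)")

    tamper = check_tamper_protection()
    print("\n--- TAMPER PROTECTION ---")
    if "error" in tamper:
        print(f" [ERROR] {tamper['error']}")
    else:
        print(f" Enabled: {tamper['tamper_protection']} [{tamper['severity']}]")

    return {"status": status, "asr": asr, "tamper": tamper}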
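def main():
    """Command-line entry point.

    ``--audit`` runs the full audit (see ``run_audit``); ``--output PATH``
    additionally writes the returned findings to PATH as JSON. Without
    ``--audit`` the usage text is printed.
    """
    parser = argparse.ArgumentParser(description="Windows Defender Audit Agent")
    parser.add_argument("--audit", action="store_true", help="Run full audit")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    if not args.audit:
        parser.print_help()
        return

    report = run_audit()
    if args.output:
        # Explicit encoding: the report may carry non-ASCII text from
        # PowerShell output, and the platform default on Windows is not UTF-8.
        with open(args.output, "w", encoding="utf-8") as f:
            # default=str only matters for values that are not JSON-native;
            # the collectors already return plain dicts/lists/strings.
            json.dump(report, f, indent=2, default=str)
        print(f"\n[+] Report saved to {args.output}")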
# Script guard: run the CLI only when executed directly, not on import.
if __name__ == "__main__":
    raise SystemExit(main())