Anthropic-Cybersecurity-Skills/skills/containing-active-breach/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

# Active Breach Containment API Reference

## CrowdStrike Falcon - Host Containment

```bash
# $TOKEN is an OAuth2 bearer token obtained from POST https://api.crowdstrike.com/oauth2/token
# Contain a host (network isolation); the request body carries the Falcon device IDs
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id_here"]}'

# Lift containment (same endpoint and JSON body, different action_name)
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=lift_containment" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id_here"]}'
```

## Microsoft Defender for Endpoint - Isolation

```powershell
# Isolate machine via API ($machineId and $token are set beforehand;
# $token is an OAuth2 bearer token for the api.securitycenter.microsoft.com resource)
$body = @{ Comment = "Breach containment INC-2025-001"; IsolationType = "Full" } | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
  -Method Post -Headers @{Authorization = "Bearer $token"} -Body $body -ContentType "application/json"

# Release from isolation
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/unisolate" `
  -Method Post -Headers @{Authorization = "Bearer $token"} `
  -Body (@{Comment = "Containment lifted"} | ConvertTo-Json) -ContentType "application/json"
```

## Active Directory - Credential Actions

```powershell
# Disable compromised account
Disable-ADAccount -Identity "jsmith"

# Reset password (prompt for it rather than hard-coding a value in the script)
Set-ADAccountPassword -Identity "jsmith" -Reset -NewPassword (Read-Host -AsSecureString "New password")
Set-ADUser -Identity "jsmith" -ChangePasswordAtLogon $true

# Revoke Azure AD sessions (AzureAD module; the Microsoft Graph equivalent is
# Revoke-MgUserSignInSession -UserId "user-object-id")
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"

# KRBTGT double reset (first reset). There is no built-in Reset-KrbtgtKeys cmdlet;
# the krbtgt password is reset like any other account. Run the second reset only
# after the first has replicated to every DC and one ticket lifetime (10 hours by
# default) has passed, or every Kerberos ticket in the domain breaks at once.
# Microsoft's New-KrbtgtKeys.ps1 script automates both resets with replication checks.
Set-ADAccountPassword -Identity "krbtgt" -Server DC01 -Reset -NewPassword (Read-Host -AsSecureString "New krbtgt password")
```

## Network Containment - iptables

```bash
# Block C2 IP (185.220.x.x is a placeholder; substitute the indicator from the incident)
iptables -A INPUT -s 185.220.x.x -j DROP
iptables -A OUTPUT -d 185.220.x.x -j DROP

# Isolate host from network (allow management only), applied on the gateway's FORWARD chain.
# Rule order matters: the ACCEPT must sit above the DROP, and both must sit above any
# existing permissive rule, so insert at fixed positions with -I instead of appending with -A.
iptables -I FORWARD 1 -s 10.10.5.12 -d 10.10.0.1 -j ACCEPT
iptables -I FORWARD 2 -s 10.10.5.12 -j DROP

# Block SMB lateral movement
iptables -A FORWARD -p tcp --dport 445 -j DROP
```
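The isolation rules above only work when the ACCEPT for management traffic precedes the DROPs, and every containment action needs a matching rollback for when the incident is closed. As an added example that is not part of the original reference, this Python helper builds an ordered, incident-tagged rule set for the gateway FORWARD chain together with the commands that remove it; the function names are assumptions, and the `-m comment` match module is assumed to be available on the gateway.

```python
import ipaddress
import shlex
from typing import List, Optional, Tuple

CHAIN = "FORWARD"


def _spec(src: Optional[str], dst: Optional[str], target: str, tag: str) -> str:
    """Match + target part of one rule, tagged with the incident id for audit and rollback."""
    parts = []
    if src:
        parts.append(f"-s {src}")
    if dst:
        parts.append(f"-d {dst}")
    parts.append(f"-m comment --comment {shlex.quote(tag)}")
    parts.append(f"-j {target}")
    return " ".join(parts)


def isolation_plan(host: str, mgmt_hosts: List[str], tag: str) -> Tuple[List[str], List[str]]:
    """Return (apply_cmds, rollback_cmds) that isolate `host` except to `mgmt_hosts`.

    ACCEPT rules for management traffic are inserted at the top of the chain,
    with the catch-all DROPs directly below them, so neither an existing
    permissive rule further down nor the DROPs themselves can shadow the
    management path. rollback_cmds delete the same rules in reverse order.
    """
    ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP address
    for m in mgmt_hosts:
        ipaddress.ip_address(m)
    if host in mgmt_hosts:
        raise ValueError("host cannot be in its own management allow-list")
    specs: List[str] = []
    for m in mgmt_hosts:
        specs.append(_spec(host, m, "ACCEPT", tag))  # host -> management
        specs.append(_spec(m, host, "ACCEPT", tag))  # management -> host
    specs.append(_spec(host, None, "DROP", tag))     # everything else from host
    specs.append(_spec(None, host, "DROP", tag))     # everything else to host
    apply_cmds = [f"iptables -I {CHAIN} {pos} {s}" for pos, s in enumerate(specs, start=1)]
    rollback_cmds = [f"iptables -D {CHAIN} {s}" for s in reversed(specs)]
    return apply_cmds, rollback_cmds


if __name__ == "__main__":
    # Constructed sample: the host and management address used in this section, tagged INC-2025-001
    apply_cmds, rollback_cmds = isolation_plan("10.10.5.12", ["10.10.0.1"], "INC-2025-001")
    print("\n".join(apply_cmds))
    print("# rollback:")
    print("\n".join(rollback_cmds))
```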

## DNS Sinkholing

```bash
# Add sinkhole entry (local hosts file)
echo "127.0.0.1 evil.example.com" >> /etc/hosts

# Unbound DNS sinkhole: answer the zone from local data, pointing at the sinkhole listener 10.0.0.99
unbound-control local_zone "evil.example.com" redirect
unbound-control local_data "evil.example.com A 10.0.0.99"
```

## Evidence Collection

```bash
# Memory dump (Linux). /proc/kcore is an ELF view of kernel virtual memory rather than
# a raw physical image, and dd over it is slow and can fail on unmapped regions;
# prefer a purpose-built acquirer such as LiME or Microsoft AVML when one is available.
sudo dd if=/proc/kcore of=/evidence/memory.raw bs=1M
# AVML alternative (writes LiME-format output)
sudo avml /evidence/memory.lime

# Volatile data collection: capture this before isolation actions that tear down sessions
ps auxww > /evidence/processes.txt
sudo ss -tunap > /evidence/network.txt
cat /proc/net/arp > /evidence/arp.txt
```