mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
85 lines
2.5 KiB
Markdown
85 lines
2.5 KiB
Markdown
# Active Breach Containment API Reference
|
|
|
|
## CrowdStrike Falcon - Host Containment
|
|
|
|
```bash
|
|
# Contain a host (network isolation)
|
|
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
|
|
-H "Authorization: Bearer $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"ids": ["device_id_here"]}'
|
|
|
|
# Lift containment
|
|
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=lift_containment" \
|
|
-H "Authorization: Bearer $TOKEN" \
|
|
-d '{"ids": ["device_id_here"]}'
|
|
```
|
|
|
|
## Microsoft Defender for Endpoint - Isolation
|
|
|
|
```powershell
|
|
# Isolate machine via API
|
|
$body = @{ Comment = "Breach containment INC-2025-001"; IsolationType = "Full" } | ConvertTo-Json
|
|
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
|
|
-Method Post -Headers @{Authorization = "Bearer $token"} -Body $body -ContentType "application/json"
|
|
|
|
# Release from isolation
|
|
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/unisolate" `
|
|
-Method Post -Headers @{Authorization = "Bearer $token"} `
|
|
-Body (@{Comment = "Containment lifted"} | ConvertTo-Json) -ContentType "application/json"
|
|
```
|
|
|
|
## Active Directory - Credential Actions
|
|
|
|
```powershell
|
|
# Disable compromised account
|
|
Disable-ADAccount -Identity "jsmith"
|
|
|
|
# Reset password
|
|
Set-ADAccountPassword -Identity "jsmith" -Reset -NewPassword (ConvertTo-SecureString "NewP@ss!" -AsPlainText -Force)
|
|
|
|
# Revoke Azure AD sessions
|
|
Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id"
|
|
|
|
# KRBTGT double reset (first reset)
|
|
Reset-KrbtgtKeys -Server DC01 -Force
|
|
```
|
|
|
|
## Network Containment - iptables
|
|
|
|
```bash
|
|
# Block C2 IP
|
|
iptables -A INPUT -s 185.220.x.x -j DROP
|
|
iptables -A OUTPUT -d 185.220.x.x -j DROP
|
|
|
|
# Isolate host from network (allow management only)
|
|
iptables -A FORWARD -s 10.10.5.12 -d 10.10.0.1 -j ACCEPT
|
|
iptables -A FORWARD -s 10.10.5.12 -j DROP
|
|
|
|
# Block SMB lateral movement
|
|
iptables -A FORWARD -p tcp --dport 445 -j DROP
|
|
```
|
|
|
|
## DNS Sinkholing
|
|
|
|
```bash
|
|
# Add sinkhole entry
|
|
echo "127.0.0.1 evil.example.com" >> /etc/hosts
|
|
|
|
# Unbound DNS sinkhole
|
|
unbound-control local_zone "evil.example.com" redirect
|
|
unbound-control local_data "evil.example.com A 10.0.0.99"
|
|
```
|
|
|
|
## Evidence Collection
|
|
|
|
```bash
|
|
# Memory dump (Linux)
|
|
sudo dd if=/proc/kcore of=/evidence/memory.raw bs=1M
|
|
|
|
# Volatile data collection
|
|
ps auxww > /evidence/processes.txt
|
|
ss -tunap > /evidence/network.txt
|
|
cat /proc/net/arp > /evidence/arp.txt
|
|
```
|