mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.5 KiB
2.5 KiB
S3 Data Exfiltration Detection API Reference
GuardDuty S3 Finding Types
| Finding Type | Description |
|---|---|
Exfiltration:S3/MaliciousIPCaller |
S3 accessed from known malicious IP |
Exfiltration:S3/AnomalousBehavior |
Unusual S3 access pattern |
UnauthorizedAccess:S3/TorIPCaller |
S3 accessed from Tor exit node |
Discovery:S3/AnomalousBehavior |
Unusual ListObjects/HeadBucket |
Impact:S3/AnomalousBehavior.Delete |
Anomalous object deletion |
CloudTrail S3 Data Events
# Enable S3 data events on trail
aws cloudtrail put-event-selectors --trail-name mgmt-trail \
--event-selectors '[{"ReadWriteType":"All","DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::sensitive-bucket/"]}]}]'
# Query GetObject events via Athena
SELECT eventtime, useridentity.arn, requestparameters,
sourceipaddress, useragent
FROM cloudtrail_logs
WHERE eventname = 'GetObject'
AND requestparameters LIKE '%sensitive-bucket%'
ORDER BY eventtime DESC
S3 Access Monitoring
# Check bucket policy
aws s3api get-bucket-policy --bucket mybucket
# Check public access block
aws s3api get-public-access-block --bucket mybucket
# Enable server access logging
aws s3api put-bucket-logging --bucket mybucket \
--bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"log-bucket","TargetPrefix":"s3-logs/"}}'
# List bucket ACL
aws s3api get-bucket-acl --bucket mybucket
S3 Data Event Log Fields
| Field | Description |
|---|---|
eventName |
GetObject, PutObject, DeleteObject, CopyObject |
requestParameters.bucketName |
Target bucket |
requestParameters.key |
Object key accessed |
sourceIPAddress |
Caller IP |
userIdentity.arn |
Caller identity |
additionalEventData.bytesTransferredOut |
Data volume |
Athena Query - Detect Bulk Downloads
SELECT useridentity.arn, sourceipaddress,
COUNT(*) as object_count,
SUM(CAST(json_extract_scalar(additionaleventdata, '$.bytesTransferredOut') AS bigint)) as bytes_out
FROM cloudtrail_logs
WHERE eventname = 'GetObject'
AND eventtime > '2024-01-01'
GROUP BY useridentity.arn, sourceipaddress
HAVING COUNT(*) > 100
ORDER BY object_count DESC
Bucket Policy - Restrict to VPC Endpoint
{
"Statement": [{
"Sid": "DenyNonVPC",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-xxxxx"}}
}]
}