Anthropic-Cybersecurity-Skills/skills/hunting-for-command-and-control-beaconing/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference: C2 Beaconing Hunting
## Zeek Log Files
Column indexes below are for the default logs written by Zeek 3.x and later. They shift whenever a local script adds a field (and differ in Bro 2.x logs), so cut columns by name with `zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log` rather than by position.
### conn.log Fields
| Index | Field | C2 Relevance |
|-------|-------|-------------|
| 0 | ts | Timing analysis |
| 2 | id.orig_h | Internal host |
| 4 | id.resp_h | C2 server |
| 5 | id.resp_p | C2 port |
| 8 | duration | Long = persistent C2 |
| 9 | orig_bytes | Upload size |
| 10 | resp_bytes | Download size |
### dns.log Fields
| Index | Field | C2 Relevance |
|-------|-------|-------------|
| 0 | ts | Query timing |
| 2 | id.orig_h | Querying host |
| 9 | query | Domain queried |
| 13 | qtype_name | Query type (TXT and NULL are common tunneling carriers) |
| 21 | answers | Resolution |
### http.log Fields
| Index | Field | C2 Relevance |
|-------|-------|-------------|
| 8 | host | C2 domain |
| 9 | uri | C2 path |
| 12 | user_agent | Identifies C2 framework |
| 14 | request_body_len | Upload size |
| 15 | response_body_len | Download size |
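
The timing analysis the `ts` row points at, as an added example (not code from the original page or from the skill repository it belongs to). It parses Zeek TSV by the `#fields` header instead of hard-coded column indexes, groups connections by `(id.orig_h, id.resp_h, id.resp_p)` and scores each triple on how regular its inter-connection gaps are. The score (1 minus MAD/median of the intervals) is a self-written simplification of the kind of regularity test RITA's `show-beacons` performs, not RITA's algorithm; the sample log, hosts and jitter values are constructed for the example.

```python
"""Beacon-interval triage over Zeek conn.log (TSV) lines.

Added example, not from the original page. Parses the '#fields' header
rather than hard-coding indexes, so it survives a local script adding a
column; scores (orig, resp, port) triples by timing regularity.
"""
import statistics
from collections import defaultdict


def parse_zeek_tsv(text):
    """Return a list of dicts keyed by the names in the '#fields' line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        elif fields is None:
            raise ValueError("data row before '#fields' header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def beacon_candidates(records, min_connections=5):
    """Score each (orig, resp, port) triple by timing regularity.

    jitter = MAD(intervals) / median(intervals); score = 1 - jitter, so a
    perfectly periodic callback scores 1.0 and irregular traffic near 0.
    Triples with fewer than min_connections connections are skipped.
    """
    stamps_by_triple = defaultdict(list)
    for rec in records:
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        stamps_by_triple[key].append(float(rec["ts"]))

    results = []
    for (orig, resp, port), stamps in stamps_by_triple.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        mad = statistics.median(abs(i - median) for i in intervals)
        jitter = mad / median if median > 0 else float("inf")
        results.append({
            "orig": orig, "resp": resp, "port": port,
            "connections": len(stamps),
            "median_interval": median,
            "jitter": jitter,
            "score": max(0.0, 1.0 - jitter),
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


def _conn_row(ts, orig, resp, port, orig_bytes, resp_bytes):
    return "\t".join([f"{ts:.6f}", "CxXxXx", orig, "49152", resp, str(port),
                      "tcp", "0.210", str(orig_bytes), str(resp_bytes)])


# Constructed sample (not captured traffic): 10.0.0.5 calls back to
# 203.0.113.10:443 every ~60 s with a few seconds of jitter; 10.0.0.7 has
# irregular connections to 198.51.100.20:443. Only the columns the example
# needs are present; the parser keys on '#fields', not on position.
_BASE = 1700000000.0
_BEACON_JITTER = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1]
_rows = [_conn_row(_BASE + 60 * i + j, "10.0.0.5", "203.0.113.10", 443, 412, 1024)
         for i, j in enumerate(_BEACON_JITTER)]
_rows += [_conn_row(_BASE + t, "10.0.0.7", "198.51.100.20", 443, 900 + 37 * k, 15000)
          for k, t in enumerate([0, 7, 130, 131, 400, 403, 900])]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes",
     "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount"]
    + _rows + ["#close\t2023-11-14-22-13-20"])

if __name__ == "__main__":
    for cand in beacon_candidates(parse_zeek_tsv(SAMPLE_CONN_LOG)):
        print(f"{cand['orig']} -> {cand['resp']}:{cand['port']}  n={cand['connections']}  "
              f"median={cand['median_interval']:.0f}s  jitter={cand['jitter']:.2f}  score={cand['score']:.2f}")
```

On real data, feed `parse_zeek_tsv` the contents of `conn.log` directly; the 10-connection, ~10 % jitter beacon above scores about 0.90 while the browsing-like host scores under 0.1. Raise `min_connections` for a day of logs, and combine the timing score with `orig_bytes`/`resp_bytes` consistency before escalating, since scheduled legitimate clients (NTP, update checks) are periodic too.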
## C2 Framework Signatures
| Framework | User Agent | URI Pattern | Default Port |
|-----------|-----------|-------------|--------------|
| Cobalt Strike | Mozilla/5.0 | /submit.php, /activity | 443 |
| Metasploit | (varies) | /random 4-8 chars | 4444 |
| Empire | Mozilla/5.0 | /login/process.php | 443 |
| Sliver | (custom) | /random UUID | 443 |

The user agents, URIs and ports above are framework defaults and are trivially changed (Cobalt Strike Malleable C2 profiles, Empire listener options, Metasploit handler settings); the Metasploit port is the `reverse_tcp` default, not an HTTP one. Treat these values as triage hints, not signatures.
## DNS Tunneling Indicators
| Indicator | Pattern |
|-----------|---------|
| Long subdomain | `[a-z0-9]{30,}\.domain\.com` |
| High query frequency | > 100 queries/hour to one domain |
| TXT record queries | Unusual volume of TXT lookups |
| High entropy | Shannon entropy > 3.5 in subdomain |
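
The four indicators in the table, checked together per registered domain, as an added example (not code from the original page or the skill repository). It takes dns.log-style tuples `(ts, id.orig_h, query, qtype_name)` and reports which indicators fire; the `3.5` entropy and `100 queries/hour` thresholds are the table's, the `0.5` TXT share is an assumption, and registered-domain extraction is a naive "last two labels" split (production code should use the public suffix list). The queries and hosts are constructed for the example.

```python
"""DNS tunneling indicators scored per registered domain.

Added example, not from the original page. Input is a list of
(ts, orig_h, query, qtype_name) tuples, i.e. the dns.log columns the
reference table points at.
"""
import math
import re
from collections import Counter, defaultdict

LONG_LABEL = re.compile(r"^[a-z0-9]{30,}$")


def shannon_entropy(text):
    """Bits per character of text's character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_domain(fqdn):
    """Return (subdomain, registered_domain) with a naive two-label split.
    Assumption for the example: real code should consult the public suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def max_queries_in_window(stamps, window=3600.0):
    """Largest number of timestamps that fall inside any `window` seconds."""
    stamps = sorted(stamps)
    best, left = 0, 0
    for right, t in enumerate(stamps):
        while t - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def score_domains(queries, rate_threshold=100, entropy_threshold=3.5, txt_share=0.5):
    """Per registered domain: counts, entropy and the list of fired indicators."""
    per_domain = defaultdict(lambda: {"ts": [], "long": 0, "txt": 0, "entropy": []})
    for ts, _orig, query, qtype in queries:
        sub, reg = split_domain(query)
        d = per_domain[reg]
        d["ts"].append(ts)
        if qtype == "TXT":
            d["txt"] += 1
        if any(LONG_LABEL.match(label) for label in sub.split(".") if label):
            d["long"] += 1
        d["entropy"].append(shannon_entropy(sub.replace(".", "")))

    report = {}
    for reg, d in per_domain.items():
        n = len(d["ts"])
        mean_entropy = sum(d["entropy"]) / n
        max_per_hour = max_queries_in_window(d["ts"])
        indicators = []
        if d["long"]:
            indicators.append("long_subdomain")
        if max_per_hour > rate_threshold:
            indicators.append("high_query_rate")
        if d["txt"] / n > txt_share:
            indicators.append("txt_heavy")
        if mean_entropy > entropy_threshold:
            indicators.append("high_entropy")
        report[reg] = {"queries": n, "max_per_hour": max_per_hour, "long_labels": d["long"],
                       "txt_share": d["txt"] / n, "mean_entropy": mean_entropy,
                       "indicators": indicators}
    return report


# Constructed sample (not captured traffic): 120 TXT queries, one every 20 s,
# whose 36-character labels are rotations of _ALPHABET (36 distinct chars, so
# each label has entropy log2(36) ~ 5.17 bits), plus a few ordinary A lookups.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
_BASE = 1700000000.0
SAMPLE_QUERIES = [
    (_BASE + 20 * i, "10.0.0.5", f"{_ALPHABET[i % 36:] + _ALPHABET[:i % 36]}.c2tunnel.example", "TXT")
    for i in range(120)
] + [
    (_BASE + 900 * k, "10.0.0.7", name, "A")
    for k, name in enumerate(["www.example.com", "mail.example.com", "www.example.com",
                              "www.example.com", "mail.example.com"])
]

if __name__ == "__main__":
    for reg, row in score_domains(SAMPLE_QUERIES).items():
        print(f"{reg}: n={row['queries']} max/h={row['max_per_hour']} "
              f"entropy={row['mean_entropy']:.2f} txt={row['txt_share']:.2f} -> {row['indicators']}")
```

Entropy alone is a weak signal (CDN and anti-virus telemetry labels are high-entropy too); the combination of rate, TXT share and label length is what separates the constructed tunnel domain from the ordinary lookups here.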
## JA3/JA3S TLS Fingerprinting
### JA3 Hash (Client)
```bash
# Zeek ssl.log fields ja3 (client) and ja3s (server) are added by the
# salesforce/ja3 Zeek package (zkg install ja3); stock ssl.log has neither.
# Known C2 JA3 hashes:
# Cobalt Strike: 72a589da586844d7f0818ce684948eea
# Metasploit: various
# Caveat: JA3 fingerprints the TLS library, not the implant. A beacon built on
# the OS TLS stack shares its hash with legitimate software using that stack,
# so treat a JA3 match as a pivot for further hunting, not a verdict.
```
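
How the `ja3` value in ssl.log is derived, as an added example (not code from the original page, the skill repository or the JA3 project): the JA3 string is `SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats`, each list joined with `-` in decimal and with GREASE values (RFC 8701) removed, and the hash is MD5 of that string. The ClientHello values below are constructed for the example, so the resulting hash is not a known-C2 indicator; the second hello shows why GREASE stripping matters.

```python
"""Compute a JA3 fingerprint from ClientHello parameters.

Added example, not from the original page. The hello values are
constructed; do not treat the resulting hash as an indicator.
"""
import hashlib

# GREASE values 0x0a0a, 0x1a1a, ..., 0xfafa are dropped before hashing;
# clients randomise them, so keeping them would never yield a stable hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _field(values):
    """Decimal, '-'-joined list with GREASE values removed, in hello order."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string. version is the ClientHello version field (771 = TLS 1.2)."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """MD5 of the JA3 string, i.e. the value Zeek's ja3 package logs."""
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(text.encode("ascii")).hexdigest()


# Constructed ClientHello parameters (not captured from any client):
# TLS 1.2 record version, 16 cipher suites, 17 extensions, 4 groups,
# uncompressed point format only. Hex values are GREASE placeholders.
SAMPLE_HELLO = {
    "version": 771,
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199, 49196, 49200,
                52393, 52392, 49171, 49172, 156, 157, 47, 53],
    "extensions": [0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51,
                   45, 43, 27, 0x2A2A, 21],
    "curves": [0x3A3A, 29, 23, 24],
    "point_formats": [0],
}

# Same hello with different GREASE values, as a randomising client would send.
SAMPLE_HELLO_REGREASED = dict(
    SAMPLE_HELLO,
    ciphers=[0x4A4A] + SAMPLE_HELLO["ciphers"][1:],
    extensions=[0x5A5A] + SAMPLE_HELLO["extensions"][1:-2] + [0x6A6A, 21],
    curves=[0x7A7A, 29, 23, 24],
)

if __name__ == "__main__":
    print(ja3_string(**SAMPLE_HELLO))
    print(ja3_hash(**SAMPLE_HELLO))
    print(ja3_hash(**SAMPLE_HELLO_REGREASED) == ja3_hash(**SAMPLE_HELLO))  # True
```

Because the hash covers only the cipher, extension and group lists, every client built on the same TLS library with the same configuration produces the same JA3; that is the reason for the caveat above, and why JA3S (the server side) and the SNI/`server_name` field should be joined to the ja3 value when pivoting.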
## Threat Intelligence Feeds
### Abuse.ch ThreatFox
abuse.ch APIs now require an `Auth-Key` from a (free) abuse.ch account; unauthenticated calls are rejected.
```http
POST https://threatfox-api.abuse.ch/api/v1/
Content-Type: application/json
Auth-Key: {key}

{"query": "search_ioc", "search_term": "1.2.3.4"}
```
### OTX AlienVault
```http
GET https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general
X-OTX-API-KEY: {key}
```
## RITA Beacon Analysis
```bash
# RITA 4.x command set; RITA 5 reworked the CLI, so check `rita --help` first
rita import /path/to/zeek/logs my_dataset
rita show-beacons my_dataset
rita show-long-connections my_dataset
rita show-dns-fqdn-pairs my_dataset
```