creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/hunting-for-data-exfiltration-indicators/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

1.4 KiB
Raw Blame History

API Reference: Data Exfiltration Detection

Exfiltration Methods (MITRE ATT&CK)

Technique ID Description
Exfiltration Over C2 Channel T1041 Via existing C2
Exfiltration Over Alternative Protocol T1048 DNS, ICMP, etc.
Exfiltration Over Web Service T1567 Cloud storage
Automated Exfiltration T1020 Scripted transfer

DNS Exfiltration Indicators

Indicator Threshold
Shannon entropy > 3.5
Subdomain length > 40 chars
Query volume per domain > 100/hour
TXT record responses > 500 bytes

Zeek Log Fields

conn.log

Field Description
ts Timestamp
id.orig_h Source IP
id.resp_h Destination IP
orig_bytes Bytes from source
resp_bytes Bytes from destination

dns.log

Field Description
query DNS query name
qtype_name Query type (A, TXT, etc.)
answers Response answers

Python Libraries

Library Use
csv Parse Zeek TSV logs
math Shannon entropy calculation
collections.defaultdict Aggregate statistics
dpkt PCAP parsing
scapy Packet-level analysis

Shannon Entropy Formula

H(X) = -sum(p(x) * log2(p(x)))

Normal domain: H < 3.0, Exfil encoded: H > 3.5

Reference in New Issue View Git Blame Copy Permalink