Anthropic-Cybersecurity-Skills/skills/implementing-anti-ransomware-group-policy/references/api-reference.md
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00


# API Reference: Anti-Ransomware Group Policy

## AppLocker PowerShell Cmdlets

### Get Effective Policy

```powershell
# List the rule collections (Exe, Script, Msi, Dll, Appx) of the policy currently in force
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
```

### Create AppLocker Rule

```powershell
# Deny executables from AppData paths for Everyone (SID S-1-1-0). New-AppLockerPolicy has no -Path/-Action
# parameters (it builds Allow rules from -FileInformation), so a Deny path rule is written as policy XML and merged.
@"
<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="NotConfigured"><FilePathRule Id="$([guid]::NewGuid())" Name="DenyAppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>
"@ | Set-Content -Path .\DenyAppData.xml
Set-AppLockerPolicy -XmlPolicy .\DenyAppData.xml -Merge
```

### Test AppLocker Policy

```powershell
# Evaluate a file against the effective policy. -PolicyObject takes the policy object;
# -XmlPolicy expects a path to an XML file, not XML text, so it cannot take Get-AppLockerPolicy -Xml inline.
Test-AppLockerPolicy -Path "C:\Users\test\AppData\Local\Temp\malware.exe" `
  -PolicyObject (Get-AppLockerPolicy -Effective)
```

### AppLocker Event Log IDs

| Event ID | Log | Description |
|---|---|---|
| 8003 | AppLocker/EXE | Allowed executable |
| 8004 | AppLocker/EXE | Blocked executable |
| 8005 | AppLocker/Script | Allowed script |
| 8006 | AppLocker/Script | Blocked script |
| 8007 | AppLocker/MSI | Allowed installer |
| 8008 | AppLocker/MSI | Blocked installer |

## Controlled Folder Access (CFA)

### Enable CFA

```powershell
Set-MpPreference -EnableControlledFolderAccess Enabled
```

### CFA Modes

| Value | Mode | Description |
|---|---|---|
| 0 | Disabled | No protection |
| 1 | Enabled | Block unauthorized modifications |
| 2 | Audit | Log but do not block |
| 6 | BlockDiskModificationOnly | Block disk-level changes only |

### Add Protected Folders

```powershell
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Finance"
```

### Add Allowed Applications

```powershell
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\app.exe"
```

### CFA Event IDs

| Event ID | Log | Description |
|---|---|---|
| 1123 | Defender/Operational | Blocked file modification |
| 1124 | Defender/Operational | Audited file modification |

## Attack Surface Reduction (ASR) Rules

### Enable ASR Rule

```powershell
# <GUID> is one of the rule IDs listed below; Enabled puts the rule in block mode
Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> `
  -AttackSurfaceReductionRules_Actions Enabled
```

### ASR Rule Actions

| Value | Action |
|---|---|
| 0 | Disabled |
| 1 | Block |
| 2 | Audit |
| 6 | Warn |

### Key Anti-Ransomware ASR Rule GUIDs

| GUID | Rule |
|---|---|
| BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block executable content from email |
| D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Block Office child processes |
| 3B576869-A4EC-4529-8536-B80A7769E899 | Block Office executable content creation |
| 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Block Office code injection |
| D3E037E1-3EB8-44C8-A917-57927947596D | Block JS/VBS downloaded executables |
| 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block obfuscated scripts |
| 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block Win32 API from Office macros |

### ASR Event IDs

| Event ID | Log | Description |
|---|---|---|
| 1121 | Defender/Operational | ASR rule fired in block mode |
| 1122 | Defender/Operational | ASR rule fired in audit mode |
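The cmdlets and event IDs above are the building blocks; a posture check ties them together. This added script (not part of the skill's own reference) reports the state of the seven ASR rules in the table, the CFA setting, and recent Defender/AppLocker block and audit events. It assumes Microsoft Defender is the active antivirus and that it runs in an elevated PowerShell session.

```powershell
# Added posture check: compare the host's Get-MpPreference state with the rule table above.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office executable content creation'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office code injection'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API from Office macros'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# The Ids and Actions arrays are parallel; GUID case varies, so index them upper-cased.
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i]) { $configured[$ids[$i].ToUpper()] = [int]$actions[$i] }
}

$asrRules.GetEnumerator() | ForEach-Object {
    $action = $configured[$_.Key]
    $state  = if ($null -eq $action) { 'NotConfigured' } else { $actionNames[$action] }
    [pscustomobject]@{ Rule = $_.Value; Guid = $_.Key; State = $state }
} | Sort-Object State | Format-Table -AutoSize

# Raw CFA value (see the CFA Modes table) and the folders it protects.
"Controlled Folder Access mode: $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"

# Count recent ASR (1121/1122), CFA (1123/1124) and AppLocker EXE (8003/8004) events.
$filters = @(
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122, 1123, 1124 }
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';         Id = 8003, 8004 }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -MaxEvents 200 -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}
```

A rule that shows as NotConfigured or Audit after the GPO has applied is the usual sign that the policy did not reach the host or is being overridden locally.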

## GPO Paths Reference

### AppLocker

```
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker
```

### Controlled Folder Access

```
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access
```

### Attack Surface Reduction

```
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction
```

### Network Restrictions

All three live under Computer Configuration → Administrative Templates:

```
Network → Lanman Workstation                     (SMB settings)
Windows Components → Remote Desktop Services     (RDP settings)
Windows Components → AutoPlay Policies           (AutoPlay/AutoRun)
```

## GPResult Verification

```cmd
:: Check applied GPOs
gpresult /r /scope:computer

:: Generate HTML report
gpresult /h gpo_report.html

:: Super-verbose RSoP output, for checking a specific policy setting
gpresult /z /scope:computer
```