creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 23:14:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-anti-ransomware-group-policy/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

139 lines
3.9 KiB
Markdown
Raw Blame History

# API Reference: Anti-Ransomware Group Policy
## AppLocker PowerShell Cmdlets
### Get Effective Policy
```powershell
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
```
### Create AppLocker Rule
```powershell
# Deny executables from AppData paths
New-AppLockerPolicy -RuleType Path -RuleNamePrefix "DenyAppData" `
-Path "%USERPROFILE%\AppData\*" -Action Deny -User Everyone
```
### Test AppLocker Policy
```powershell
Test-AppLockerPolicy -Path "C:\Users\test\AppData\Local\Temp\malware.exe" `
-XmlPolicy (Get-AppLockerPolicy -Effective -Xml)
```
### AppLocker Event Log IDs
| Event ID | Log | Description |
|----------|-----|-------------|
| 8003 | AppLocker/EXE | Allowed executable |
| 8004 | AppLocker/EXE | Blocked executable |
| 8005 | AppLocker/Script | Allowed script |
| 8006 | AppLocker/Script | Blocked script |
| 8007 | AppLocker/MSI | Allowed installer |
| 8008 | AppLocker/MSI | Blocked installer |
## Controlled Folder Access (CFA)
### Enable CFA
```powershell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
### CFA Modes
| Value | Mode | Description |
|-------|------|-------------|
| 0 | Disabled | No protection |
| 1 | Enabled | Block unauthorized modifications |
| 2 | Audit | Log but do not block |
| 6 | BlockDiskModificationOnly | Block disk-level changes only |
### Add Protected Folders
```powershell
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Finance"
```
### Add Allowed Applications
```powershell
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\app.exe"
```
### CFA Event IDs
| Event ID | Log | Description |
|----------|-----|-------------|
| 1123 | Defender/Operational | Blocked file modification |
| 1124 | Defender/Operational | Audited file modification |
## Attack Surface Reduction (ASR) Rules
### Enable ASR Rule
```powershell
Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> `
-AttackSurfaceReductionRules_Actions Enabled
```
### ASR Rule Actions
| Value | Action |
|-------|--------|
| 0 | Disabled |
| 1 | Block |
| 2 | Audit |
| 6 | Warn |
### Key Anti-Ransomware ASR Rule GUIDs
| GUID | Rule |
|------|------|
| BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block executable content from email |
| D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Block Office child processes |
| 3B576869-A4EC-4529-8536-B80A7769E899 | Block Office executable content creation |
| 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Block Office code injection |
| D3E037E1-3EB8-44C8-A917-57927947596D | Block JS/VBS downloaded executables |
| 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block obfuscated scripts |
| 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block Win32 API from Office macros |
### ASR Event IDs
| Event ID | Log | Description |
|----------|-----|-------------|
| 1121 | Defender/Operational | ASR rule fired in block mode |
| 1122 | Defender/Operational | ASR rule fired in audit mode |
## GPO Paths Reference
### AppLocker
```
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker
```
### Controlled Folder Access
```
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access
```
### Attack Surface Reduction
```
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction
```
### Network Restrictions
```
Computer Configuration → Administrative Templates →
Network → Lanman Workstation (SMB settings)
Windows Components → Remote Desktop Services (RDP settings)
Windows Components → AutoPlay Policies (AutoPlay/AutoRun)
```
## GPResult Verification
```powershell
# Check applied GPOs
gpresult /r /scope:computer
# Generate HTML report
gpresult /h gpo_report.html
# Check specific policy RSoP
gpresult /z /scope:computer
```
Reference in New Issue View Git Blame Copy Permalink