mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.7 KiB
2.7 KiB
Adversary-in-the-Middle (AiTM) Phishing Detection - API Reference
AiTM Attack Overview
AiTM phishing uses a reverse proxy between the victim and legitimate login page to intercept session cookies in real-time, bypassing MFA. Common frameworks: Evilginx2, Modlishka, Muraena.
Attack Chain:
- Victim clicks phishing link
- Reverse proxy forwards request to real login page
- Victim enters credentials and completes MFA
- Proxy captures session cookie
- Attacker replays session cookie from different location
Azure AD / Entra ID Sign-In Logs
Export via Microsoft Graph API
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
Key Fields
| Field | Type | Description |
|---|---|---|
userPrincipalName |
string | User email |
createdDateTime |
ISO-8601 | Sign-in timestamp |
ipAddress |
string | Source IP address |
location.latitude |
float | Geo-location latitude |
location.longitude |
float | Geo-location longitude |
deviceDetail.displayName |
string | Device name |
correlationId |
string | Session correlation ID |
userAgent |
string | Browser user agent |
Detection Methods
Impossible Travel
Calculates Haversine great-circle distance between consecutive logins. If distance / time > 900 km/h (commercial flight speed) and distance > 100km, flags as suspicious.
Suspicious Inbox Rules
AiTM attackers commonly create rules to:
- Forward emails to external address (
forwardTo,redirectTo) - Delete incoming emails (
moveToDeletedItems,permanentDelete) - Auto-read messages (
markAsRead) - Filter on keywords: invoice, payment, wire, bank, password
Token Replay Detection
Multiple IPs and devices in a short timeframe for the same user session indicates stolen session token replay.
Inbox Rules Format
[
{
"displayName": "rule1",
"mailboxOwner": "user@example.com",
"actions": {"forwardTo": [{"emailAddress": {"address": "attacker@evil.com"}}]},
"conditions": {"subjectContains": ["invoice", "payment"]},
"createdDateTime": "2024-01-15T10:00:00Z"
}
]
Haversine Formula
from math import radians, cos, sin, asin, sqrt
def haversine_km(lat1, lon1, lat2, lon2):
lat1, lon1, lat2, lon2 = map(radians, [lat1, lon1, lat2, lon2])
dlat, dlon = lat2 - lat1, lon2 - lon1
a = sin(dlat/2)**2 + cos(lat1) * cos(lat2) * sin(dlon/2)**2
return 2 * 6371 * asin(sqrt(a))
Output Schema
{
"report": "aitm_phishing_detection",
"total_sign_ins_analyzed": 5000,
"total_findings": 8,
"severity_summary": {"critical": 3, "high": 5},
"findings": [{"type": "impossible_travel", "severity": "critical"}]
}
CLI Usage
python agent.py --logs signin_logs.json --inbox-rules rules.json --output report.json