mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
91 lines
2.7 KiB
Markdown
91 lines
2.7 KiB
Markdown
# Adversary-in-the-Middle (AiTM) Phishing Detection - API Reference
|
|
|
|
## AiTM Attack Overview
|
|
|
|
AiTM phishing uses a reverse proxy between the victim and legitimate login page to intercept session cookies in real-time, bypassing MFA. Common frameworks: Evilginx2, Modlishka, Muraena.
|
|
|
|
**Attack Chain:**
|
|
1. Victim clicks phishing link
|
|
2. Reverse proxy forwards request to real login page
|
|
3. Victim enters credentials and completes MFA
|
|
4. Proxy captures session cookie
|
|
5. Attacker replays session cookie from different location
|
|
|
|
## Azure AD / Entra ID Sign-In Logs
|
|
|
|
### Export via Microsoft Graph API
|
|
```
|
|
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
|
|
```
|
|
|
|
### Key Fields
|
|
|
|
| Field | Type | Description |
|
|
|-------|------|-------------|
|
|
| `userPrincipalName` | string | User email |
|
|
| `createdDateTime` | ISO-8601 | Sign-in timestamp |
|
|
| `ipAddress` | string | Source IP address |
|
|
| `location.latitude` | float | Geo-location latitude |
|
|
| `location.longitude` | float | Geo-location longitude |
|
|
| `deviceDetail.displayName` | string | Device name |
|
|
| `correlationId` | string | Session correlation ID |
|
|
| `userAgent` | string | Browser user agent |
|
|
|
|
## Detection Methods
|
|
|
|
### Impossible Travel
|
|
Calculates Haversine great-circle distance between consecutive logins. If `distance / time > 900 km/h` (commercial flight speed) and distance > 100km, flags as suspicious.
|
|
|
|
### Suspicious Inbox Rules
|
|
AiTM attackers commonly create rules to:
|
|
- Forward emails to external address (`forwardTo`, `redirectTo`)
|
|
- Delete incoming emails (`moveToDeletedItems`, `permanentDelete`)
|
|
- Auto-read messages (`markAsRead`)
|
|
- Filter on keywords: invoice, payment, wire, bank, password
|
|
|
|
### Token Replay Detection
|
|
Multiple IPs and devices in a short timeframe for the same user session indicates stolen session token replay.
|
|
|
|
## Inbox Rules Format
|
|
|
|
```json
|
|
[
|
|
{
|
|
"displayName": "rule1",
|
|
"mailboxOwner": "user@example.com",
|
|
"actions": {"forwardTo": [{"emailAddress": {"address": "attacker@evil.com"}}]},
|
|
"conditions": {"subjectContains": ["invoice", "payment"]},
|
|
"createdDateTime": "2024-01-15T10:00:00Z"
|
|
}
|
|
]
|
|
```
|
|
|
|
## Haversine Formula
|
|
|
|
```python
|
|
from math import radians, cos, sin, asin, sqrt
|
|
def haversine_km(lat1, lon1, lat2, lon2):
|
|
lat1, lon1, lat2, lon2 = map(radians, [lat1, lon1, lat2, lon2])
|
|
dlat, dlon = lat2 - lat1, lon2 - lon1
|
|
a = sin(dlat/2)**2 + cos(lat1) * cos(lat2) * sin(dlon/2)**2
|
|
return 2 * 6371 * asin(sqrt(a))
|
|
```
|
|
|
|
## Output Schema
|
|
|
|
```json
|
|
{
|
|
"report": "aitm_phishing_detection",
|
|
"total_sign_ins_analyzed": 5000,
|
|
"total_findings": 8,
|
|
"severity_summary": {"critical": 3, "high": 5},
|
|
"findings": [{"type": "impossible_travel", "severity": "critical"}]
|
|
}
|
|
```
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --logs signin_logs.json --inbox-rules rules.json --output report.json
|
|
```
|