Anthropic-Cybersecurity-Skills/skills/performing-malware-ioc-extraction/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference — Performing Malware IOC Extraction
## Libraries Used
- **re**: Regex patterns for 16 IOC types including defanged indicators
- **hashlib**: MD5, SHA1, SHA256 file hashing
- **pathlib**: File reading (text and binary)
## CLI Interface
```
python agent.py text --file threat_report.txt
python agent.py hash --file malware.exe
python agent.py strings --file malware.exe [--min-length 6]
python agent.py report --file malware.exe [--output iocs.json]
```
## Core Functions
### `extract_iocs_from_text(text)` — Extract IOCs with defanging support
Handles defanged indicators: `[.]` -> `.`, `hxxp` -> `http`. Filters private IPs.
### `extract_from_file(file_path)` — Extract IOCs from text/report files
### `hash_file(file_path)` — Calculate MD5/SHA1/SHA256 hashes
### `extract_strings(file_path, min_length)` — Binary string extraction
Extracts ASCII and wide (UTF-16LE) strings. Identifies suspicious API calls and keywords.
### `generate_ioc_report(file_path, output)` — Full analysis report
## IOC Pattern Types (16)
| Type | Example |
|------|---------|
| ipv4 | 192.168.1.1 (private filtered) |
| domain | evil.example.com |
| url | https://malware.example.com/payload |
| md5/sha1/sha256 | File hashes |
| cve | CVE-2024-12345 |
| registry_key | HKLM\Software\... |
| file_path_windows | C:\Windows\Temp\mal.exe |
| mutex | Global\MutexName |
| mitre_technique | T1059.001 |
| bitcoin_addr | Bitcoin wallet address |
| user_agent | Mozilla/5.0 strings |
## Suspicious String Keywords
CreateRemoteThread, VirtualAlloc, WriteProcessMemory, LoadLibrary,
GetProcAddress, WinExec, ShellExecute, powershell, cmd.exe
## Dependencies
No external packages — Python standard library only.