Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-kill-switch-detection/references/api-reference.md
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00


# API Reference: Ransomware Kill Switch Detection

## Windows Mutex (Mutant) APIs

### CreateMutex (kernel32.dll)

```c
HANDLE CreateMutexW(
  LPSECURITY_ATTRIBUTES lpMutexAttributes,  // NULL for default
  BOOL bInitialOwner,                       // TRUE to own immediately
  LPCWSTR lpName                            // Named mutex string
);
// Returns: Handle to mutex, or NULL on failure
// GetLastError() == ERROR_ALREADY_EXISTS (183) if the mutex already exists;
// a valid handle to the existing object is still returned in that case
```

### OpenMutex (kernel32.dll)

```c
HANDLE OpenMutexW(
  DWORD dwDesiredAccess,  // SYNCHRONIZE (0x00100000)
  BOOL bInheritHandle,    // FALSE
  LPCWSTR lpName          // Named mutex string
);
// Returns: Handle if exists, NULL if not found
```

### PowerShell Mutex Operations

```powershell
# Create a named mutex; $created is $true if this call created it,
# $false if another process already held the name
$created = $false
$m = New-Object System.Threading.Mutex($true, "Global\MutexName", [ref]$created)

# Check if mutex exists (OpenExisting throws WaitHandleCannotBeOpenedException when it does not)
try {
  $m = [System.Threading.Mutex]::OpenExisting("Global\MutexName")
  "EXISTS"
} catch { "NOT_FOUND" }
```

## Known Ransomware Kill Switch Mutexes

| Mutex Name | Family | Notes |
|---|---|---|
| `Global\MsWinZonesCacheCounterMutexA` | WannaCry | Single-instance guard |
| `Global\kasKDJSAFJauisiudUASIIQWUA82` | Conti | Instance mutex |
| `Global\YOURPRODUCT_MUTEX` | Ryuk variant | Instance guard |
| `Global\JhbGjhBsSQjz` | Maze | Single-instance check |
| `Global\{GUID-based}` | LockBit | Machine-specific GUID |
| `Global\sdjfhksjdhfsd` | Generic builders | Common in kits |

## Known Kill Switch Domains

| Domain | Family | Discovered By |
|---|---|---|
| `iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` | WannaCry v1 | MalwareTech (2017) |
| `fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com` | WannaCry v1 | Secondary switch |

## Sysmon Configuration for Mutex Detection

### Event ID 1 - Process Creation

Sysmon has no event for mutex creation; this filter records process creations whose image lies outside `C:\Windows\` so they can be correlated with the handle and Velociraptor checks below.

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="excludes">C:\Windows\</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
```

## Velociraptor Mutex Hunting

### Windows.Detection.Mutants Artifact

Named mutexes live in the object manager namespace (`\BaseNamedObjects`), which the filesystem `glob()` plugin cannot enumerate. Enumerate Mutant handles per process with the `handles()` plugin instead and filter on the object name:

```sql
SELECT Pid, Name, Type
FROM foreach(
    row={ SELECT Pid FROM pslist() },
    query={ SELECT Pid, Name, Type FROM handles(pid=Pid, types='Mutant') })
WHERE Name =~ "MsWinZonesCacheCounterMutexA|kasKDJSAF|YOURPRODUCT"
```

### Sysinternals Handle Tool

```cmd
handle.exe -a | findstr /i "Mutant"
handle.exe -a -p <PID> | findstr /i "Mutant"
```

## DNS Kill Switch Monitoring

### Python DNS Resolution Check

```python
import socic

def check_domain(domain):
    """Report whether a kill switch domain resolves.

    A registered (sinkholed) domain resolves; an unregistered one raises
    socket.gaierror, which is reported as resolves=False.
    """
    try:
        ip = socket.gethostbyname(domain)
        return {"resolves": True, "ip": ip}
    except socket.gaierror:
        return {"resolves": False}
```

### Passive DNS Services

| Service | URL | Notes |
|---|---|---|
| VirusTotal | virustotal.com | Domain resolution history |
| PassiveTotal | community.riskiq.com | DNS record history |
| SecurityTrails | securitytrails.com | Domain intelligence |

## Malware Mutex Database

### albertzsigovits/malware-mutex (GitHub)

- URL: https://github.com/albertzsigovits/malware-mutex
- Format: JSON with mutex name, malware family, source reference

### ANY.RUN Mutex Search

- URL: https://any.run/cybersecurity-blog/mutex-search-in-ti-lookup/
- Search: Threat Intelligence Lookup → Synchronization → Mutex name

## Mutex Vaccination Deployment Methods

| Method | Persistence | Scope |
|---|---|---|
| GPO Startup Script | Survives reboot | Domain-wide |
| Scheduled Task (at logon) | Survives reboot | Per-machine |
| Windows Service | Survives reboot | Per-machine |
| Manual PowerShell | Until reboot | Current session |

### GPO Startup Script Path

Computer Configuration → Policies → Windows Settings → Scripts (Startup/Shutdown) → Startup → Add Script
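Combining the PowerShell mutex operations with the vaccination deployment methods, here is an added example (not the skill's own reference code and not from the repository): a script that checks each known mutex from the table above and, with `-Vaccinate`, creates and holds the ones not yet present. The parameter names and the chosen subset of mutex names are this example's own assumptions.

```powershell
param(
    [switch]$Vaccinate,   # create the mutexes instead of only reporting on them
    [string[]]$MutexNames = @(
        'Global\MsWinZonesCacheCounterMutexA',   # WannaCry
        'Global\kasKDJSAFJauisiudUASIIQWUA82',   # Conti
        'Global\YOURPRODUCT_MUTEX',              # Ryuk variant
        'Global\JhbGjhBsSQjz'                    # Maze
    )
)

# Handles kept open so the vaccinated mutexes outlive the loop below.
$held = @()

foreach ($name in $MutexNames) {
    # Detection: OpenExisting succeeds only if some process already holds the name.
    try {
        $existing = [System.Threading.Mutex]::OpenExisting($name)
        $existing.Dispose()
        Write-Warning "ALREADY PRESENT: $name (possible infection or earlier vaccination)"
        continue
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        Write-Output "not present: $name"
    } catch [System.UnauthorizedAccessException] {
        Write-Warning "PRESENT but access denied: $name"
        continue
    }

    if ($Vaccinate) {
        # Mutex(initiallyOwned, name, [ref]createdNew): createdNew is $false if we lost a race.
        $createdNew = $false
        $m = New-Object System.Threading.Mutex($false, $name, [ref]$createdNew)
        if ($createdNew) {
            $held += $m
            Write-Output "vaccinated: $name"
        } else {
            $m.Dispose()
            Write-Warning "RACE: $name appeared between check and create"
        }
    }
}

if ($held.Count -gt 0) {
    # A named mutex disappears when its last handle closes, so the process must stay
    # resident; deploy as a startup script, scheduled task or service to survive reboots.
    Write-Output "Holding $($held.Count) mutex handle(s); press Ctrl+C to release."
    while ($true) { Start-Sleep -Seconds 60 }
}
```

Run without `-Vaccinate` as a read-only check on a suspect host; with it, the script only reports success for names it created itself, so an "ALREADY PRESENT" line on an unvaccinated machine warrants triage.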