creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d833f0eab9efd8b4d045d9f2142be20683066eec
Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-kill-switch-detection/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

133 lines
3.7 KiB
Markdown
Raw Blame History

# API Reference: Ransomware Kill Switch Detection
## Windows Mutex (Mutant) APIs
### CreateMutex (kernel32.dll)
```c
HANDLE CreateMutexW(
LPSECURITY_ATTRIBUTES lpMutexAttributes, // NULL for default
BOOL bInitialOwner, // TRUE to own immediately
LPCWSTR lpName // Named mutex string
);
// Returns: Handle to mutex, or NULL on failure
// GetLastError() == ERROR_ALREADY_EXISTS (183) if mutex already exists
```
### OpenMutex (kernel32.dll)
```c
HANDLE OpenMutexW(
DWORD dwDesiredAccess, // SYNCHRONIZE (0x00100000)
BOOL bInheritHandle, // FALSE
LPCWSTR lpName // Named mutex string
);
// Returns: Handle if exists, NULL if not found
```
### PowerShell Mutex Operations
```powershell
# Create a named mutex
$created = $false
$m = New-Object System.Threading.Mutex($true, "Global\MutexName", [ref]$created)
# Check if mutex exists
try {
$m = [System.Threading.Mutex]::OpenExisting("Global\MutexName")
"EXISTS"
} catch { "NOT_FOUND" }
```
## Known Ransomware Kill Switch Mutexes
| Mutex Name | Family | Notes |
|-----------|--------|-------|
| Global\MsWinZonesCacheCounterMutexA | WannaCry | Single-instance guard |
| Global\kasKDJSAFJauisiudUASIIQWUA82 | Conti | Instance mutex |
| Global\YOURPRODUCT_MUTEX | Ryuk variant | Instance guard |
| Global\JhbGjhBsSQjz | Maze | Single-instance check |
| Global\{GUID-based} | LockBit | Machine-specific GUID |
| Global\sdjfhksjdhfsd | Generic builders | Common in kits |
## Known Kill Switch Domains
| Domain | Family | Discovered By |
|--------|--------|--------------|
| iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | WannaCry v1 | MalwareTech (2017) |
| fferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | WannaCry v1 | Secondary switch |
## Sysmon Configuration for Mutex Detection
### Event ID 1 - Process Creation
```xml
<Sysmon schemaversion="4.90">
<EventFiltering>
<ProcessCreate onmatch="include">
<Image condition="excludes">C:\Windows\</Image>
</ProcessCreate>
</EventFiltering>
</Sysmon>
```
## Velociraptor Mutex Hunting
### Windows.Detection.Mutants Artifact
```sql
SELECT * FROM glob(globs="\\BaseNamedObjects\\*")
WHERE Name =~ "MsWinZonesCacheCounterMutexA|kasKDJSAF|YOURPRODUCT"
```
### Sysinternals Handle Tool
```cmd
handle.exe -a | findstr /i "Mutant"
handle.exe -a -p <PID> | findstr /i "Mutant"
```
## DNS Kill Switch Monitoring
### Python DNS Resolution Check
```python
import socket
def check_domain(domain):
try:
ip = socket.gethostbyname(domain)
return {"resolves": True, "ip": ip}
except socket.gaierror:
return {"resolves": False}
```
### Passive DNS Services
| Service | URL | Notes |
|---------|-----|-------|
| VirusTotal | virustotal.com | Domain resolution history |
| PassiveTotal | community.riskiq.com | DNS record history |
| SecurityTrails | securitytrails.com | Domain intelligence |
## Malware Mutex Database
### albertzsigovits/malware-mutex (GitHub)
```
URL: https://github.com/albertzsigovits/malware-mutex
Format: JSON with mutex name, malware family, source reference
```
### ANY.RUN Mutex Search
```
URL: https://any.run/cybersecurity-blog/mutex-search-in-ti-lookup/
Search: Threat Intelligence Lookup → Synchronization → Mutex name
```
## Mutex Vaccination Deployment Methods
| Method | Persistence | Scope |
|--------|------------|-------|
| GPO Startup Script | Survives reboot | Domain-wide |
| Scheduled Task (at logon) | Survives reboot | Per-machine |
| Windows Service | Survives reboot | Per-machine |
| Manual PowerShell | Until reboot | Current session |
### GPO Startup Script Path
```
Computer Configuration → Policies → Windows Settings →
Scripts (Startup/Shutdown) → Startup → Add Script
```
Reference in New Issue View Git Blame Copy Permalink