creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 13:14:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ef27f026cbd32f7da41adf21c7305ea055443c66
Anthropic-Cybersecurity-Skills/skills/analyzing-ransomware-network-indicators/SKILL.md
T
mukul975 ef27f026cb feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter 
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
2026-04-06 01:56:17 +02:00

2.5 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques
name description domain subdomain tags version author license d3fend_techniques
analyzing-ransomware-network-indicators Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis cybersecurity threat-hunting
ransomware
c2-beaconing
zeek
netflow
tor
exfiltration
network-forensics
1.0 mahipal Apache-2.0
File Metadata Consistency Validation
Certificate Analysis
Application Protocol Command Analysis
Content Format Conversion
File Content Analysis

Analyzing Ransomware Network Indicators

Overview

Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.

When to Use

  • When investigating security incidents that require analyzing ransomware network indicators
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Zeek conn.log files or NetFlow CSV/JSON exports
  • Python 3.8+ with standard library
  • TOR exit node list (fetched from Tor Project or threat intel feeds)
  • Optional: Known ransomware C2 IOC list

Steps

  1. Parse Connection Logs — Ingest Zeek conn.log (TSV) or NetFlow records into structured format
  2. Detect Beaconing Patterns — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks
  3. Check TOR Exit Node Connections — Cross-reference destination IPs against current TOR exit node list
  4. Identify Data Exfiltration — Flag connections with unusually high outbound byte ratios to external IPs
  5. Analyze DNS Patterns — Detect DGA-like domain queries and high-entropy subdomains
  6. Score and Correlate — Apply composite risk scoring across all indicator types
  7. Generate Report — Produce structured report with timeline and MITRE ATT&CK mapping

Expected Output

  • JSON report with beaconing detections and interval statistics
  • TOR exit node connection alerts
  • Data exfiltration flow analysis
  • Composite ransomware risk score with MITRE mapping (T1071, T1573, T1041)
Reference in New Issue View Git Blame Copy Permalink