detecting-ransomware-precursors-in-network

Featured

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Detecting Ransomware Precursors in Network Traffic

## When to Use

- Building detection rules for pre-ransomware network activity (the average time from Cobalt Strike deployment to encryption is 17 minutes)
- Monitoring for initial access broker (IAB) indicators that precede ransomware deployment
- Creating SIEM correlation rules that chain multiple precursor events into high-confidence alerts
- Tuning network detection systems to distinguish ransomware staging from normal administrative activity
- Investigating suspicious network patterns that may indicate ransomware operators have established a foothold

**Do not use** for post-encryption response (see recovering-from-ransomware-attack). This skill focuses on the pre-encryption detection window where containment can prevent data loss.

## Prerequisites

- Network detection platform (Zeek/Bro, Suricata, or Arkime/Moloch) deployed on network TAP or SPAN ports
- SIEM platform (Splunk, Elastic Security, Microsoft Sentinel, or QRadar) ingesting network logs
- Threat intelligence feeds covering ransomware IOCs (CISA, abuse.ch, OTX, MISP)
- Network flow data (NetFlow/IPFIX) from core routers and firewalls
- DNS query logging from internal resolvers
- Full packet capture capability for incident investigation

## Workflow

### Step 1: Identify Ransomware Kill Chain Phases in Network Traffic

Map network-observable indicators to each pre-encryption phase:

| Kill Chain Phase | Network Indicators | Detection Source |
|-------------...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

analyzing-ransomware-network-indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

12,642 Updated today
mukul975
AI & Automation Featured

implementing-ransomware-kill-switch-detection

Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-ransomware-encryption-behavior

Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.

12,642 Updated today
mukul975
AI & Automation Featured

building-soc-playbook-for-ransomware

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

12,642 Updated today
mukul975
AI & Automation Featured

performing-ransomware-response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

12,642 Updated today
mukul975