analyzing-ransomware-network-indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-ransomware-network-indicators" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-ransomware-network-indicators

Analyzing Ransomware Network Indicators

Overview

Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.

Prerequisites

  • Zeek conn.log files or NetFlow CSV/JSON exports
  • Python 3.8+ with standard library
  • TOR exit node list (fetched from Tor Project or threat intel feeds)
  • Optional: Known ransomware C2 IOC list

Steps

  1. Parse Connection Logs — Ingest Zeek conn.log (TSV) or NetFlow records into structured format
  2. Detect Beaconing Patterns — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks
  3. Check TOR Exit Node Connections — Cross-reference destination IPs against current TOR exit node list
  4. Identify Data Exfiltration — Flag connections with unusually high outbound byte ratios to external IPs
  5. Analyze DNS Patterns — Detect DGA-like domain queries and high-entropy subdomains
  6. Score and Correlate — Apply composite risk scoring across all indicator types
  7. Generate Report — Produce structured report with timeline and MITRE ATT&CK mapping

Expected Output

  • JSON report with beaconing detections and interval statistics
  • TOR exit node connection alerts
  • Data exfiltration flow analysis
  • Composite ransomware risk score with MITRE mapping (T1071, T1573, T1041)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-cyber-kill-chain

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-network-traffic-with-wireshark

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975