
analyzing-ransomware-network-indicators

by mukul975

analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.

Stars: 6.1k
Favorites: 0
Comments: 0
Added: May 9, 2026
Category: Security Audit
Install command: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-ransomware-network-indicators
Curation Score: 78/100

This skill scores 78/100, which means it is a solid listing candidate for directory users who need ransomware network-indicator analysis. The repository provides a real, specific workflow for Zeek conn.log and NetFlow review, so users can judge fit and expect less guesswork than with a generic prompt, though it would benefit from more explicit operational steps and install guidance.
Strengths
  • Specific trigger/use-case: ransomware C2 beaconing, TOR exit-node connections, exfiltration flows, and key exchange analysis are clearly named in the description and overview.
  • Reusable workflow support: the repo includes a Python script and an API reference with beaconing and TOR-detection logic, which improves agent leverage.
  • Good task framing: the SKILL.md includes when-to-use and prerequisites sections, helping agents and users understand applicability quickly.
Cautions
  • Install friction: there is no install command in SKILL.md, so users may need to infer how to activate or wire the skill.
  • Workflow still needs more operational detail: the excerpts show core detection logic, but the directory user may want clearer end-to-end execution steps and output expectations.
Overview

Overview of analyzing-ransomware-network-indicators skill

The analyzing-ransomware-network-indicators skill helps you detect ransomware-related network behavior from Zeek conn.log and NetFlow data. It is most useful for incident responders, SOC analysts, and threat hunters who need to confirm whether suspicious traffic matches common ransomware patterns such as C2 beaconing, TOR usage, exfiltration, or key-exchange activity.

What makes the analyzing-ransomware-network-indicators skill practical is that it is not just a concept checklist. It is grounded in a small analysis workflow with an API reference and a Python helper script, so it supports repeatable triage instead of one-off prompt guessing. If you already have network logs and need a structured way to interpret them for Security Audit or IR review, this skill is a good fit.

Best fit for ransomware network triage

Use this skill when the question is, “Do these connections look like ransomware infrastructure or staging?” It is a strong match for:

  • Zeek conn.log review
  • NetFlow export analysis
  • Beaconing pattern checks
  • TOR exit node cross-referencing
  • Outbound data transfer and suspicious DNS review

What this skill is trying to answer

The analyzing-ransomware-network-indicators skill focuses on practical detection questions: which hosts talked to unusual destinations, whether callbacks are periodic, whether traffic aligns with known TOR exits, and whether large outbound flows suggest exfiltration. That makes it more useful for analyst workflow than a generic cybersecurity prompt.

When it is not a good fit

Do not use this skill if you only have endpoint telemetry, memory artifacts, or malware samples with no network evidence. It also is not a full ransomware reverse-engineering workflow. If your task is payload analysis, decryptor development, or forensic timeline reconstruction, choose a different skill.

How to Use analyzing-ransomware-network-indicators skill

Install and inspect the skill

To install analyzing-ransomware-network-indicators, add the skill from the repository path and then read the skill files in this order: SKILL.md, references/api-reference.md, and scripts/agent.py. The script shows which fields the workflow expects, while the reference file shows the exact indicators and thresholds the skill is built around.

Prepare the right inputs

The analyzing-ransomware-network-indicators usage pattern works best when you provide:

  • Zeek conn.log or NetFlow CSV/JSON
  • The time window of concern
  • Any known internal asset or user that triggered the alert
  • A short hypothesis, such as “possible ransomware beaconing after phishing”

If possible, normalize your logs first. The skill is strongest when records are consistent enough to group by source, destination, and port.

Turn a rough prompt into a useful request

A weak request is: “Analyze this log for ransomware.”
A better one is: “Use analyzing-ransomware-network-indicators to review this Zeek conn.log for periodic beaconing, TOR exit node destinations, and high-volume outbound transfers from 10.10.4.23 between 02:00 and 04:00 UTC.”

That version gives the skill enough context to focus on the right hosts, time range, and indicators.

Read the workflow files first

For a fast orientation to analyzing-ransomware-network-indicators, start with:

  • references/api-reference.md for field names, beaconing thresholds, and TOR lookup workflow
  • scripts/agent.py for parsing assumptions and output logic
  • SKILL.md for the intended investigation sequence and prerequisites

These files tell you how to adapt the skill to your own tooling instead of treating it like a black box.

analyzing-ransomware-network-indicators skill FAQ

Is this only for ransomware cases?

No. The analyzing-ransomware-network-indicators skill is useful whenever you need to test whether traffic resembles ransomware infrastructure or staged exfiltration. That includes broader threat-hunting and Security Audit work, especially when you want to rule in or rule out suspicious network behavior.

Do I need Zeek to use it?

Zeek is the cleanest fit, but the skill also supports NetFlow-style inputs. If you only have summary flow logs, you can still use the skill, though you may lose some fidelity for DNS or protocol detail.

Is this better than a normal prompt?

Usually yes. A normal prompt can describe ransomware indicators, but analyzing-ransomware-network-indicators gives you a tighter analysis path, reusable field assumptions, and repository-backed thresholds. That reduces guesswork and makes the output easier to operationalize.

Is it beginner-friendly?

Yes, if you can provide logs and a clear question. You do not need advanced malware knowledge to get value from the analyzing-ransomware-network-indicators skill, but you do need to know what data you have and what time period to examine.

How to Improve analyzing-ransomware-network-indicators skill

Give the skill narrower questions

The biggest quality gain comes from narrowing scope. Instead of asking for a broad review, specify one host, one time window, and one suspected behavior. For example: “Check for beaconing from 172.16.8.14 to external IPs every 5 minutes after the phishing email opened.”

Include indicator context

If you already have a suspicious domain, ASN, TOR hit, or IOC list, include it in the prompt. The analyzing-ransomware-network-indicators skill works better when it can compare logs against a concrete suspicion rather than searching blindly.

Watch for common failure modes

The main failure mode is overcalling ransomware from noisy traffic alone. Short-lived retries, CDN traffic, backup jobs, and software updates can look suspicious if you do not provide business context. Ask the skill to separate likely ransomware indicators from benign periodic traffic.
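As an added illustration of the detection questions this skill targets (periodic callbacks to one destination, large outbound flows) together with the noisy-traffic caveat above, here is a small Python triage pass over constructed Zeek conn.log records. It is not the skill's own scripts/agent.py, and its thresholds (at least four connections, coefficient of variation of the inter-arrival gaps no more than 0.1, a 60-second minimum period to drop retry bursts, 100 MB outbound) are assumptions, not values taken from the repository.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt (TSV, abbreviated field set); not real traffic.
# Rows 1-4: one host calling 203.0.113.7:443 roughly every 300 s (beacon-like).
# Rows 5-7: a one-second retry burst to 198.51.100.9 (benign-looking noise).
# Row 8:   a single 700 MB upload to 192.0.2.45:22 (exfiltration candidate).
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1700000000.0\t10.10.4.23\t50001\t203.0.113.7\t443\ttcp\t512\t256
1700000300.0\t10.10.4.23\t50002\t203.0.113.7\t443\ttcp\t510\t260
1700000602.0\t10.10.4.23\t50003\t203.0.113.7\t443\ttcp\t515\t250
1700000899.0\t10.10.4.23\t50004\t203.0.113.7\t443\ttcp\t508\t255
1700000010.0\t10.10.4.23\t50010\t198.51.100.9\t443\ttcp\t300\t900
1700000011.0\t10.10.4.23\t50011\t198.51.100.9\t443\ttcp\t300\t900
1700000012.0\t10.10.4.23\t50012\t198.51.100.9\t443\ttcp\t300\t900
1700000500.0\t10.10.4.23\t50020\t192.0.2.45\t22\ttcp\t734003200\t4096
"""

def parse_conn_log(text):
    """Parse a Zeek TSV conn.log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def triage(rows, min_count=4, max_cv=0.1, min_interval=60, exfil_bytes=100_000_000):
    """Group flows by (orig_h, resp_h, resp_p); flag periodic callbacks and large uploads.
    Groups whose mean gap is below min_interval are skipped so short-lived retry bursts
    do not read as beacons. All thresholds are illustrative assumptions."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)
    findings = []
    for key, flows in groups.items():
        ts = sorted(float(f["ts"]) for f in flows)
        out_bytes = sum(int(f["orig_bytes"]) for f in flows)
        if out_bytes >= exfil_bytes:
            findings.append(("large_outbound", key, out_bytes))
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # jitter relative to period
        if mean >= min_interval and cv <= max_cv:
            findings.append(("beaconing", key, round(mean, 1)))
    return findings
```

Run `triage(parse_conn_log(SAMPLE_CONN_LOG))` to get one beaconing finding (period about 299.7 s) and one large_outbound finding; the retry burst is dropped by both the count and the minimum-period checks.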

Iterate with follow-up evidence

After the first pass, refine based on what the skill finds: add more logs, extend the time window, or request a second review focused only on the top talkers or TOR matches. That iterative loop usually produces stronger results from analyzing-ransomware-network-indicators than one broad prompt.

Ratings & Reviews

No ratings yet