Analyzes Cuckoo/AnyRun behavior reports to detect malware sandbox evasion techniques like timing checks, VM artifacts, user interaction detection, and sleep inflation.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
沙箱逃避(MITRE ATT&CK T1497)允许恶意软件检测分析环境并改变行为以规避检测。本技能分析 Cuckoo Sandbox 和 AnyRun 的行为报告中的逃避指标,包括基于时序的检查(GetTickCount、QueryPerformanceCounter、睡眠膨胀)、虚拟机工件检测(注册表键、MAC 地址前缀、进程名称如 vmtoolsd.exe)、用户交互检测(鼠标移动、键盘输入)和环境指纹识别(磁盘大小、CPU 数量、内存容量)。检测规则标记表现出这些行为的样本以供深入人工分析。
Detects sandbox evasion techniques in malware from Cuckoo/AnyRun behavioral reports by analyzing timing checks, VM artifacts, user interactions, and sleep inflation.
Detects sandbox evasion techniques in malware from Cuckoo/AnyRun behavioral reports by analyzing timing checks, VM artifacts, user interaction detection, and sleep inflation patterns. Maps to MITRE ATT&CK T1497 for security analysts.
Executes malware samples in Cuckoo Sandbox to observe runtime behaviors including process creation, filesystem/registry changes, network activity, and API calls. Generates reports for malware classification and IOC extraction.
Share bugs, ideas, or general feedback.
沙箱逃避(MITRE ATT&CK T1497)允许恶意软件检测分析环境并改变行为以规避检测。本技能分析 Cuckoo Sandbox 和 AnyRun 的行为报告中的逃避指标,包括基于时序的检查(GetTickCount、QueryPerformanceCounter、睡眠膨胀)、虚拟机工件检测(注册表键、MAC 地址前缀、进程名称如 vmtoolsd.exe)、用户交互检测(鼠标移动、键盘输入)和环境指纹识别(磁盘大小、CPU 数量、内存容量)。检测规则标记表现出这些行为的样本以供深入人工分析。
JSON 报告,列出检测到的逃避技术及 MITRE ATT&CK 映射、API 调用证据、逃避复杂性评分,以及逃避类别分类(时序、虚拟机检测、用户交互、环境指纹识别)。