Which log formats does this skill support?

The skill is designed to parse and analyze Zeek conn.log files (TSV) and NetFlow records exported in CSV or JSON formats.

How does it identify data exfiltration?

It flags connections that exhibit abnormally high outbound-to-inbound byte ratios to external IPs, which is a common indicator of data theft.

Can it detect encrypted C2 traffic?

Yes, it identifies C2 traffic by analyzing behavioral metadata—such as beaconing intervals and connection statistics—rather than relying on payload inspection.

Does this skill map to the MITRE ATT&CK framework?

Yes, it automatically maps detected indicators to relevant MITRE ATT&CK techniques including T1071 (C2), T1573 (Encrypted Channel), and T1041 (Exfiltration).

Ransomware Network Indicator Analysis

Name: Ransomware Network Indicator Analysis
Author: micsapp

bymicsapp

0•

보안 및 테스팅

Detects and analyzes ransomware activity within network logs by identifying C2 beaconing, TOR connections, and data exfiltration patterns.

This skill provides a specialized framework for security analysts to process Zeek and NetFlow data to uncover stealthy ransomware behaviors before encryption begins. It performs statistical analysis on connection intervals to find periodic C2 heartbeats, cross-references traffic against known TOR exit nodes, and monitors for high-volume outbound flows characteristic of data theft. By correlating these indicators into a composite risk score and mapping them to MITRE ATT&CK techniques, it streamlines incident response and empowers proactive threat hunting initiatives.

주요 기능

01Automated TOR exit node cross-referencing and alerting

02Identification of suspicious data exfiltration via outbound byte ratios

030 GitHub stars

04Statistical C2 beaconing detection using connection interval analysis

05Composite risk scoring with integrated MITRE ATT&CK mapping

06DNS pattern analysis for DGA and high-entropy subdomains

사용 사례

01Rapidly investigating potential ransomware incidents during active SOC alerts

02Automating the generation of structured network forensic reports for stakeholders

03Proactive threat hunting within historical Zeek or NetFlow log archives

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills analyzing-ransomware-network-indicators

For use in Claude.ai and ChatGPT

주요 기능

01Automated TOR exit node cross-referencing and alerting

02Identification of suspicious data exfiltration via outbound byte ratios

030 GitHub stars

04Statistical C2 beaconing detection using connection interval analysis

05Composite risk scoring with integrated MITRE ATT&CK mapping

06DNS pattern analysis for DGA and high-entropy subdomains

사용 사례

01Rapidly investigating potential ransomware incidents during active SOC alerts

02Automating the generation of structured network forensic reports for stakeholders

03Proactive threat hunting within historical Zeek or NetFlow log archives

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills analyzing-ransomware-network-indicators

For use in Claude.ai and ChatGPT