Builds systematic threat hunting hypothesis frameworks from threat intelligence, attack patterns, and environment data into testable hypotheses. Guides EDR/SIEM queries for proactive detection, incident response, and purple team exercises.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.

- When building indicators for a threat hunting hypothesis framework in a proactive hunting environment
Builds a systematic threat hunt hypothesis framework from threat intelligence, ATT&CK patterns, and EDR/SIEM data into testable queries. For proactive detection, incident response, and assessments.
Builds threat hunt hypotheses from intelligence, ATT&CK patterns, and telemetry data into testable EDR/SIEM queries for proactive detection and analysis.
Hunts advanced persistent threats (APTs) in enterprises using hypothesis-based searches across EDR telemetry, Zeek network logs, and memory artifacts with Velociraptor/osquery. For periodic hunting cycles, UEBA anomaly investigations, and TTP verification.
| Concept | Description |
|---|---|
| TA0001 | Initial Access |
| TA0003 | Persistence |
| TA0008 | Lateral Movement |
| TA0010 | Exfiltration |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-BUILDI-[DATE]-[SEQ]
Technique: TA0001
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]