Detects credential dumping attacks such as LSASS access (via Sysmon Event ID 10), SAM exports, and NTDS.dit theft using Windows security logs and SIEM correlation rules. For Windows threat hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique in which an attacker extracts authentication credentials from operating-system memory, registry hives, or the domain controller database. This skill covers detecting LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and abuse of the comsvcs.dll MiniDump export. The detection rules analyze the GrantedAccess bit mask, suspicious calling processes, and known tool signatures.
Detects LSASS credential dumping, SAM extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules for threat hunting and SOC analysis.
Detects LSASS credential dumping, SAM hive extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM rules. For SOC threat hunting and detection rule building.
Detects OS credential dumping techniques like LSASS access, SAM extraction, NTDS, and DCSync using EDR telemetry and Sysmon logs. Useful for threat hunting and incident response in Windows environments.
A JSON report containing the detected credential-dumping indicators, with technique classification, severity rating, process details, MITRE ATT&CK mapping, and Splunk/Elastic detection queries.
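The following is an added example, not the skill's own code, showing the shape of the detection logic and report described above: it scores Sysmon Event ID 10 records against lsass.exe by testing the GrantedAccess bit mask and the calling process, matches Event ID 1 command lines for the SAM, NTDS.dit and comsvcs.dll techniques, and emits a JSON-style report with severity and MITRE ATT&CK sub-technique mapping. The sample events, the allow-list, the dumper image-name list and the Splunk query string are constructed assumptions to be tuned per environment.

```python
"""Toy credential-dumping detector over Sysmon events (added example, not the skill's code)."""
import json
import re

# Windows process access rights relevant to reading LSASS memory (documented values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allow-list of processes that legitimately open LSASS (tune per host build).
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Image names of well-known memory-dumping utilities (assumed, illustrative list).
KNOWN_DUMPER_IMAGES = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}

# Illustrative SIEM query for the same condition; SIEMs differ on bit tests, so the
# query uses the GrantedAccess values most often observed from dumpers instead.
SPLUNK_LSASS_QUERY = ('index=sysmon EventCode=10 TargetImage="*\\lsass.exe" '
                      'GrantedAccess IN ("0x1010","0x1410","0x1438","0x143A","0x1FFFFF")')

# Command-line rules for the non-LSASS techniques: (pattern, sub-technique, title, severity).
CMDLINE_RULES = [
    (re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
     "T1003.002", "SAM hive export via reg.exe", "high"),
    (re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
     "T1003.003", "NTDS.dit extraction via ntdsutil", "critical"),
    (re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
     "T1003.003", "Shadow copy creation (NTDS.dit staging)", "medium"),
    (re.compile(r"comsvcs(\.dll)?\b.*minidump", re.I),
     "T1003.001", "LSASS MiniDump via comsvcs.dll", "critical"),
]


def evaluate_process_access(ev):
    """Score one Sysmon Event ID 10 record; return a finding dict or None."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    source = ev["SourceImage"].lower()
    if source in LSASS_READER_ALLOWLIST:
        return None
    granted = int(ev["GrantedAccess"], 16)
    # Every memory dumper needs PROCESS_VM_READ; 0x1010 and 0x1410 are the minimal
    # masks seen from dumpers, 0x1FFFFF is PROCESS_ALL_ACCESS.
    if not granted & PROCESS_VM_READ:
        return None
    severity = "high"
    reasons = [f"GrantedAccess 0x{granted:X} includes PROCESS_VM_READ"]
    if granted == PROCESS_ALL_ACCESS:
        severity = "critical"
        reasons.append("PROCESS_ALL_ACCESS requested")
    if source.rsplit("\\", 1)[-1] in KNOWN_DUMPER_IMAGES:
        severity = "critical"
        reasons.append("known dumping utility image name")
    # Sysmon writes UNKNOWN for call-stack frames not backed by a module on disk,
    # which is typical of injected or reflectively loaded dumper code.
    if "UNKNOWN" in ev.get("CallTrace", ""):
        severity = "critical"
        reasons.append("unbacked frames in CallTrace")
    return {"technique": "T1003.001", "title": "LSASS memory access", "severity": severity,
            "source_image": ev["SourceImage"], "granted_access": f"0x{granted:X}",
            "reasons": reasons, "splunk": SPLUNK_LSASS_QUERY}


def evaluate_process_create(ev):
    """Match one Sysmon Event ID 1 command line against CMDLINE_RULES; finding or None."""
    for pattern, technique, title, severity in CMDLINE_RULES:
        if pattern.search(ev["CommandLine"]):
            return {"technique": technique, "title": title, "severity": severity,
                    "image": ev["Image"], "command_line": ev["CommandLine"]}
    return None


def build_report(events):
    """Run both evaluators over Sysmon events and return the report, worst severity first."""
    findings = []
    for ev in events:
        finding = None
        if ev["EventID"] == 10:
            finding = evaluate_process_access(ev)
        elif ev["EventID"] == 1:
            finding = evaluate_process_create(ev)
        if finding:
            finding["host"] = ev["Computer"]
            findings.append(finding)
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return {"findings": findings, "count": len(findings)}


# Constructed sample events: one benign LSASS open, one suspicious open, three
# command lines matching the page's techniques, and one benign process start.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000", "CallTrace": ""},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001F0)"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS), indent=2))
```

The bit test on GrantedAccess is deliberately used in code rather than a fixed list of mask values, because dumpers vary the mask they request while all of them need PROCESS_VM_READ; the allow-list is what keeps the rule quiet, so it should be built from observed LSASS readers on the environment's own baseline images.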