Detects insider threat behaviors like abnormal data access, off-hours activity, bulk file downloads, privilege abuse, and pre-departure data theft via EDR/SIEM queries. For threat hunting in Splunk, Elastic, CrowdStrike.
npx claudepluginhub killvxk/cybersecurity-skills-zh
- When proactively hunting for insider threat behavioral indicators in the environment
Detects insider threat behaviors including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation data theft via EDR/SIEM queries and analysis.
Detects insider threat behavioral indicators like unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft in EDR/SIEM logs.
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behavior using SIEM analysis, DLP alerts, and HR data correlation. For SOC teams handling HR referrals, anomalous data movement, or building investigation timelines.
| Concept | Description |
|---|---|
| T1078 | Valid Accounts |
| T1530 | Data from Cloud Storage Object |
| T1567 | Exfiltration Over Web Service |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]