Detects Mimikatz execution via command line patterns, LSASS access signatures, binary indicators, and known module memory in EDR/SIEM logs. Useful for threat hunting, incident response, and purple team exercises in Windows environments.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
- When proactively hunting an environment for indicators of Mimikatz execution patterns
Detects Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
Detects Mimikatz execution patterns via command-line args, LSASS access, binaries, and memory modules using EDR, SIEM, Sysmon for threat hunting and incident response.
Detects OS credential dumping techniques like LSASS access, SAM extraction, NTDS, and DCSync using EDR telemetry and Sysmon logs. Useful for threat hunting and incident response in Windows environments.
| Concept | Description |
|---|---|
| T1003.001 | LSASS memory |
| T1003.006 | DCSync |
| T1558.003 | Kerberoasting |
| T1558.001 | Golden Ticket |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1003.001
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain / investigate / monitor]
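As an added example (not the skill's or the plugin's own code), a small Python hunt over constructed Sysmon ProcessAccess and ProcessCreate records that applies two of the detection categories listed above, LSASS access signatures and command-line patterns, and writes each hit in the Hunt ID / Technique / Evidence template; the hostname, user, paths, allowlist and hunt date are assumed sample values.

```python
import re
from datetime import date
# Constructed Sysmon records (EventID 10 = ProcessAccess, EventID 1 = ProcessCreate); field names
# follow Sysmon event data, while host, user and paths are made-up sample values.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS-FIN-07", "User": "CORP\\jdoe", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "Computer": "WS-FIN-07", "User": "NT AUTHORITY\\SYSTEM", "GrantedAccess": "0x1410",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "Computer": "WS-FIN-07", "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
]
# Win32 process access-mask bits: reading LSASS memory needs VM_READ plus a query right (0x1010 / 0x1438 are typical).
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION = 0x10, 0x400, 0x1000
# Assumed allowlist of binaries expected to open LSASS on this host; tune per environment.
ALLOWLISTED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
# Command-line indicators: Mimikatz module prefixes and the binary name (not exhaustive).
MODULE_PATTERN = re.compile(r"mimikatz|sekurlsa::|lsadump::|kerberos::|privilege::debug", re.I)

def suspicious_lsass_access(ev):
    """EventID 10 where a non-allowlisted process opens lsass.exe with memory-read rights."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(ev.get("GrantedAccess", "0"), 16)
    can_read = mask & PROCESS_VM_READ and mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    source = ev.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
    return bool(can_read) and source not in ALLOWLISTED_SOURCES

def suspicious_cmdline(ev):
    """EventID 1 whose command line carries a known Mimikatz module keyword."""
    return ev.get("EventID") == 1 and bool(MODULE_PATTERN.search(ev.get("CommandLine", "")))

def hunt(events, hunt_date=date(2024, 1, 1)):
    """Run both checks and emit findings shaped like the Hunt ID / Technique / Evidence template."""
    cmd_images = {ev.get("Image", "").lower() for ev in events if suspicious_cmdline(ev)}
    findings = []
    for ev in events:
        lsass, cmd = suspicious_lsass_access(ev), suspicious_cmdline(ev)
        if not (lsass or cmd):
            continue
        src = (ev.get("SourceImage") or ev.get("Image", "")).lower()
        corroborated = lsass and src in cmd_images  # same binary ran Mimikatz commands and read LSASS
        evidence = f"{src} -> lsass.exe GrantedAccess={ev['GrantedAccess']}" if lsass else ev["CommandLine"]
        findings.append({
            "Hunt ID": f"TH-DETECT-{hunt_date:%Y%m%d}-{len(findings) + 1:03d}", "Technique": "T1003.001",
            "Host": ev["Computer"], "User": ev["User"], "Evidence": f"Sysmon EventID {ev['EventID']}: {evidence}",
            "Risk Level": "Critical" if corroborated else "High",
            "Confidence": "High" if (corroborated or cmd) else "Medium",
            "Recommended Action": "Contain" if corroborated else "Investigate"})
    return findings
```

The Defender record is dropped by the allowlist rather than by the access mask, which is the point: the mask alone fires on legitimate security tooling, so the allowlist (or a hash check) is what keeps the rule usable.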