Detects privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse on Windows/Linux. Useful for threat hunting with EDR/SIEM like CrowdStrike, Splunk, Sysmon.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`

Use this skill:

- When proactively hunting for indicators of privilege escalation attempts in the environment

Related skill: Detects T1548 elevation control abuse including UAC bypass on Windows, sudo exploitation, and setuid/setgid on Linux by monitoring registry changes, process elevations, and anomalous parent-child process relationships. Provides Splunk, KQL, and Sigma queries.
| Concept | Description |
|---|---|
| T1134 | Access Token Manipulation |
| T1548.002 | UAC Bypass |
| T1068 | Exploitation for Privilege Escalation |
| T1574.009 | Unquoted Service Path |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Finding template:

```
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1134
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]
```