Detects service account abuse via abnormal interactive logins, privilege escalations, lateral movement, and unauthorized access in EDR/SIEM logs. Useful for threat hunting, incident response, and security assessments.
- When proactively hunting for indicators of service account abuse in the environment
Detects service account abuse through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns in EDR/SIEM logs. For threat hunting, incident response, and security assessments.
Guides threat hunting for service account abuse via anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access using EDR/SIEM queries.
Detects attacker lateral movement across networks using Splunk SPL queries on Windows authentication logs, SMB traffic, and remote service abuse. Useful for threat hunting TA0008 in SIEM setups.
| Concept | Description |
|---|---|
| T1078.002 | Domain Accounts |
| T1078.001 | Default Accounts |
| T1021 | Remote Services |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078.002
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Contain, Investigate, Monitor]
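As an added example (not code from the skill itself), the following flags the anomalous-interactive-logon signal described above over constructed Windows 4624 events and writes each hit in the finding template. The `svc_` naming convention, the JSON event shape and the sample events are assumptions for illustration.

```python
# Added example: find service accounts logging on interactively (T1078.002 hunt)
# and emit findings in the Hunt ID / Technique / ... template.
import json
from datetime import date

# Assumption: service accounts carry an "svc_" prefix; adapt to your naming standard.
SERVICE_ACCOUNT_PREFIX = "svc_"
# 4624 LogonType values that mean a human-style session, which a service account
# should not normally open (type 5 = service, type 3 = network are expected).
INTERACTIVE_LOGON_TYPES = {"2": "Interactive", "10": "RemoteInteractive", "11": "CachedInteractive"}

# Constructed sample events in a SIEM-style one-JSON-object-per-line shape.
SAMPLE_EVENTS = [
    '{"EventID":4624,"LogonType":"5","TargetUserName":"svc_backup","Computer":"SRV01","IpAddress":"-"}',
    '{"EventID":4624,"LogonType":"10","TargetUserName":"svc_backup","Computer":"WS42","IpAddress":"10.0.5.17"}',
    '{"EventID":4624,"LogonType":"2","TargetUserName":"jdoe","Computer":"WS42","IpAddress":"-"}',
    '{"EventID":4624,"LogonType":"3","TargetUserName":"svc_sql","Computer":"DB01","IpAddress":"10.0.1.9"}',
]

def is_service_account(user: str) -> bool:
    return user.lower().startswith(SERVICE_ACCOUNT_PREFIX)

def find_interactive_service_logons(lines):
    """Return (event, logon_type_name) for 4624 events where a service account
    opened an interactive session."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue
        logon_name = INTERACTIVE_LOGON_TYPES.get(str(ev.get("LogonType")))
        if logon_name and is_service_account(ev.get("TargetUserName", "")):
            hits.append((ev, logon_name))
    return hits

def build_finding(ev, logon_type_name, seq, hunt_date=None):
    """Format one hit using the hunt finding template from the skill."""
    d = (hunt_date or date.today()).strftime("%Y%m%d")
    # A remote interactive session from another host is a stronger signal than a console logon.
    risk = "High" if logon_type_name == "RemoteInteractive" else "Medium"
    return "\n".join([
        f"Hunt ID: TH-DETECT-{d}-{seq:03d}",
        "Technique: T1078.002",
        f"Host: {ev['Computer']}",
        f"User: {ev['TargetUserName']} (service account, {logon_type_name} logon)",
        f"Evidence: EventID 4624, LogonType {ev['LogonType']}, source {ev['IpAddress']}",
        f"Risk Level: {risk}",
        "Confidence: Medium",
        "Recommended Action: Investigate",
    ])

if __name__ == "__main__":
    for i, (ev, lt) in enumerate(find_interactive_service_logons(SAMPLE_EVENTS), 1):
        print(build_finding(ev, lt, i), end="\n\n")
```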