Hunts Windows registry persistence mechanisms like Run keys, Winlogon mods, IFEO injection, and COM hijacking using EDR/SIEM queries. Useful for threat hunting, incident response, and purple team exercises.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.

- When proactively hunting an environment for indicators of registry persistence mechanisms
Hunt for Windows registry persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking. For threat hunting, IR, and security assessments.
Guides hunting for Windows registry persistence such as Run keys, Winlogon mods, IFEO injection, and COM hijacking using EDR, SIEM, and Sysmon queries.
Hunts attacker persistence mechanisms in Windows endpoints covering registry Run keys, services, startup folders, and WMI event subscriptions. For threat hunting and incident response.
| Concept | Description |
|---|---|
| T1547.001 | Registry Run keys |
| T1547.004 | Winlogon helper DLL |
| T1546.012 | IFEO injection |
| T1546.015 | COM hijacking |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-HUNTIN-[date]-[sequence number]
Technique: T1547.001
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended actions: [containment, investigation, monitoring]