Hunts attacker persistence via Windows scheduled tasks by analyzing creation events, suspicious operations, and abnormal scheduling patterns. Useful for threat hunting, incident response, and security assessments.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`

This skill uses the workspace's default tool permissions.
- When proactively hunting an environment for scheduled-task persistence indicators
Hunts suspicious Windows scheduled tasks for attacker persistence (T1053.005) by analyzing creation events, task properties, and execution patterns. For threat hunting in Windows environments with Sysmon, Splunk, or Sentinel.
| Concept | Description |
|---|---|
| T1053.005 | Scheduled Task |
| T1053.003 | Cron |
| T1053.002 | At |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
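Worked example of the creation-event analysis this skill describes for T1053.005, added here and not part of the skill's own code. It takes Windows Security event 4698 ("A scheduled task was created") records, parses the task XML carried in the TaskContent field, and scores the task's action. The record dicts and task XML are constructed sample telemetry; the field names (EventID, TaskName, SubjectUserName, TaskContent) follow the real event, but the environment-variable defaults and the indicator list (LOLBin interpreters, -EncodedCommand payloads, download cradles, user-writable paths, the Hidden flag, SYSTEM principals, system-binary names outside C:\Windows) are illustrative choices for this example, not the skill's list.

```python
"""Hunt T1053.005 persistence in Windows Security event 4698 records by parsing
the TaskContent XML and scoring the task's action. Added example over
constructed sample events; not code from the skill itself."""
import base64
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by the TaskContent field of event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Environment variables commonly seen in task actions, expanded to assumed
# default paths so the path heuristics work on a normalised string.
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
       "%programdata%": "C:\\ProgramData", "%temp%": "C:\\Windows\\Temp"}

# Locations a non-admin user can write to; a task action living there is a tell.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Users\\Public|ProgramData|Temp)\\", re.I)
# Interpreters/LOLBins adversaries wrap payloads in, and names they masquerade as.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# -EncodedCommand and its short forms, capturing the base64 (UTF-16LE) payload.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"(\biex\b|invoke-expression|downloadstring|invoke-webrequest|"
                    r"frombase64string|https?://)", re.I)
SYSTEM_PRINCIPALS = {"s-1-5-18", "system", "nt authority\\system"}
WINDOWS_PATHS = ("c:\\windows\\", "c:\\program files")


def expand(path: str) -> str:
    """Strip quotes and expand the variables in ENV (case-insensitive)."""
    out = path.strip().strip('"')
    for var, val in ENV.items():
        out = re.sub(re.escape(var), lambda _m, v=val: v, out, flags=re.I)
    return out


def parse_task(task_xml: str) -> dict:
    """Pull the fields the hunt needs out of a 4698 TaskContent document."""
    root = ET.fromstring(task_xml)

    def text(xpath: str, default: str = "") -> str:
        return (root.findtext(xpath, default=default, namespaces=NS) or default).strip()

    return {
        "command": expand(text(".//t:Actions/t:Exec/t:Command")),
        "arguments": text(".//t:Actions/t:Exec/t:Arguments"),
        "run_as": text(".//t:Principals/t:Principal/t:UserId"),
        "hidden": text(".//t:Settings/t:Hidden", "false").lower() == "true",
    }


def score_task(task_name: str, task: dict) -> list[str]:
    """Return the suspicious indicators for one task (empty list if none)."""
    reasons = []
    cmd_lower = task["command"].lower()
    exe = cmd_lower.rsplit("\\", 1)[-1]
    in_windows_dir = cmd_lower.startswith(WINDOWS_PATHS)
    if exe in LOLBINS:
        reasons.append(f"action launches interpreter/LOLBin {exe}")
    if exe in SYSTEM_BINARIES and not in_windows_dir:
        reasons.append(f"{exe} outside C:\\Windows (masquerading)")
    decoded = ""
    enc = ENCODED_PS.search(" " + task["arguments"])
    if enc:
        reasons.append("encoded PowerShell command line")
        try:  # -EncodedCommand is base64 of UTF-16LE script text
            decoded = base64.b64decode(enc.group(2)).decode("utf-16-le", errors="replace")
        except ValueError:
            pass
    if CRADLE.search(task["arguments"] + " " + decoded):
        reasons.append("download/in-memory execution cradle in arguments")
    if USER_WRITABLE.search(task["command"] + " " + task["arguments"]):
        reasons.append("action under a user-writable path")
    if task["hidden"]:
        reasons.append("task is marked Hidden")
    if task["run_as"].lower() in SYSTEM_PRINCIPALS and not in_windows_dir:
        reasons.append("runs as SYSTEM from outside Windows/Program Files")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Score every 4698 record; 4699 (deleted) and 4702 (updated) are skipped here."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        task = parse_task(ev["TaskContent"])
        reasons = score_task(ev["TaskName"], task)
        if reasons:
            findings.append({"task": ev["TaskName"], "created_by": ev["SubjectUserName"],
                             "command": task["command"], "reasons": reasons})
    return findings


def task_xml(command: str, arguments: str, user_id: str, hidden: bool = False) -> str:
    """Minimal Task Scheduler XML shaped like a real TaskContent field (constructed)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            f"<Principals><Principal id=\"Author\"><UserId>{user_id}</UserId></Principal></Principals>"
            f"<Settings><Hidden>{'true' if hidden else 'false'}</Hidden></Settings>"
            f"<Actions Context=\"Author\"><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed sample telemetry: a benign OS task, two persistence patterns,
# a legitimate user task and one non-creation event.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml("%windir%\\system32\\defrag.exe", "-c -h -k -g -$", "S-1-5-18")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Updater",
     "TaskContent": task_xml("%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                             "S-1-5-18", hidden=True)},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\OneDrive Update",
     "TaskContent": task_xml("C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "", "CORP\\alice")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Nightly Backup",
     "TaskContent": task_xml("C:\\Program Files\\7-Zip\\7z.exe", "a D:\\backup.7z D:\\docs", "CORP\\alice")},
    {"EventID": 4702, "SubjectUserName": "alice", "TaskName": "\\Nightly Backup", "TaskContent": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['task']} (created by {f['created_by']}): {f['command']}")
        for r in f["reasons"]:
            print("  -", r)
```

Two caveats for running this against real telemetry: event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm the audit policy before concluding an environment has no task creations, and a task created by an attacker who edits an existing one shows up as 4702 (updated), not 4698, so a hunt that only scores creations should also cover updates. The encoded-command branch decodes the payload before matching cradles; without it, the `\Updater` sample would only be flagged for its interpreter and Hidden flag and the `IEX (New-Object` cradle would be missed.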
Hunt ID: TH-HUNTIN-[date]-[sequence]
Technique: T1053.005
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended action: [contain, investigate, monitor]