Hunts spearphishing indicators (MITRE T1566) across email logs, endpoint telemetry, and network data using SIEM and EDR queries. Useful for threat hunting, incident response, and proactive detection.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.

- When proactively hunting for spearphishing indicators in your environment
| Concept | Description |
|---|---|
| T1566.001 | Spearphishing Attachment |
| T1566.002 | Spearphishing Link |
| T1566.003 | Spearphishing via Service |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-HUNTIN-[date]-[sequence]
Technique: T1566.001
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended actions: [containment, investigation, monitoring]