Hunts anomalous network connections by analyzing outbound traffic patterns, rare target addresses, non-standard ports, and endpoint connection frequencies in EDR/SIEM data. Useful for threat hunting and incident response.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
- When proactively hunting for indicators of anomalous network connections in the environment
Hunts unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous frequencies from endpoints using EDR and SIEM queries.
Hunts advanced persistent threats (APTs) in enterprises using hypothesis-based searches across EDR telemetry, Zeek network logs, and memory artifacts with Velociraptor/osquery. For periodic hunting cycles, UEBA anomaly investigations, and TTP verification.
| Concept | Description |
|---|---|
| T1071 | Application Layer Protocol |
| T1095 | Non-Application Layer Protocol |
| T1571 | Non-Standard Port |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis using SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-HUNTIN-[date]-[sequence number]
Technique: T1071
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended actions: [containment, investigation, monitoring]