mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,79 @@
|
||||
---
|
||||
name: detecting-mimikatz-execution-patterns
|
||||
description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
|
||||
domain: cybersecurity
|
||||
subdomain: threat-hunting
|
||||
tags: [threat-hunting, mitre-attack, mimikatz, credential-dumping, edr, t1003, proactive-detection]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
|
||||
# Detecting Mimikatz Execution Patterns
|
||||
|
||||
## When to Use
|
||||
|
||||
- When proactively hunting for indicators of detecting mimikatz execution patterns in the environment
|
||||
- After threat intelligence indicates active campaigns using these techniques
|
||||
- During incident response to scope compromise related to these techniques
|
||||
- When EDR or SIEM alerts trigger on related indicators
|
||||
- During periodic security assessments and purple team exercises
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
|
||||
- SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
|
||||
- Sysmon deployed with comprehensive configuration
|
||||
- Windows Security Event Log forwarding enabled
|
||||
- Threat intelligence feeds for IOC correlation
|
||||
|
||||
## Workflow
|
||||
|
||||
1. **Formulate Hypothesis**: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
|
||||
2. **Identify Data Sources**: Determine which logs and telemetry are needed to validate or refute the hypothesis.
|
||||
3. **Execute Queries**: Run detection queries against SIEM and EDR platforms to collect relevant events.
|
||||
4. **Analyze Results**: Examine query results for anomalies, correlating across multiple data sources.
|
||||
5. **Validate Findings**: Distinguish true positives from false positives through contextual analysis.
|
||||
6. **Correlate Activity**: Link findings to broader attack chains and threat actor TTPs.
|
||||
7. **Document and Report**: Record findings, update detection rules, and recommend response actions.
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Concept | Description |
|
||||
|---------|-------------|
|
||||
| T1003.001 | LSASS Memory |
|
||||
| T1003.006 | DCSync |
|
||||
| T1558.003 | Kerberoasting |
|
||||
| T1558.001 | Golden Ticket |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
| Tool | Purpose |
|
||||
|------|---------|
|
||||
| CrowdStrike Falcon | EDR telemetry and threat detection |
|
||||
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
|
||||
| Splunk Enterprise | SIEM log analysis with SPL queries |
|
||||
| Elastic Security | Detection rules and investigation timeline |
|
||||
| Sysmon | Detailed Windows event monitoring |
|
||||
| Velociraptor | Endpoint artifact collection and hunting |
|
||||
| Sigma Rules | Cross-platform detection rule format |
|
||||
|
||||
## Common Scenarios
|
||||
|
||||
1. **Scenario 1**: Standard sekurlsa::logonpasswords credential dump
|
||||
2. **Scenario 2**: PowerShell Invoke-Mimikatz reflective loading
|
||||
3. **Scenario 3**: DCSync from non-DC host
|
||||
4. **Scenario 4**: Golden ticket creation for persistence
|
||||
|
||||
## Output Format
|
||||
|
||||
```
|
||||
Hunt ID: TH-DETECT-[DATE]-[SEQ]
|
||||
Technique: T1003.001
|
||||
Host: [Hostname]
|
||||
User: [Account context]
|
||||
Evidence: [Log entries, process trees, network data]
|
||||
Risk Level: [Critical/High/Medium/Low]
|
||||
Confidence: [High/Medium/Low]
|
||||
Recommended Action: [Containment, investigation, monitoring]
|
||||
```
|
||||
@@ -0,0 +1,107 @@
|
||||
# Detecting Mimikatz Execution Patterns - Hunt Template
|
||||
|
||||
## Hunt Metadata
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Hunt ID | TH-DETECT-YYYY-MM-DD-NNN |
|
||||
| Analyst | |
|
||||
| Date Started | |
|
||||
| Date Completed | |
|
||||
| Status | [ ] In Progress / [ ] Complete |
|
||||
| Priority | [ ] Critical / [ ] High / [ ] Medium / [ ] Low |
|
||||
|
||||
## Hypothesis
|
||||
|
||||
> **Statement**: [Formulate a clear, testable hypothesis]
|
||||
>
|
||||
> **Basis**: [ ] Threat Intel / [ ] ATT&CK Gap / [ ] Anomaly / [ ] Incident Follow-up
|
||||
|
||||
## Target Techniques
|
||||
|
||||
- [ ] T1003.001 - LSASS Memory
|
||||
- [ ] T1003.006 - DCSync
|
||||
- [ ] T1558.003 - Kerberoasting
|
||||
- [ ] T1558.001 - Golden Ticket
|
||||
|
||||
## Data Sources
|
||||
|
||||
- [ ] Sysmon Event Logs
|
||||
- [ ] Windows Security Event Logs
|
||||
- [ ] EDR Telemetry (Platform: _____________)
|
||||
- [ ] SIEM (Platform: _____________)
|
||||
- [ ] Network Logs (Proxy/Firewall/DNS)
|
||||
- [ ] Cloud Audit Logs
|
||||
- [ ] Email Gateway Logs
|
||||
- [ ] Application Logs
|
||||
|
||||
## Queries Executed
|
||||
|
||||
### Query 1: [Description]
|
||||
```
|
||||
[Query text]
|
||||
```
|
||||
**Results**: [Count] events | **Execution Time**: [Duration]
|
||||
|
||||
### Query 2: [Description]
|
||||
```
|
||||
[Query text]
|
||||
```
|
||||
**Results**: [Count] events | **Execution Time**: [Duration]
|
||||
|
||||
## Findings
|
||||
|
||||
| # | Timestamp | Host | User | Technique | Evidence Summary | Risk | Verdict |
|
||||
|---|-----------|------|------|-----------|-----------------|------|---------|
|
||||
| 1 | | | | | | | TP / FP / BTP |
|
||||
| 2 | | | | | | | TP / FP / BTP |
|
||||
| 3 | | | | | | | TP / FP / BTP |
|
||||
|
||||
## IOCs Discovered
|
||||
|
||||
### Network IOCs
|
||||
| Type | Value | Context | Confidence |
|
||||
|------|-------|---------|-----------|
|
||||
| IP | | | |
|
||||
| Domain | | | |
|
||||
| URL | | | |
|
||||
|
||||
### Host IOCs
|
||||
| Type | Value | Context | Confidence |
|
||||
|------|-------|---------|-----------|
|
||||
| SHA256 | | | |
|
||||
| Filename | | | |
|
||||
| Registry Key | | | |
|
||||
| Scheduled Task | | | |
|
||||
|
||||
## Hunt Results Summary
|
||||
|
||||
| Metric | Count |
|
||||
|--------|-------|
|
||||
| Total Events Analyzed | |
|
||||
| Anomalies Identified | |
|
||||
| True Positives | |
|
||||
| False Positives | |
|
||||
| Benign True Positives | |
|
||||
| New IOCs Discovered | |
|
||||
| Detection Rules Created | |
|
||||
| Detection Rules Updated | |
|
||||
|
||||
## Hypothesis Outcome
|
||||
|
||||
- [ ] **Confirmed**: Evidence supports the hypothesis
|
||||
- [ ] **Partially Confirmed**: Some evidence found, further investigation needed
|
||||
- [ ] **Refuted**: No evidence found
|
||||
- [ ] **Inconclusive**: Insufficient data
|
||||
|
||||
## Recommendations
|
||||
|
||||
1. **Immediate Actions**: [Containment, remediation steps]
|
||||
2. **Detection Improvements**: [New rules, tuning recommendations]
|
||||
3. **Visibility Gaps**: [Missing data sources, coverage needs]
|
||||
4. **Security Hardening**: [Configuration changes, policy updates]
|
||||
5. **Follow-up Hunts**: [Related hypotheses to investigate]
|
||||
|
||||
## Analyst Notes
|
||||
|
||||
[Free-form notes, observations, and lessons learned]
|
||||
@@ -0,0 +1,41 @@
|
||||
# Standards and References - Detecting Mimikatz Execution Patterns
|
||||
|
||||
## MITRE ATT&CK Mappings
|
||||
|
||||
| Technique | Name | Description |
|
||||
|-----------|------|-------------|
|
||||
| T1003.001 | LSASS Memory | See attack.mitre.org/techniques/T1003/001 |
|
||||
| T1003.006 | DCSync | See attack.mitre.org/techniques/T1003/006 |
|
||||
| T1558.003 | Kerberoasting | See attack.mitre.org/techniques/T1558/003 |
|
||||
| T1558.001 | Golden Ticket | See attack.mitre.org/techniques/T1558/001 |
|
||||
|
||||
## Detection Data Sources
|
||||
|
||||
| Source | Event ID | Purpose |
|
||||
|--------|----------|---------|
|
||||
| Sysmon | 1 | Process creation with command line |
|
||||
| Sysmon | 3 | Network connection initiated |
|
||||
| Sysmon | 7 | Image loaded (DLL) |
|
||||
| Sysmon | 10 | Process access (LSASS) |
|
||||
| Sysmon | 11 | File creation |
|
||||
| Sysmon | 12/13 | Registry create/set |
|
||||
| Sysmon | 22 | DNS query |
|
||||
| Sysmon | 25 | Process tampering |
|
||||
| Windows Security | 4624 | Successful logon |
|
||||
| Windows Security | 4625 | Failed logon |
|
||||
| Windows Security | 4648 | Explicit credential logon |
|
||||
| Windows Security | 4672 | Special privileges assigned |
|
||||
| Windows Security | 4688 | Process creation |
|
||||
| Windows Security | 4697 | Service installed |
|
||||
| Windows Security | 4698 | Scheduled task created |
|
||||
| Windows Security | 4769 | Kerberos TGS requested |
|
||||
| Windows Security | 5140 | Network share accessed |
|
||||
|
||||
## References
|
||||
|
||||
- MITRE ATT&CK Framework: https://attack.mitre.org/
|
||||
- Sigma Detection Rules: https://github.com/SigmaHQ/sigma
|
||||
- LOLBAS Project: https://lolbas-project.github.io/
|
||||
- Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
|
||||
- Red Canary Threat Detection Report
|
||||
- SANS Threat Hunting Summit Resources
|
||||
@@ -0,0 +1,73 @@
|
||||
# Detailed Hunting Workflow - Detecting Mimikatz Execution Patterns
|
||||
|
||||
## Phase 1: Data Collection and Querying
|
||||
|
||||
### Splunk SPL Query
|
||||
```spl
|
||||
index=sysmon EventCode=1
|
||||
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|privilege::debug|token::elevate|dpapi::)")
|
||||
| table _time Computer User Image CommandLine ParentImage
|
||||
```
|
||||
|
||||
### KQL Query (Microsoft Defender for Endpoint)
|
||||
```kql
|
||||
DeviceProcessEvents
|
||||
| where ProcessCommandLine has_any ("sekurlsa","lsadump","kerberos::","privilege::debug")
|
||||
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
|
||||
```
|
||||
|
||||
## Phase 2: Baseline and Anomaly Detection
|
||||
|
||||
### Step 2.1 - Establish Normal Behavior Baseline
|
||||
- Collect 30 days of historical data for the targeted technique
|
||||
- Document expected patterns, frequencies, and legitimate use cases
|
||||
- Identify known false positive sources and document exceptions
|
||||
- Build statistical baseline (mean, standard deviation) for key metrics
|
||||
|
||||
### Step 2.2 - Identify Anomalies
|
||||
- Compare current activity against the 30-day baseline
|
||||
- Flag events exceeding 3 standard deviations from normal
|
||||
- Prioritize anomalies by risk score and potential business impact
|
||||
- Cross-reference with threat intelligence for known IOCs
|
||||
|
||||
## Phase 3: Investigation and Correlation
|
||||
|
||||
### Step 3.1 - Deep Dive Analysis
|
||||
- For each anomaly, collect full process tree context
|
||||
- Correlate with network activity, file operations, and authentication events
|
||||
- Check binary signatures, file hashes, and certificate validity
|
||||
- Review user account context and access patterns
|
||||
|
||||
### Step 3.2 - Attack Chain Reconstruction
|
||||
- Map findings to MITRE ATT&CK kill chain stages
|
||||
- Identify initial access vector if applicable
|
||||
- Trace lateral movement and privilege escalation paths
|
||||
- Determine data access and potential exfiltration
|
||||
|
||||
## Phase 4: Validation and Response
|
||||
|
||||
### Step 4.1 - True/False Positive Determination
|
||||
- Verify findings with system owners and IT operations
|
||||
- Check change management records for authorized activities
|
||||
- Validate user context (authorized actions vs. compromised account)
|
||||
- Document determination rationale for each finding
|
||||
|
||||
### Step 4.2 - Response Actions
|
||||
- For confirmed threats: initiate incident response procedures
|
||||
- For detection gaps: create or update detection rules
|
||||
- For false positives: tune existing rules and update exclusions
|
||||
- Update threat hunting playbook with lessons learned
|
||||
|
||||
## Phase 5: Documentation and Reporting
|
||||
|
||||
### Step 5.1 - Hunt Report
|
||||
- Summarize hypothesis, methodology, and findings
|
||||
- Include all queries executed and their results
|
||||
- Document IOCs discovered and detection rules created
|
||||
- Provide recommendations for security improvements
|
||||
|
||||
### Step 5.2 - Knowledge Base Update
|
||||
- Add findings to threat intelligence platform
|
||||
- Update MITRE ATT&CK coverage heatmap
|
||||
- Share detection rules via Sigma format
|
||||
- Schedule follow-up hunts for related techniques
|
||||
@@ -0,0 +1,87 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Mimikatz Detection - Analyzes logs for T1003.001 indicators."""
|
||||
|
||||
import json, csv, argparse, datetime, re
|
||||
from collections import defaultdict
|
||||
from pathlib import Path
|
||||
|
||||
DETECTION_PATTERNS = [
|
||||
r'sekurlsa::',
|
||||
r'lsadump::',
|
||||
r'kerberos::list',
|
||||
r'privilege::debug',
|
||||
r'token::elevate',
|
||||
r'dpapi::',
|
||||
r'vault::cred',
|
||||
r'crypto::cng',
|
||||
r'Invoke-Mimikatz',
|
||||
r'mimikatz',
|
||||
r'gentilkiwi',
|
||||
]
|
||||
|
||||
def parse_logs(path):
|
||||
p = Path(path)
|
||||
if p.suffix == ".json":
|
||||
with open(p, encoding="utf-8") as f:
|
||||
data = json.load(f)
|
||||
return data if isinstance(data, list) else data.get("events", [])
|
||||
elif p.suffix == ".csv":
|
||||
with open(p, encoding="utf-8-sig") as f:
|
||||
return [dict(r) for r in csv.DictReader(f)]
|
||||
return []
|
||||
|
||||
def analyze_event(event):
|
||||
cmd = event.get("CommandLine", event.get("command_line", event.get("ProcessCommandLine", "")))
|
||||
content = event.get("Task_Content", event.get("Parameters", event.get("RawEventData", "")))
|
||||
search_text = f"{cmd} {content}"
|
||||
risk = 0
|
||||
indicators = []
|
||||
for pattern in DETECTION_PATTERNS:
|
||||
if re.search(pattern, search_text, re.IGNORECASE):
|
||||
risk += 25
|
||||
indicators.append(f"Pattern match: {pattern}")
|
||||
if not indicators:
|
||||
return None
|
||||
risk = min(risk, 100)
|
||||
return {
|
||||
"technique": "T1003.001",
|
||||
"command_line": cmd[:500] if cmd else content[:500],
|
||||
"hostname": event.get("Computer", event.get("DeviceName", event.get("hostname", "unknown"))),
|
||||
"user": event.get("User", event.get("AccountName", event.get("UserId", "unknown"))),
|
||||
"timestamp": event.get("_time", event.get("timestamp", event.get("UtcTime", event.get("Timestamp", "")))),
|
||||
"risk_score": risk,
|
||||
"risk_level": "CRITICAL" if risk >= 75 else "HIGH" if risk >= 50 else "MEDIUM" if risk >= 25 else "LOW",
|
||||
"indicators": indicators,
|
||||
}
|
||||
|
||||
def run_hunt(input_path, output_dir):
|
||||
print(f"[*] Mimikatz Hunt - {datetime.datetime.now().isoformat()}")
|
||||
events = parse_logs(input_path)
|
||||
findings = [f for f in (analyze_event(e) for e in events) if f]
|
||||
Path(output_dir).mkdir(parents=True, exist_ok=True)
|
||||
slug = "detecting_mimikatz_e"
|
||||
with open(Path(output_dir) / f"{slug}_findings.json", "w", encoding="utf-8") as f:
|
||||
json.dump({"hunt_id": f"TH-{datetime.date.today()}", "total_events": len(events), "findings": findings}, f, indent=2)
|
||||
with open(Path(output_dir) / "hunt_report.md", "w", encoding="utf-8") as f:
|
||||
f.write(f"# Mimikatz Hunt Report\n\n")
|
||||
f.write(f"**Date**: {datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
|
||||
f.write(f"**Findings**: {len(findings)}\n\n")
|
||||
for finding in sorted(findings, key=lambda x: x["risk_score"], reverse=True)[:20]:
|
||||
f.write(f"### [{finding['risk_level']}] {finding['technique']}\n")
|
||||
f.write(f"- **Host**: {finding['hostname']}\n")
|
||||
f.write(f"- **Indicators**: {', '.join(finding['indicators'])}\n\n")
|
||||
print(f"[+] {len(findings)} findings written to {output_dir}")
|
||||
|
||||
def main():
|
||||
p = argparse.ArgumentParser(description="Mimikatz Detection")
|
||||
sp = p.add_subparsers(dest="cmd")
|
||||
h = sp.add_parser("hunt"); h.add_argument("--input", "-i", required=True); h.add_argument("--output", "-o", default="./detecting_mimik_output")
|
||||
sp.add_parser("queries")
|
||||
args = p.parse_args()
|
||||
if args.cmd == "hunt": run_hunt(args.input, args.output)
|
||||
elif args.cmd == "queries":
|
||||
print("=== Detection Queries ===")
|
||||
print("See references/workflows.md for platform-specific queries")
|
||||
else: p.print_help()
|
||||
|
||||
if __name__ == "__main__": main()
|
||||
Reference in New Issue
Block a user