mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,41 @@
|
||||
# Standards and References - Detecting Mimikatz Execution Patterns
|
||||
|
||||
## MITRE ATT&CK Mappings
|
||||
|
||||
| Technique | Name | Description |
|
||||
|-----------|------|-------------|
|
||||
| T1003.001 | LSASS Memory | See attack.mitre.org/techniques/T1003/001 |
|
||||
| T1003.006 | DCSync | See attack.mitre.org/techniques/T1003/006 |
|
||||
| T1558.003 | Kerberoasting | See attack.mitre.org/techniques/T1558/003 |
|
||||
| T1558.001 | Golden Ticket | See attack.mitre.org/techniques/T1558/001 |
|
||||
|
||||
## Detection Data Sources
|
||||
|
||||
| Source | Event ID | Purpose |
|
||||
|--------|----------|---------|
|
||||
| Sysmon | 1 | Process creation with command line |
|
||||
| Sysmon | 3 | Network connection initiated |
|
||||
| Sysmon | 7 | Image loaded (DLL) |
|
||||
| Sysmon | 10 | Process access (LSASS) |
|
||||
| Sysmon | 11 | File creation |
|
||||
| Sysmon | 12/13 | Registry create/set |
|
||||
| Sysmon | 22 | DNS query |
|
||||
| Sysmon | 25 | Process tampering |
|
||||
| Windows Security | 4624 | Successful logon |
|
||||
| Windows Security | 4625 | Failed logon |
|
||||
| Windows Security | 4648 | Explicit credential logon |
|
||||
| Windows Security | 4672 | Special privileges assigned |
|
||||
| Windows Security | 4688 | Process creation |
|
||||
| Windows Security | 4697 | Service installed |
|
||||
| Windows Security | 4698 | Scheduled task created |
|
||||
| Windows Security | 4769 | Kerberos TGS requested |
|
||||
| Windows Security | 5140 | Network share accessed |
|
||||
|
||||
## References
|
||||
|
||||
- MITRE ATT&CK Framework: https://attack.mitre.org/
|
||||
- Sigma Detection Rules: https://github.com/SigmaHQ/sigma
|
||||
- LOLBAS Project: https://lolbas-project.github.io/
|
||||
- Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
|
||||
- Red Canary Threat Detection Report
|
||||
- SANS Threat Hunting Summit Resources
|
||||
@@ -0,0 +1,73 @@
|
||||
# Detailed Hunting Workflow - Detecting Mimikatz Execution Patterns
|
||||
|
||||
## Phase 1: Data Collection and Querying
|
||||
|
||||
### Splunk SPL Query
|
||||
```spl
|
||||
index=sysmon EventCode=1
|
||||
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|privilege::debug|token::elevate|dpapi::)")
|
||||
| table _time Computer User Image CommandLine ParentImage
|
||||
```
|
||||
|
||||
### KQL Query (Microsoft Defender for Endpoint)
|
||||
```kql
|
||||
DeviceProcessEvents
|
||||
| where ProcessCommandLine has_any ("sekurlsa","lsadump","kerberos::","privilege::debug")
|
||||
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
|
||||
```
|
||||
|
||||
## Phase 2: Baseline and Anomaly Detection
|
||||
|
||||
### Step 2.1 - Establish Normal Behavior Baseline
|
||||
- Collect 30 days of historical data for the targeted technique
|
||||
- Document expected patterns, frequencies, and legitimate use cases
|
||||
- Identify known false positive sources and document exceptions
|
||||
- Build statistical baseline (mean, standard deviation) for key metrics
|
||||
|
||||
### Step 2.2 - Identify Anomalies
|
||||
- Compare current activity against the 30-day baseline
|
||||
- Flag events exceeding 3 standard deviations from normal
|
||||
- Prioritize anomalies by risk score and potential business impact
|
||||
- Cross-reference with threat intelligence for known IOCs
|
||||
|
||||
## Phase 3: Investigation and Correlation
|
||||
|
||||
### Step 3.1 - Deep Dive Analysis
|
||||
- For each anomaly, collect full process tree context
|
||||
- Correlate with network activity, file operations, and authentication events
|
||||
- Check binary signatures, file hashes, and certificate validity
|
||||
- Review user account context and access patterns
|
||||
|
||||
### Step 3.2 - Attack Chain Reconstruction
|
||||
- Map findings to MITRE ATT&CK kill chain stages
|
||||
- Identify initial access vector if applicable
|
||||
- Trace lateral movement and privilege escalation paths
|
||||
- Determine data access and potential exfiltration
|
||||
|
||||
## Phase 4: Validation and Response
|
||||
|
||||
### Step 4.1 - True/False Positive Determination
|
||||
- Verify findings with system owners and IT operations
|
||||
- Check change management records for authorized activities
|
||||
- Validate user context (authorized actions vs. compromised account)
|
||||
- Document determination rationale for each finding
|
||||
|
||||
### Step 4.2 - Response Actions
|
||||
- For confirmed threats: initiate incident response procedures
|
||||
- For detection gaps: create or update detection rules
|
||||
- For false positives: tune existing rules and update exclusions
|
||||
- Update threat hunting playbook with lessons learned
|
||||
|
||||
## Phase 5: Documentation and Reporting
|
||||
|
||||
### Step 5.1 - Hunt Report
|
||||
- Summarize hypothesis, methodology, and findings
|
||||
- Include all queries executed and their results
|
||||
- Document IOCs discovered and detection rules created
|
||||
- Provide recommendations for security improvements
|
||||
|
||||
### Step 5.2 - Knowledge Base Update
|
||||
- Add findings to threat intelligence platform
|
||||
- Update MITRE ATT&CK coverage heatmap
|
||||
- Share detection rules via Sigma format
|
||||
- Schedule follow-up hunts for related techniques
|
||||
Reference in New Issue
Block a user