mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,106 @@
|
||||
# Detecting Suspicious Powershell Execution - Hunt Template
|
||||
|
||||
## Hunt Metadata
|
||||
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Hunt ID | TH-DETECT-YYYY-MM-DD-NNN |
|
||||
| Analyst | |
|
||||
| Date Started | |
|
||||
| Date Completed | |
|
||||
| Status | [ ] In Progress / [ ] Complete |
|
||||
| Priority | [ ] Critical / [ ] High / [ ] Medium / [ ] Low |
|
||||
|
||||
## Hypothesis
|
||||
|
||||
> **Statement**: [Formulate a clear, testable hypothesis]
|
||||
>
|
||||
> **Basis**: [ ] Threat Intel / [ ] ATT&CK Gap / [ ] Anomaly / [ ] Incident Follow-up
|
||||
|
||||
## Target Techniques
|
||||
|
||||
- [ ] T1059.001 - PowerShell
|
||||
- [ ] T1059.003 - Windows Command Shell
|
||||
- [ ] T1562.001 - Disable or Modify Tools
|
||||
|
||||
## Data Sources
|
||||
|
||||
- [ ] Sysmon Event Logs
|
||||
- [ ] Windows Security Event Logs
|
||||
- [ ] EDR Telemetry (Platform: _____________)
|
||||
- [ ] SIEM (Platform: _____________)
|
||||
- [ ] Network Logs (Proxy/Firewall/DNS)
|
||||
- [ ] Cloud Audit Logs
|
||||
- [ ] Email Gateway Logs
|
||||
- [ ] Application Logs
|
||||
|
||||
## Queries Executed
|
||||
|
||||
### Query 1: [Description]
|
||||
```
|
||||
[Query text]
|
||||
```
|
||||
**Results**: [Count] events | **Execution Time**: [Duration]
|
||||
|
||||
### Query 2: [Description]
|
||||
```
|
||||
[Query text]
|
||||
```
|
||||
**Results**: [Count] events | **Execution Time**: [Duration]
|
||||
|
||||
## Findings
|
||||
|
||||
| # | Timestamp | Host | User | Technique | Evidence Summary | Risk | Verdict |
|
||||
|---|-----------|------|------|-----------|-----------------|------|---------|
|
||||
| 1 | | | | | | | TP / FP / BTP |
|
||||
| 2 | | | | | | | TP / FP / BTP |
|
||||
| 3 | | | | | | | TP / FP / BTP |
|
||||
|
||||
## IOCs Discovered
|
||||
|
||||
### Network IOCs
|
||||
| Type | Value | Context | Confidence |
|
||||
|------|-------|---------|-----------|
|
||||
| IP | | | |
|
||||
| Domain | | | |
|
||||
| URL | | | |
|
||||
|
||||
### Host IOCs
|
||||
| Type | Value | Context | Confidence |
|
||||
|------|-------|---------|-----------|
|
||||
| SHA256 | | | |
|
||||
| Filename | | | |
|
||||
| Registry Key | | | |
|
||||
| Scheduled Task | | | |
|
||||
|
||||
## Hunt Results Summary
|
||||
|
||||
| Metric | Count |
|
||||
|--------|-------|
|
||||
| Total Events Analyzed | |
|
||||
| Anomalies Identified | |
|
||||
| True Positives | |
|
||||
| False Positives | |
|
||||
| Benign True Positives | |
|
||||
| New IOCs Discovered | |
|
||||
| Detection Rules Created | |
|
||||
| Detection Rules Updated | |
|
||||
|
||||
## Hypothesis Outcome
|
||||
|
||||
- [ ] **Confirmed**: Evidence supports the hypothesis
|
||||
- [ ] **Partially Confirmed**: Some evidence found, further investigation needed
|
||||
- [ ] **Refuted**: No evidence found
|
||||
- [ ] **Inconclusive**: Insufficient data
|
||||
|
||||
## Recommendations
|
||||
|
||||
1. **Immediate Actions**: [Containment, remediation steps]
|
||||
2. **Detection Improvements**: [New rules, tuning recommendations]
|
||||
3. **Visibility Gaps**: [Missing data sources, coverage needs]
|
||||
4. **Security Hardening**: [Configuration changes, policy updates]
|
||||
5. **Follow-up Hunts**: [Related hypotheses to investigate]
|
||||
|
||||
## Analyst Notes
|
||||
|
||||
[Free-form notes, observations, and lessons learned]
|
||||
Reference in New Issue
Block a user