mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,40 @@
|
||||
# Standards and References - Detecting Suspicious Powershell Execution
|
||||
|
||||
## MITRE ATT&CK Mappings
|
||||
|
||||
| Technique | Name | Description |
|
||||
|-----------|------|-------------|
|
||||
| T1059.001 | PowerShell | See attack.mitre.org/techniques/T1059/001 |
|
||||
| T1059.003 | Windows Command Shell | See attack.mitre.org/techniques/T1059/003 |
|
||||
| T1562.001 | Disable or Modify Tools | See attack.mitre.org/techniques/T1562/001 |
|
||||
|
||||
## Detection Data Sources
|
||||
|
||||
| Source | Event ID | Purpose |
|
||||
|--------|----------|---------|
|
||||
| Sysmon | 1 | Process creation with command line |
|
||||
| Sysmon | 3 | Network connection initiated |
|
||||
| Sysmon | 7 | Image loaded (DLL) |
|
||||
| Sysmon | 10 | Process access (LSASS) |
|
||||
| Sysmon | 11 | File creation |
|
||||
| Sysmon | 12/13 | Registry create/set |
|
||||
| Sysmon | 22 | DNS query |
|
||||
| Sysmon | 25 | Process tampering |
|
||||
| Windows Security | 4624 | Successful logon |
|
||||
| Windows Security | 4625 | Failed logon |
|
||||
| Windows Security | 4648 | Explicit credential logon |
|
||||
| Windows Security | 4672 | Special privileges assigned |
|
||||
| Windows Security | 4688 | Process creation |
|
||||
| Windows Security | 4697 | Service installed |
|
||||
| Windows Security | 4698 | Scheduled task created |
|
||||
| Windows Security | 4769 | Kerberos TGS requested |
|
||||
| Windows Security | 5140 | Network share accessed |
|
||||
|
||||
## References
|
||||
|
||||
- MITRE ATT&CK Framework: https://attack.mitre.org/
|
||||
- Sigma Detection Rules: https://github.com/SigmaHQ/sigma
|
||||
- LOLBAS Project: https://lolbas-project.github.io/
|
||||
- Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
|
||||
- Red Canary Threat Detection Report
|
||||
- SANS Threat Hunting Summit Resources
|
||||
Reference in New Issue
Block a user