mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 05:34:55 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.6 KiB
1.6 KiB
API Reference: Detecting Mimikatz Execution Patterns
Mimikatz Command Signatures
| Command | MITRE | Impact |
|---|---|---|
sekurlsa::logonpasswords |
T1003.001 | Dump all credentials |
lsadump::dcsync |
T1003.006 | DCSync attack |
kerberos::golden |
T1558.001 | Golden Ticket |
kerberos::ptt |
T1550.003 | Pass-the-Ticket |
lsadump::sam |
T1003.002 | SAM dump |
misc::skeleton |
T1556.001 | Skeleton Key |
LSASS Dump Techniques
| Method | Detection Pattern |
|---|---|
| comsvcs.dll MiniDump | rundll32.*comsvcs.*MiniDump |
| ProcDump | procdump.*-ma.*lsass |
| SQLDumper | sqldumper.*lsass |
| .NET createdump | createdump.*lsass |
| PowerShell | Out-Minidump.*lsass |
Sysmon Detection Events
| Event ID | Usage |
|---|---|
| 1 | Process Create (mimikatz.exe) |
| 7 | Image Loaded (sekurlsa.dll) |
| 10 | Process Access (LSASS access mask) |
Splunk SPL Detection
index=sysmon (EventCode=1 OR EventCode=10)
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::golden|privilege::debug)")
OR (TargetImage="*\\lsass.exe" AND GrantedAccess IN ("0x1010","0x1FFFFF"))
| table _time Image CommandLine GrantedAccess Computer
YARA Rule
rule Mimikatz_Strings {
strings:
$s1 = "sekurlsa::logonpasswords" ascii wide
$s2 = "lsadump::dcsync" ascii wide
$s3 = "kerberos::golden" ascii wide
$s4 = "mimilib" ascii wide
condition:
any of them
}
CLI Usage
python agent.py --evtx-file Sysmon.evtx
python agent.py --text-log process_audit.log