mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-06 07:48:57 +03:00
75 lines
2.2 KiB
Markdown
75 lines
2.2 KiB
Markdown
# Workflows - Detecting Evasion Techniques in Endpoint Logs
|
|
|
|
## Workflow 1: Evasion Technique Threat Hunt
|
|
|
|
```
|
|
[Select evasion technique to hunt]
|
|
│
|
|
├── T1055 Process Injection
|
|
├── T1070 Log Tampering
|
|
├── T1036 Masquerading
|
|
├── T1562 Security Tool Disabling
|
|
│
|
|
▼
|
|
[Craft detection query (Splunk/KQL/Elastic)]
|
|
│
|
|
▼
|
|
[Execute across 30-90 days of endpoint telemetry]
|
|
│
|
|
▼
|
|
[Triage results]
|
|
│
|
|
├── Known-good (allowlist) ──► [Add to baseline, refine query]
|
|
├── Suspicious ──► [Deep investigation]
|
|
│ │
|
|
│ ├── Correlate with other telemetry
|
|
│ ├── Check process tree
|
|
│ ├── Review network connections
|
|
│ │
|
|
│ ├── True positive ──► [Escalate to IR]
|
|
│ └── False positive ──► [Tune detection]
|
|
│
|
|
└── No results ──► [Validate logging covers technique]
|
|
```
|
|
|
|
## Workflow 2: Detection Rule Deployment
|
|
|
|
```
|
|
[Create Sigma/SIEM detection rule]
|
|
│
|
|
▼
|
|
[Test against historical data]
|
|
│
|
|
├── High false positive rate ──► [Refine exclusions]
|
|
│
|
|
└── Acceptable FP rate ──► [Deploy in alert mode]
|
|
│
|
|
▼
|
|
[Monitor for 2 weeks]
|
|
│
|
|
▼
|
|
[Review alert quality]
|
|
│
|
|
▼
|
|
[Promote to production detection]
|
|
```
|
|
|
|
## Workflow 3: Evasion Incident Response
|
|
|
|
```
|
|
[Evasion technique detected]
|
|
│
|
|
▼
|
|
[Assess scope: Which endpoints affected?]
|
|
│
|
|
▼
|
|
[Correlate with initial access and persistence]
|
|
│
|
|
▼
|
|
[Determine if adversary achieved objectives]
|
|
│
|
|
├── Active intrusion ──► [Full incident response]
|
|
│
|
|
└── Isolated event ──► [Remediate endpoint, enhance detection]
|
|
```
|