mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.4 KiB
1.4 KiB
API Reference: Detecting Pass-the-Hash Attacks
python-evtx Library
from Evtx.Evtx import FileHeader
with open("Security.evtx", "rb") as f:
fh = FileHeader(f)
for record in fh.records():
xml_string = record.xml()
Event 4624 - NTLM Network Logon (PTH Indicator)
<Data Name="TargetUserName">admin</Data>
<Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V2</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="KeyLength">0</Data>
<Data Name="IpAddress">10.0.0.50</Data>
<Data Name="WorkstationName">ATTACKER-PC</Data>
PTH Detection Indicators
| Field | PTH Value | Normal |
|---|---|---|
| LogonType | 3 (Network) | Various |
| AuthenticationPackageName | NTLM | Kerberos |
| LogonProcessName | NtLmSsp | Kerberos |
| KeyLength | 0 | 128 |
| LmPackageName | NTLM V1 (weaker) | NTLM V2 |
Detection Logic
- Filter 4624 where LogonType=3 AND AuthenticationPackageName=NTLM
- Flag events with KeyLength=0 (hash-only authentication)
- Detect same account authenticating from 3+ different source IPs
- Detect account used from 3+ different workstation names
- Correlate with process creation (4688) for post-exploitation activity
MITRE ATT&CK
- T1550.002 - Pass the Hash
- T1078 - Valid Accounts