creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-privilege-escalation-attempts/references/api-reference.md
T

1.3 KiB
Raw Blame History

API Reference: Detecting Privilege Escalation Attempts

Windows Privilege Escalation Techniques

Technique MITRE ID Detection
UAC Bypass T1548.002 eventvwr.exe, fodhelper.exe
Token Manipulation T1134 SeDebugPrivilege (Event 4672)
Service Modification T1543.003 sc config binpath=
Potato Exploits T1134.001 JuicyPotato, PrintSpoofer
Scheduled Task T1053.005 schtasks /ru SYSTEM

Linux Privilege Escalation Techniques

Technique MITRE ID Detection
SUID Abuse T1548.001 find -perm 4000
Sudo Exploitation T1548.003 sudo -l enumeration
Kernel Exploit T1068 DirtyPipe, PwnKit
Cron Abuse T1053.003 crontab modification

Key Windows Event IDs

Event ID Detection
4672 Special Privileges Assigned
4688 Process Creation
Sysmon 1 Process Create with cmdline

Splunk SPL

index=wineventlog (EventCode=4672 OR EventCode=4688)
| where match(PrivilegeList, "SeDebugPrivilege")
   OR match(CommandLine, "(?i)(fodhelper|juicypotato)")
| table _time User CommandLine Computer

CLI Usage

python agent.py --evtx-file Sysmon.evtx
python agent.py --text-log auth.log
Reference in New Issue View Git Blame Copy Permalink