mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
# Detecting Suspicious PowerShell Execution - Hunt Template

## Hunt Metadata
| Field | Value |
|---|---|
| Hunt ID | TH-DETECT-YYYY-MM-DD-NNN |
| Analyst | |
| Date Started | |
| Date Completed | |
| Status | [ ] In Progress / [ ] Complete |
| Priority | [ ] Critical / [ ] High / [ ] Medium / [ ] Low |
## Hypothesis
Statement: [Formulate a clear, testable hypothesis]
Basis: [ ] Threat Intel / [ ] ATT&CK Gap / [ ] Anomaly / [ ] Incident Follow-up
## Target Techniques
- T1059.001 - PowerShell
- T1059.003 - Windows Command Shell
- T1562.001 - Disable or Modify Tools
## Data Sources
- Sysmon Event Logs
- Windows Security Event Logs
- EDR Telemetry (Platform: _____________)
- SIEM (Platform: _____________)
- Network Logs (Proxy/Firewall/DNS)
- Cloud Audit Logs
- Email Gateway Logs
- Application Logs
## Queries Executed

### Query 1: [Description]

```
[Query text]
```

Results: [Count] events | Execution Time: [Duration]

### Query 2: [Description]

```
[Query text]
```

Results: [Count] events | Execution Time: [Duration]
## Findings

| # | Timestamp | Host | User | Technique | Evidence Summary | Risk | Verdict |
|---|---|---|---|---|---|---|---|
| 1 | | | | | | | TP / FP / BTP |
| 2 | | | | | | | TP / FP / BTP |
| 3 | | | | | | | TP / FP / BTP |
## IOCs Discovered

### Network IOCs

| Type | Value | Context | Confidence |
|---|---|---|---|
| IP | | | |
| Domain | | | |
| URL | | | |

### Host IOCs

| Type | Value | Context | Confidence |
|---|---|---|---|
| SHA256 | | | |
| Filename | | | |
| Registry Key | | | |
| Scheduled Task | | | |
## Hunt Results Summary

| Metric | Count |
|---|---|
| Total Events Analyzed | |
| Anomalies Identified | |
| True Positives | |
| False Positives | |
| Benign True Positives | |
| New IOCs Discovered | |
| Detection Rules Created | |
| Detection Rules Updated | |
## Hypothesis Outcome
- Confirmed: Evidence supports the hypothesis
- Partially Confirmed: Some evidence found, further investigation needed
- Refuted: No evidence found
- Inconclusive: Insufficient data
## Recommendations
- Immediate Actions: [Containment, remediation steps]
- Detection Improvements: [New rules, tuning recommendations]
- Visibility Gaps: [Missing data sources, coverage needs]
- Security Hardening: [Configuration changes, policy updates]
- Follow-up Hunts: [Related hypotheses to investigate]
## Analyst Notes
[Free-form notes, observations, and lessons learned]