mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-16 16:03:17 +03:00
mukul975
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.5 KiB
2.5 KiB
API Reference: T1003 Credential Dumping Detection
MITRE ATT&CK T1003 Sub-Techniques
| Sub-technique | Name | Detection |
|---|---|---|
| T1003.001 | LSASS Memory | Sysmon Event 10 |
| T1003.002 | SAM Registry | Event 4688 |
| T1003.003 | NTDS.dit | Event 4688, VSS events |
| T1003.004 | LSA Secrets | Registry access |
| T1003.005 | Cached Domain Creds | Registry access |
| T1003.006 | DCSync | Event 4662 |
Sysmon Events for Credential Dumping
Event ID 10 — ProcessAccess
| Field | Description |
|---|---|
| SourceProcessId | PID of accessing process |
| SourceImage | Path of accessing process |
| TargetProcessId | PID of target (lsass.exe) |
| TargetImage | Path of target process |
| GrantedAccess | Access mask |
Suspicious Access Masks
| Mask | Meaning |
|---|---|
| 0x1010 | QUERY_LIMITED + VM_READ |
| 0x1FFFFF | PROCESS_ALL_ACCESS |
| 0x1410 | QUERY_INFO + VM_READ |
| 0x0040 | DUP_HANDLE |
Event ID 1 — ProcessCreate
<Data Name="Image">C:\tools\mimikatz.exe</Data>
<Data Name="CommandLine">mimikatz.exe "sekurlsa::logonpasswords"</Data>
Windows Security Event Log
Event 4688 — Process Creation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}
Event 4662 — Object Access (DCSync detection)
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes
Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} # DS-Replication-Get-Changes-All
CrowdStrike Falcon — Detection Query
Search for credential access alerts
GET https://api.crowdstrike.com/detects/queries/detects/v1
?filter=behaviors.tactic:'Credential Access'
Authorization: Bearer {token}
Microsoft Defender ATP — Advanced Hunting
LSASS Access KQL
DeviceProcessEvents
| where FileName == "lsass.exe"
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe")
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName
Sigma Rules
LSASS Memory Access
title: LSASS Memory Access by Non-System Process
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1010'
- '0x1FFFFF'
filter:
SourceImage|endswith:
- '\svchost.exe'
- '\csrss.exe'
condition: selection and not filter
level: critical