creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-active-directory-compromise-investigation/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.6 KiB
Raw Blame History

Active Directory Compromise Investigation - API Reference

Windows Security Event IDs

Event ID Description Compromise Indicator
4662 Directory service object accessed DCSync (replication GUIDs)
4769 Kerberos service ticket requested Kerberoasting (RC4 encryption)
4768 Kerberos TGT requested Golden Ticket (anomalous source)
4672 Special privileges assigned Privileged logon tracking
4624 Successful logon Lateral movement (Type 3)
4648 Explicit credential logon Pass-the-hash, PsExec
4720 User account created Persistence
4728 Member added to global group Privilege escalation
4732 Member added to local group Privilege escalation

DCSync Detection

Replication GUIDs (Event 4662 ObjectType)

GUID Right
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes-All
89e95b76-444d-4c62-991a-0facbeda640c DS-Replication-Get-Changes-In-Filtered-Set

When a non-DC account triggers 4662 with these GUIDs, it indicates DCSync attack (Mimikatz lsadump::dcsync).

Kerberoasting Detection

Event 4769 with TicketEncryptionType = 0x17 (RC4-HMAC) for service accounts. Normal behavior uses AES (0x11 or 0x12). RC4 requests by user accounts against service SPNs indicate offline cracking attempts.

Golden Ticket Detection

Event 4768 TGT requests from IPs that are not domain controllers. Golden tickets forged offline will show TGT requests from workstations rather than DCs.

Lateral Movement Detection

  • Type 3 logon (Event 4624, LogonType=3): Network logon via SMB, WMI, PsExec
  • Event 4648: Explicit credential use (runas, remote tools)
  • Pattern: Multiple Type 3 logons from same source to different targets

Event Log JSON Format

The agent accepts JSON-exported event logs:

[
  {
    "EventID": 4769,
    "TimeCreated": "2024-01-15T10:30:00Z",
    "EventData": {
      "TargetUserName": "svc_sql",
      "ServiceName": "MSSQLSvc/db01:1433",
      "TicketEncryptionType": "0x17"
    }
  }
]

Export from PowerShell:

Get-WinEvent -LogName Security | ConvertTo-Json -Depth 5 > events.json

Output Schema

{
  "report": "ad_compromise_investigation",
  "total_events_analyzed": 50000,
  "total_findings": 15,
  "severity_summary": {"critical": 3, "high": 7, "medium": 5},
  "findings": [{"type": "dcsync_detected", "severity": "critical"}]
}

CLI Usage

python agent.py --log events.json --output report.json
Reference in New Issue View Git Blame Copy Permalink