mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# Active Directory Compromise Investigation - API Reference
## Windows Security Event IDs
| Event ID | Description | Compromise Indicator |
|----------|-------------|---------------------|
| 4662 | Directory service object accessed | DCSync (replication GUIDs) |
| 4769 | Kerberos service ticket requested | Kerberoasting (RC4 encryption) |
| 4768 | Kerberos TGT requested | Golden Ticket (absent for forged TGTs; see below) |
| 4672 | Special privileges assigned | Privileged logon tracking |
| 4624 | Successful logon | Lateral movement (Type 3) |
| 4648 | Logon with explicit credentials | Pass-the-hash (`sekurlsa::pth`), `runas`, PsExec (logged on the source host) |
| 4720 | User account created | Persistence |
| 4728 | Member added to global group | Privilege escalation |
| 4732 | Member added to local group | Privilege escalation |
## DCSync Detection
### Replication GUIDs (Event 4662 Properties field)
| GUID | Right |
|------|-------|
| `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` | DS-Replication-Get-Changes |
| `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` | DS-Replication-Get-Changes-All |
| `89e95b76-444d-4c62-991a-0facbeda640c` | DS-Replication-Get-Changes-In-Filtered-Set |
Event 4662 carries these rights as GUIDs inside the `Properties` field, with `AccessMask = 0x100` (control access) and the domain object as the target. A DC replicating from another DC produces the same event under its computer account (`DC01$`), so exclude known DC accounts; any other `SubjectUserName` requesting these rights is DCSync (Mimikatz `lsadump::dcsync`, Impacket `secretsdump.py`). Allow-list legitimate exceptions by name, not by pattern: the Entra Connect (Azure AD Connect) `MSOL_*` sync account holds replication rights by design. The event is only generated when the Directory Service Access audit subcategory is enabled and the domain object has a matching SACL, so confirm coverage before treating silence as absence.
## Kerberoasting Detection
Event 4769 with `TicketEncryptionType = 0x17` (RC4-HMAC), `Status = 0x0` (ticket issued) and a `ServiceName` that is a user account with an SPN (not `krbtgt`, not a machine account ending in `$`). Domains with AES enabled issue service tickets as `0x11` (AES128) or `0x12` (AES256); RC4 tickets are encrypted with the service account's NT hash and crack far faster offline, so a burst of RC4 tickets for many distinct service accounts from one requester in a short window is the Kerberoasting pattern (Rubeus `kerberoast`, Impacket `GetUserSPNs.py`). Caveat: a service account whose `msDS-SupportedEncryptionTypes` lacks AES legitimately receives RC4 tickets, so baseline per service account rather than alerting on a single RC4 request.
## Golden Ticket Detection
A golden ticket is a TGT forged offline with the krbtgt key, so no DC ever issues it and no 4768 is written for it; TGT requests from workstations are normal and are not the signal. Look instead for service-ticket requests (4769) or logons (4624/4672) for an account with no preceding successful 4768 within the TGT lifetime, for accounts in 4769/4624 that do not exist in AD, for domain-name anomalies in the logon events (missing, lowercase or NetBIOS/FQDN mismatches in `TargetDomainName`, historically produced by Mimikatz `kerberos::golden`), and for RC4-encrypted TGS requests when the ticket was forged from the krbtgt NT hash. The absence check only works when the logs of every DC are collected centrally.
## Lateral Movement Detection
- **Type 3 logon** (Event 4624, `LogonType=3`): network logon used by SMB, WMI, WinRM and PsExec; logged on the target host with the source in `IpAddress`/`WorkstationName`
- **Event 4648**: a process on the source host supplied explicit credentials (`runas /netonly`, `sekurlsa::pth`, remote admin tools); logged on the source, so it pairs with a Type 3 4624 on the target
- Pattern: one source IP producing Type 3 logons on many different targets in a short window, especially when each is followed by 4672 (special privileges) on the target
## Event Log JSON Format
The agent accepts JSON-exported event logs:
```json
[
  {
    "EventID": 4769,
    "TimeCreated": "2024-01-15T10:30:00Z",
    "EventData": {
      "TargetUserName": "svc_sql",
      "ServiceName": "MSSQLSvc/db01:1433",
      "TicketEncryptionType": "0x17"
    }
  }
]
```
Export from PowerShell. Piping `Get-WinEvent` straight into `ConvertTo-Json` emits `Id`, `TimeCreated` and a positional `Properties` array rather than the `EventID`/`EventData` shape above, and the full Security log is far too large, so filter on the IDs in the table and reshape each record from its XML:
```powershell
# Filter to the event IDs the agent understands and map each record's XML EventData into named fields
$ids = 4662,4768,4769,4672,4624,4648,4720,4728,4732
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$ids} | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($p in $x.Event.EventData.Data) { $d[$p.Name] = $p.'#text' }
    [pscustomobject]@{ EventID = $_.Id; TimeCreated = $_.TimeCreated.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'"); EventData = $d }
} | ConvertTo-Json -Depth 5 | Set-Content -Encoding utf8 events.json
```
## Output Schema
```json
{
  "report": "ad_compromise_investigation",
  "total_events_analyzed": 50000,
  "total_findings": 15,
  "severity_summary": {"critical": 3, "high": 7, "medium": 5},
  "findings": [{"type": "dcsync_detected", "severity": "critical"}]
}
```
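The detections described in the DCSync, Kerberoasting, Golden Ticket and Lateral Movement sections, run over events in the JSON export format and producing the output schema above, as an added example that is not the skill's own `scripts/agent.py`. Field names inside `EventData` follow the Windows Security event XML (`SubjectUserName`, `Properties`, `AccessMask`, `TicketEncryptionType`, `Status`, `LogonType`, `IpAddress`); the top-level `Computer` key, the DC account list, the thresholds and the sample events are assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

REPLICATION_GUIDS = {                           # control-access rights seen in the 4662 Properties field
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",     # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",     # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",     # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"dc01$", "dc02$"}                # assumption: the domain's DC computer accounts
KERBEROAST_MIN_SPNS = 3                         # distinct RC4 service tickets from one requester
TGT_LIFETIME = timedelta(hours=10)              # default MaxTicketAge; tune to domain policy
LATERAL_MIN_TARGETS = 3                         # distinct hosts reached by Type 3 logons from one IP

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
def _user(name):
    return name.split("@")[0].lower()           # 4769 logs user@REALM, 4768 the bare name

def detect_dcsync(events):
    out = []
    for d in (e["EventData"] for e in events if e["EventID"] == 4662 and e["EventData"].get("AccessMask") == "0x100"):
        guids = re.findall(r"\{([0-9a-f-]{36})\}", d.get("Properties", ""), re.I)   # 0x100 = control access
        rights = {g.lower() for g in guids} & REPLICATION_GUIDS
        if rights and d.get("SubjectUserName", "").lower() not in DC_ACCOUNTS:
            out.append({"type": "dcsync_detected", "severity": "critical",
                        "account": d["SubjectUserName"], "rights": sorted(rights)})
    return out

def detect_kerberoasting(events):
    spns = defaultdict(set)
    for e in events:
        d = e["EventData"]
        if e["EventID"] != 4769 or d.get("TicketEncryptionType") != "0x17" or d.get("Status") != "0x0":
            continue
        svc = d.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue                                # krbtgt and machine accounts are not roastable
        spns[_user(d["TargetUserName"])].add(svc)
    return [{"type": "kerberoasting_detected", "severity": "high", "account": u, "services": sorted(s)}
            for u, s in spns.items() if len(s) >= KERBEROAST_MIN_SPNS]

def detect_golden_ticket(events):
    # A forged TGT has no 4768, so flag 4769 requests with no TGT request in one lifetime (needs all DCs' logs)
    tgts = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["EventData"].get("Status") == "0x0":
            tgts[_user(e["EventData"]["TargetUserName"])].append(_ts(e["TimeCreated"]))
    out = {}
    for e in events:
        if e["EventID"] != 4769:
            continue
        u, t = _user(e["EventData"]["TargetUserName"]), _ts(e["TimeCreated"])
        if not any(timedelta(0) <= t - x <= TGT_LIFETIME for x in tgts[u]):
            out.setdefault(u, {"type": "tgs_without_tgt", "severity": "medium", "account": u,
                               "service": e["EventData"].get("ServiceName")})
    return list(out.values())

def detect_lateral_movement(events):
    targets = defaultdict(set)
    for e in events:
        d = e["EventData"]
        if e["EventID"] == 4624 and d.get("LogonType") == "3" and d.get("IpAddress", "-") not in ("-", "::1", "127.0.0.1"):
            targets[d["IpAddress"]].add(e["Computer"])     # the host that logged 4624 is the target
    return [{"type": "lateral_movement_type3", "severity": "high", "source": ip, "targets": sorted(h)}
            for ip, h in targets.items() if len(h) >= LATERAL_MIN_TARGETS]

def analyze(events):
    findings = (detect_dcsync(events) + detect_kerberoasting(events)
                + detect_golden_ticket(events) + detect_lateral_movement(events))
    summary = defaultdict(int)
    for f in findings:
        summary[f["severity"]] += 1
    return {"report": "ad_compromise_investigation", "total_events_analyzed": len(events),
            "total_findings": len(findings), "severity_summary": dict(summary), "findings": findings}

def _ev(eid, ts, computer="DC01", **data):          # one constructed event in the export format above
    return {"EventID": eid, "TimeCreated": ts, "Computer": computer, "EventData": data}
def _tgs(ts, user, svc, etype):
    return _ev(4769, ts, TargetUserName=user, ServiceName=svc, TicketEncryptionType=etype, Status="0x0")

SAMPLE_EVENTS = [                                   # constructed sample input, not real telemetry
    _ev(4768, "2024-01-15T09:00:00Z", TargetUserName="jdoe", Status="0x0"),
    _tgs("2024-01-15T09:05:00Z", "jdoe@CORP.LOCAL", "svc_files", "0x12"),       # AES ticket: benign
    _tgs("2024-01-15T10:30:00Z", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    _tgs("2024-01-15T10:30:05Z", "jdoe@CORP.LOCAL", "svc_web", "0x17"),
    _tgs("2024-01-15T10:30:10Z", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),      # RC4 burst from jdoe
    _ev(4662, "2024-01-15T10:31:00Z", SubjectUserName="jdoe", AccessMask="0x100",
        Properties="%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev(4662, "2024-01-15T10:31:30Z", SubjectUserName="DC02$", AccessMask="0x100",
        Properties="%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),         # DC-to-DC: benign
    _tgs("2024-01-15T10:40:00Z", "Administrator@CORP.LOCAL", "FS01$", "0x17"),  # no 4768 for this account
    _ev(4624, "2024-01-15T10:45:00Z", "WS01", LogonType="3", IpAddress="10.0.0.5", TargetUserName="jdoe"),
    _ev(4624, "2024-01-15T10:46:00Z", "WS02", LogonType="3", IpAddress="10.0.0.5", TargetUserName="jdoe"),
    _ev(4624, "2024-01-15T10:47:00Z", "FS01", LogonType="3", IpAddress="10.0.0.5", TargetUserName="jdoe"),
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On the sample set the report contains one finding per detector: jdoe's 4662 with two replication rights (the DC02$ event is excluded by the DC allow-list), jdoe's three RC4 service tickets (the AES ticket is ignored), an Administrator service ticket with no TGT request in the preceding ten hours, and one source IP reaching three hosts over Type 3 logons. Each detector takes the whole event list so that thresholds and time windows can be tuned in one place.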
## CLI Usage
```bash
python agent.py --log events.json --output report.json
```