Stats
Actions
Tags
From cybersec-toolkit
Hunts for service account abuse via anomalous interactive logons, privilege escalation, and lateral movement using EDR and SIEM platforms with predefined queries.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersec-toolkit:detecting-service-account-abuseThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When proactively hunting for indicators of detecting service account abuse in the environment
| Concept | Description |
|---|---|
| T1078.002 | Domain Accounts |
| T1078.001 | Default Accounts |
| T1021 | Remote Services |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078.002
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkitHunts for service account abuse via anomalous interactive logons, privilege escalation, and lateral movement using EDR and SIEM platforms with predefined queries.
Detects service account abuse through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns in EDR/SIEM logs. For threat hunting, incident response, and security assessments.
Detects service account abuse via abnormal interactive logins, privilege escalations, lateral movement, and unauthorized access in EDR/SIEM logs. Useful for threat hunting, incident response, and security assessments.