From cybersec-toolkit
Hunts for adversary abuse of legitimate cloud services (Azure, AWS, GCP, SaaS) for C2, data staging, and exfiltration using EDR/SIEM telemetry and threat intelligence.
How this skill is triggered (by the user, by Claude, or both):
Slash command: /cybersec-toolkit:hunting-for-living-off-the-cloud-techniques
The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
- When proactively hunting the environment for indicators of living-off-the-cloud techniques (adversary use of legitimate cloud or web services for C2, data staging, or exfiltration)
| ATT&CK ID | Technique |
|---|---|
| T1102 | Web Service |
| T1567 | Exfiltration Over Web Service |
| T1537 | Transfer Data to Cloud Account |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Each confirmed finding is recorded in this template (the hunt ID prefix is generated by the skill; fill the bracketed fields):

```text
Hunt ID: TH-HUNTIN-[DATE]-[SEQ]
Technique: T1102
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
```
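As an added example (not part of the cybersec-toolkit skill or of any tool listed above), the following Python runs the hunt logic the technique table describes over constructed Sysmon Event ID 3-style network events (process image, destination hostname, bytes sent) and emits findings in the template above. It covers the two patterns a living-off-the-cloud hunt looks for: an unexpected process, especially a LOLBin or scripting host, talking to a legitimate web service (T1102), and an account pushing an unusual volume to cloud storage (T1567/T1537). The domain watchlist, the sanctioned-client and LOLBin lists, the 50 MiB threshold and the sample events are all assumptions constructed for the example, not indicators shipped with the skill.

```python
"""Hunt for living-off-the-cloud activity in endpoint network telemetry.

Added example; the watchlists, threshold and events below are constructed
and must be tuned to the services and clients actually sanctioned in your org.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Legitimate cloud/web-service domains adversaries commonly hide behind (constructed watchlist).
# Entries are matched as the exact host or as a parent domain of the destination.
CLOUD_SERVICE_DOMAINS = {
    "blob.core.windows.net": "Azure Blob Storage",
    "s3.amazonaws.com": "AWS S3",
    "storage.googleapis.com": "GCP Cloud Storage",
    "api.dropboxapi.com": "Dropbox API",
    "discord.com": "Discord",
    "api.telegram.org": "Telegram Bot API",
    "pastebin.com": "Pastebin",
}
# Processes expected to reach those services in this (hypothetical) environment.
SANCTIONED_CLIENTS = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                      "azcopy.exe", "aws.exe", "backupagent.exe"}
# Scripting hosts and LOLBins: any cloud-service connection from these is high signal.
LOLBIN_CLIENTS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                  "certutil.exe", "bitsadmin.exe", "curl.exe", "wscript.exe", "cscript.exe"}
UPLOAD_THRESHOLD_BYTES = 50 * 2**20  # 50 MiB per (host, user, service) in the hunt window; assumed


@dataclass(frozen=True)
class NetEvent:
    host: str
    user: str
    image: str       # process image name (Sysmon EID 3 Image, basename)
    dest_host: str   # Sysmon EID 3 DestinationHostname
    bytes_sent: int  # from flow/proxy telemetry joined to the event


@dataclass
class Finding:
    technique: str
    host: str
    user: str
    evidence: str
    risk: str
    confidence: str
    action: str


def classify_destination(hostname: str) -> str | None:
    """Return the service name if hostname is, or is under, a watchlisted domain."""
    h = hostname.lower().rstrip(".")
    for domain, service in CLOUD_SERVICE_DOMAINS.items():
        if h == domain or h.endswith("." + domain):  # suffix match on a label boundary only
            return service
    return None


def hunt(events: list[NetEvent]) -> list[Finding]:
    findings: list[Finding] = []
    reported: set[tuple[str, str, str, str]] = set()
    volume: dict[tuple[str, str, str], int] = defaultdict(int)
    for ev in events:
        service = classify_destination(ev.dest_host)
        if service is None:
            continue
        image = ev.image.lower()
        # Volume is summed for every client, sanctioned or not: exfil through a legitimate
        # client to an attacker-controlled account (T1537) is the case the threshold catches.
        volume[(ev.host, ev.user, service)] += ev.bytes_sent
        if image in SANCTIONED_CLIENTS:
            continue
        key = (ev.host, ev.user, image, service)
        if key in reported:  # repeated beacons collapse into one finding
            continue
        reported.add(key)
        lolbin = image in LOLBIN_CLIENTS
        findings.append(Finding(
            technique="T1102", host=ev.host, user=ev.user,
            evidence=f"{ev.image} connected to {ev.dest_host} ({service})",
            risk="High" if lolbin else "Medium",
            confidence="High" if lolbin else "Medium",
            action="Isolate host, capture process tree and command line" if lolbin
            else "Investigate process lineage, signer and command line",
        ))
    for (host, user, service), total in volume.items():
        if total >= UPLOAD_THRESHOLD_BYTES:
            findings.append(Finding(
                technique="T1567", host=host, user=user,
                evidence=f"{total / 2**20:.0f} MiB sent to {service} in hunt window",
                risk="High", confidence="Medium",
                action="Review uploaded objects and destination account ownership; contain if unsanctioned",
            ))
    return findings


def render(f: Finding, hunt_id: str) -> str:
    """Format a finding in the skill's report template."""
    return "\n".join([
        f"Hunt ID: {hunt_id}", f"Technique: {f.technique}", f"Host: {f.host}", f"User: {f.user}",
        f"Evidence: {f.evidence}", f"Risk Level: {f.risk}", f"Confidence: {f.confidence}",
        f"Recommended Action: {f.action}",
    ])


# Constructed sample telemetry: benign browsing, sanctioned sync, a PowerShell beacon
# to two web services, and a bulk push to S3 from an unsanctioned tool.
SAMPLE_EVENTS = [
    NetEvent("WS01", "CORP\\alice", "chrome.exe", "login.microsoftonline.com", 1_200),
    NetEvent("WS01", "CORP\\alice", "OneDrive.exe", "corp-tenant.blob.core.windows.net", 10 * 2**20),
    NetEvent("WS02", "CORP\\bob", "powershell.exe", "discord.com", 4_096),
    NetEvent("WS02", "CORP\\bob", "powershell.exe", "discord.com", 4_096),
    NetEvent("WS02", "CORP\\bob", "powershell.exe", "api.telegram.org", 2_048),
    NetEvent("WS03", "CORP\\svc_backup", "rclone.exe", "exfil-staging.s3.amazonaws.com", 30 * 2**20),
    NetEvent("WS03", "CORP\\svc_backup", "rclone.exe", "exfil-staging.s3.amazonaws.com", 30 * 2**20),
    NetEvent("WS03", "CORP\\svc_backup", "rclone.exe", "exfil-staging.s3.amazonaws.com", 30 * 2**20),
]

if __name__ == "__main__":
    for seq, finding in enumerate(hunt(SAMPLE_EVENTS), start=1):
        print(render(finding, f"TH-HUNTIN-2024-01-01-{seq:03d}"), end="\n\n")
```

The same logic maps onto the listed tools: in Defender for Endpoint the join is DeviceNetworkEvents against a domain watchlist filtered on InitiatingProcessFileName, in Splunk it is Sysmon EventCode=3 stats by host, user, image and destination, and the two branches above correspond to a Sigma rule on process-to-service pairs plus a volume-based correlation search. Expect the sanctioned-client allowlist to be the noisiest part to maintain; a client that is sanctioned on servers is often not sanctioned on workstations.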
Install: `npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit`