From cybersecurity-skills
Detects Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs. Use during threat hunting, incident response, or purple team exercises.
Slash command: /cybersecurity-skills:detecting-kerberoasting-attacks
- When proactively hunting for indicators of Kerberoasting attacks in the environment

| ATT&CK Technique ID | Technique Name |
|---|---|
| T1558.003 | Kerberoasting |
| T1558.004 | AS-REP Roasting |
| T1558.001 | Golden Ticket |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |

Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1558.003
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skills

Detects Kerberoasting attacks by monitoring anomalous Kerberos TGS requests targeting service accounts with SPNs in EDR and SIEM logs. Useful for threat hunting and incident response.
Detects Kerberoasting attacks via anomalous Kerberos TGS requests to SPN service accounts in EDR/SIEM logs. Guides threat hunting, analysis, and response workflows.
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.