Detects credential dumping attacks like LSASS access via Sysmon Event ID 10, SAM exports, NTDS.dit theft using Windows security logs and SIEM correlation rules. For Windows threat hunting.
Trigger: slash command (by the user, by Claude, or both)
/cybersecurity-skills-zh:detecting-credential-dumping-techniques

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique in which an attacker extracts authentication credentials from operating system memory, registry hives, or the domain controller database. This skill covers detecting LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and abuse of the comsvcs.dll MiniDump. The detection rules analyze the GrantedAccess bitmask, suspicious calling processes, and known tool signatures.
Output: a JSON report of detected credential dumping indicators, including technique classification, severity rating, process details, MITRE ATT&CK mapping, and Splunk/Elastic detection queries.
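The GrantedAccess bitmask analysis for Sysmon Event ID 10 described above, as an added Python example that is not the skill's own code: the allowlist of source images, the severity thresholds, and the event records are constructed assumptions that a real deployment would tune.

```python
"""Classify Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe
by the GrantedAccess mask and the calling (source) process. Added example."""
from typing import Optional

# Access-right bits from the Windows PROCESS_* constants.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist of source images that legitimately open LSASS; tune per estate.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def classify_lsass_access(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious LSASS access, or None if benign."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    source = event["SourceImage"].lower()
    if source in ALLOWLIST:
        return None
    mask = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as "0x..."
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS or mask & PROCESS_VM_WRITE:
        severity = "critical"  # full or write access to LSASS memory
    elif mask & PROCESS_VM_READ:
        severity = "high"  # read access is enough to copy credential material
    else:
        return None  # e.g. 0x1000 query-only access, common for monitoring agents
    return {"technique": "T1003.001", "severity": severity, "source": source,
            "granted_access": hex(mask)}

def scan(events: list) -> list:
    """Run the classifier over a batch of Sysmon events; keep only findings."""
    return [f for f in map(classify_lsass_access, events) if f is not None]

# Constructed sample events (not real telemetry).
LSASS = r"C:\Windows\system32\lsass.exe"
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 1, "SourceImage": r"C:\Temp\tool.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```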
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh

Detects LSASS credential dumping, SAM hive extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM rules. For SOC threat hunting and detection rule building.
Detects credential dumping techniques (LSASS, SAM, NTDS.dit) using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules for SOC investigations.
Detects credential dumping techniques (LSASS access, SAM extraction, NTDS.dit theft) using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules.