Stats
Actions
Tags
Detects Kerberoasting attacks by monitoring anomalous Kerberos TGS requests to SPN service accounts. Useful for threat hunting, incident response, and security assessments using EDR/SIEM tools.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:detecting-kerberoasting-attacksThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- 主动狩猎环境中 Kerberoasting 攻击指标时
| 概念 | 描述 |
|---|---|
| T1558.003 | Kerberoasting |
| T1558.004 | AS-REP Roasting |
| T1558.001 | 黄金票据(Golden Ticket) |
| 工具 | 用途 |
|---|---|
| CrowdStrike Falcon | EDR 遥测和威胁检测 |
| Microsoft Defender for Endpoint | 使用 KQL 进行高级狩猎 |
| Splunk Enterprise | 使用 SPL 查询进行 SIEM 日志分析 |
| Elastic Security | 检测规则和调查时间线 |
| Sysmon | 详细的 Windows 事件监控 |
| Velociraptor | 终端工件收集和狩猎 |
| Sigma Rules | 跨平台检测规则格式 |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1558.003
Host: [主机名]
User: [账户上下文]
Evidence: [日志条目、进程树、网络数据]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [遏制、调查、监控]
npx claudepluginhub killvxk/cybersecurity-skills-zhDetects Kerberoasting attacks via anomalous Kerberos TGS requests to SPN service accounts in EDR/SIEM logs. Guides threat hunting, analysis, and response workflows.
Detects Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs. Use during threat hunting, incident response, or purple team exercises.
Detects Kerberoasting attacks by monitoring anomalous Kerberos TGS requests targeting service accounts with SPNs in EDR and SIEM logs. Useful for threat hunting and incident response.