Detects Pass-the-Hash attacks (T1550.002) by analyzing NTLM authentication patterns, unexpected NTLM type 3 logins where Kerberos expected, and credential dump associations in EDR/SIEM logs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:detecting-pass-the-hash-attacks
The summary Claude sees in its skill listing — used to decide when to auto-load this skill:
- When proactively hunting for Pass-the-Hash attack indicators in the environment
| Concept | Description |
|---|---|
| T1550.002 | Pass the Hash |
| T1550.003 | Pass the Ticket |
| T1078 | Valid Accounts |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1550.002
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Contain/Investigate/Monitor]
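As an added example that is not part of this skill or the killvxk/cybersecurity-skills-zh project, the Python below implements the detection logic described at the top of the page over constructed, already-parsed Windows Security 4624 logon records and Sysmon Event ID 10 (lsass.exe access) records, and emits findings in the template above. All hosts, users, IPs, timestamps and field names are constructed assumptions; the baseline rule (flag Type 3 NTLM logons only for accounts that otherwise authenticate with Kerberos) is one reasonable reading of "NTLM where Kerberos is expected", and accounts with an NTLM-only baseline are deliberately left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). LOGONS: Security 4624 events;
# "src" is the WorkstationName/IpAddress field, "AuthPkg" the AuthenticationPackageName.
LOGONS = [
    {"ts": "2024-05-01T09:00:00", "host": "FS01", "user": "alice",
     "src": "10.0.1.20", "LogonType": 3, "AuthPkg": "Kerberos"},
    {"ts": "2024-05-01T09:05:00", "host": "FS01", "user": "alice",
     "src": "10.0.1.20", "LogonType": 3, "AuthPkg": "Kerberos"},
    {"ts": "2024-05-01T11:30:00", "host": "FS01", "user": "alice",
     "src": "10.0.7.99", "LogonType": 3, "AuthPkg": "NTLM"},   # Kerberos user, now NTLM
    {"ts": "2024-05-01T11:31:00", "host": "FS01", "user": "svc_backup",
     "src": "10.0.1.5", "LogonType": 3, "AuthPkg": "NTLM"},    # legacy service: NTLM is its baseline
]
# Sysmon EID 10 records with TargetImage lsass.exe, keyed by the accessing host's IP.
LSASS_ACCESS = [
    {"ts": "2024-05-01T11:20:00", "src": "10.0.7.99",
     "SourceImage": "C:\\Users\\Public\\unknown.exe"},       # constructed path
]

def parse(ts):
    return datetime.fromisoformat(ts)

def hunt_pth(logons, lsass_access, window=timedelta(hours=1)):
    """Flag Type 3 NTLM logons for accounts whose baseline is Kerberos and raise
    the risk when the same source host showed lsass access within `window` before."""
    pkgs = defaultdict(set)                      # per-account auth packages seen on network logons
    for e in logons:
        if e["LogonType"] == 3:
            pkgs[e["user"]].add(e["AuthPkg"])
    findings, seq = [], 0
    for e in logons:
        if not (e["LogonType"] == 3 and e["AuthPkg"] == "NTLM" and "Kerberos" in pkgs[e["user"]]):
            continue
        t = parse(e["ts"])
        dump = [a for a in lsass_access
                if a["src"] == e["src"] and timedelta(0) <= t - parse(a["ts"]) <= window]
        seq += 1
        evidence = f"4624 LogonType 3 NTLM for {e['user']} from {e['src']}"
        if dump:
            evidence += f"; lsass access by {dump[0]['SourceImage']} at {dump[0]['ts']}"
        findings.append({
            "Hunt ID": f"TH-DETECT-{t:%Y%m%d}-{seq:03d}", "Technique": "T1550.002",
            "Host": e["host"], "User": e["user"], "Evidence": evidence,
            "Risk Level": "Critical" if dump else "Medium",
            "Confidence": "High" if dump else "Low",
            "Recommended Action": "Contain" if dump else "Investigate",
        })
    return findings

if __name__ == "__main__":
    for f in hunt_pth(LOGONS, LSASS_ACCESS):
        print("\n".join(f"{k}: {v}" for k, v in f.items()))
```

Without the lsass correlation the same logon is still reported, but only at Medium risk and Low confidence, since an NTLM fallback can also be a misconfigured SPN or an IP-addressed share.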
npx claudepluginhub killvxk/cybersecurity-skills-zh