Detects privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse on Windows/Linux. Useful for threat hunting with EDR/SIEM like CrowdStrike, Splunk, Sysmon.
Slash command: /cybersecurity-skills-zh:detecting-privilege-escalation-attempts
- When proactively hunting for indicators of privilege escalation attempts in the environment
| Concept | Description |
|---|---|
| T1134 | Access Token Manipulation |
| T1548.002 | UAC Bypass |
| T1068 | Exploitation for Privilege Escalation |
| T1574.009 | Unquoted Service Path |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1134
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]
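As a worked example of one hunt from the concept table (T1574.009, Unquoted Service Path) written up in the hunt record layout above, the following Python is added here and is not code from the cybersecurity-skills-zh skill. It runs a detection check over constructed service-install events (the field names `host`, `user`, `service` and `image_path` are assumptions, not a vendor schema) and renders each hit as a hunt record. The Windows-directory exclusion is common tuning for this hunt, not something the page specifies.

```python
"""Hunt for unquoted service paths (MITRE ATT&CK T1574.009) in service-install
telemetry and emit each hit as a hunt record in the layout shown above.

Constructed sample events: shaped like the fields a Sysmon / Windows System
log forwarder carries for a service installation. Field names are assumptions.
"""
from datetime import date

# Constructed sample telemetry (not real hosts or services).
SAMPLE_EVENTS = [
    {"host": "WS-0101", "user": "NT AUTHORITY\\SYSTEM",
     "service": "Vendor Updater",
     "image_path": r"C:\Program Files\Vendor App\updater.exe -service"},
    {"host": "WS-0101", "user": "NT AUTHORITY\\SYSTEM",
     "service": "Vendor Agent",
     "image_path": r'"C:\Program Files\Vendor App\agent.exe" -service'},
    {"host": "SRV-DB01", "user": "NT AUTHORITY\\SYSTEM",
     "service": "BackupSvc",
     "image_path": r"C:\Tools\backup\backupsvc.exe --config C:\Tools\backup\cfg.ini"},
    {"host": "SRV-DB01", "user": "NT AUTHORITY\\SYSTEM",
     "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# Common tuning (assumption for this example): binaries under the Windows
# directory sit in ACL-protected locations, so a space there is not a
# writable hijack point for a standard user. Adjust per environment.
DEFAULT_EXCLUDE_PREFIXES = ("c:\\windows\\",)


def has_unquoted_space(image_path: str) -> bool:
    """True when the executable portion of the path is unquoted and contains
    a space, i.e. the service manager may resolve an unintended binary."""
    path = image_path.strip()
    if path.startswith('"'):
        return False            # quoted: the path is resolved as one unit
    end = path.lower().find(".exe")
    # Only the part up to the executable matters; arguments may contain spaces.
    executable = path if end == -1 else path[: end + len(".exe")]
    return " " in executable


def hunt_unquoted_service_paths(events, exclude_prefixes=DEFAULT_EXCLUDE_PREFIXES):
    """Return the service-install events whose image path is unquoted and
    contains a space, minus excluded system locations."""
    hits = []
    for ev in events:
        lowered = ev["image_path"].strip().lower()
        if lowered.startswith(exclude_prefixes):
            continue
        if has_unquoted_space(ev["image_path"]):
            hits.append(ev)
    return hits


def format_hunt_record(event, seq: int, hunt_date=None) -> str:
    """Render one hit in the hunt record layout used on this page."""
    d = (hunt_date or date.today()).strftime("%Y%m%d")
    return "\n".join([
        f"Hunt ID: TH-DETECT-{d}-{seq:03d}",
        "Technique: T1574.009",
        f"Host: {event['host']}",
        f"User: {event['user']}",
        f"Evidence: service '{event['service']}' installed with ImagePath {event['image_path']}",
        "Risk Level: Medium",
        "Confidence: High",
        "Recommended Action: Investigate - check who can write to each path segment, then quote the ImagePath",
    ])


if __name__ == "__main__":
    for i, hit in enumerate(hunt_unquoted_service_paths(SAMPLE_EVENTS), start=1):
        print(format_hunt_record(hit, i))
        print()
```

Of the four constructed events only "Vendor Updater" is reported: the quoted agent path is resolved as one unit, the backup service has spaces only in its arguments, and the spooler is excluded by the Windows-directory tuning. Feeding real service-install events (for example Windows System log event 7045 fields) into `hunt_unquoted_service_paths` is a matter of mapping their fields onto the assumed names.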
npx claudepluginhub killvxk/cybersecurity-skills-zh
Detects privilege escalation techniques (token manipulation, UAC bypass, unquoted service paths, kernel exploits, sudo/doas abuse) across Windows and Linux using EDR, SIEM, and Sysmon telemetry.