Detects service account abuse via anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access in EDR/SIEM logs. Useful for threat hunting, incident response, and security assessments.
Slash command: /cybersecurity-skills-zh:detecting-service-account-abuse

Triggered when:
- proactively hunting for service account abuse indicators in the environment
| Concept | Description |
|---|---|
| T1078.002 | Domain Accounts |
| T1078.001 | Default Accounts |
| T1021 | Remote Services |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078.002
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]
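The following is an added example, not code shipped with the skill, showing the detection logic the description refers to run over a handful of constructed Windows Security events: interactive logons (types 2/10/11) by a service account are flagged as T1078.002, escalated to Critical when a 4672 special-privileges event is seen for the same account on the same host, and network logons fanning out across several hosts are flagged as T1021 lateral movement. Each finding is emitted in the report-template fields above. The `svc_` naming prefix, the logon-type baseline, the host threshold and the sample events are all assumptions made for the example.

```python
"""Added example: flag service-account abuse in Windows Security logon events."""
from collections import defaultdict

SERVICE_PREFIX = "svc_"                 # hypothetical naming convention for service accounts
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NETWORK_LOGON_TYPE = 3                  # Network (SMB, WinRM, RPC ...)
LATERAL_HOST_THRESHOLD = 3              # distinct hosts reached via network logon before flagging

# Constructed sample events shaped like Security 4624/4672 records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:00:05", "event_id": 4624, "user": "svc_backup", "logon_type": 5,    "host": "FS01",       "src_ip": "-"},
    {"time": "2024-05-01T02:00:07", "event_id": 4624, "user": "svc_backup", "logon_type": 4,    "host": "FS01",       "src_ip": "-"},
    {"time": "2024-05-01T09:14:22", "event_id": 4624, "user": "svc_backup", "logon_type": 10,   "host": "WS-ADMIN07", "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T09:14:23", "event_id": 4672, "user": "svc_backup", "logon_type": None, "host": "WS-ADMIN07", "src_ip": "-"},
    {"time": "2024-05-01T09:20:01", "event_id": 4624, "user": "svc_sql",    "logon_type": 3,    "host": "SRV02",      "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T09:20:09", "event_id": 4624, "user": "svc_sql",    "logon_type": 3,    "host": "SRV03",      "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T09:20:15", "event_id": 4624, "user": "svc_sql",    "logon_type": 3,    "host": "DC01",       "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T10:00:00", "event_id": 4624, "user": "jdoe",       "logon_type": 2,    "host": "WS-015",     "src_ip": "-"},
]


def is_service_account(user):
    return user.lower().startswith(SERVICE_PREFIX)


def hunt(events, hunt_date="20240501"):
    """Return a list of finding dicts using the report-template fields."""
    findings = []
    privileged = set()           # (user, host) pairs that received 4672 special privileges
    lateral = defaultdict(set)   # user -> hosts reached via network logon

    # Pass 1: collect privilege assignments so interactive logons can be correlated with them.
    for e in events:
        if e["event_id"] == 4672 and is_service_account(e["user"]):
            privileged.add((e["user"], e["host"]))

    # Pass 2: evaluate logon events for service accounts only.
    for e in events:
        user, host = e["user"], e["host"]
        if e["event_id"] != 4624 or not is_service_account(user):
            continue
        if e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            escalated = (user, host) in privileged
            findings.append({
                "technique": "T1078.002",
                "host": host,
                "user": user,
                "evidence": f"{e['time']} 4624 LogonType={e['logon_type']} from {e['src_ip']}"
                            + (" followed by 4672 special privileges" if escalated else ""),
                "risk": "Critical" if escalated else "High",
                "confidence": "High",
                "action": "Contain host and investigate" if escalated else "Investigate",
            })
        elif e["logon_type"] == NETWORK_LOGON_TYPE:
            lateral[user].add(host)

    # Fan-out of network logons across many hosts is the lateral-movement signal.
    for user, hosts in sorted(lateral.items()):
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings.append({
                "technique": "T1021",
                "host": ", ".join(sorted(hosts)),
                "user": user,
                "evidence": f"network logons (LogonType=3) to {len(hosts)} hosts",
                "risk": "High",
                "confidence": "Medium",
                "action": "Investigate",
            })

    for seq, f in enumerate(findings, start=1):
        f["hunt_id"] = f"TH-DETECT-{hunt_date}-{seq:03d}"
    return findings


def format_finding(f):
    """Render one finding in the template layout used by the skill."""
    return "\n".join([
        f"Hunt ID: {f['hunt_id']}",
        f"Technique: {f['technique']}",
        f"Host: {f['host']}",
        f"User: {f['user']}",
        f"Evidence: {f['evidence']}",
        f"Risk Level: {f['risk']}",
        f"Confidence: {f['confidence']}",
        f"Recommended Action: {f['action']}",
    ])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(format_finding(finding), end="\n\n")
```

The baseline Batch/Service logons on FS01 produce no finding; the RemoteInteractive logon by svc_backup on WS-ADMIN07 becomes a Critical T1078.002 finding because a 4672 event followed on the same host, and svc_sql's network logons to three distinct hosts become a T1021 finding. Interactive logons by ordinary users (jdoe) are out of scope for this hunt and are ignored.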
npx claudepluginhub killvxk/cybersecurity-skills-zh

Detects service account abuse through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns in EDR/SIEM logs. For threat hunting, incident response, and security assessments.
Hunts for service account abuse via anomalous interactive logons, privilege escalation, and lateral movement using EDR and SIEM platforms with predefined queries.