Stats
Actions
Tags
From asi
Detects Pass-the-Hash attacks by analyzing NTLM authentication patterns, Type 3 logons instead of Kerberos, and correlating with credential dumping in EDR/SIEM logs. For threat hunting and incident response.
How this skill is triggered — by the user, by Claude, or both
Slash command
/asi:detecting-pass-the-hash-attacksThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When proactively hunting for indicators of detecting pass the hash attacks in the environment
| Concept | Description |
|---|---|
| T1550.002 | Pass the Hash |
| T1550.003 | Pass the Ticket |
| T1078 | Valid Accounts |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1550.002
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
npx claudepluginhub plurigrid/asi --plugin asiDetects Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
Detects Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
Detects Pass-the-Hash attacks (T1550.002) by analyzing NTLM authentication patterns, unexpected NTLM type 3 logins where Kerberos expected, and credential dump associations in EDR/SIEM logs.