threat-hunting▌
67 indexed skills · max 10 per page
detecting-dll-sideloading-attacks
mukul975/Anthropic-Cybersecurity-Skills · detecting-dll-sideloading-attacks
Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.
detecting-process-hollowing-technique
mukul975/Anthropic-Cybersecurity-Skills · detecting-process-hollowing-technique
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.
detecting-network-anomalies-with-zeek
mukul975/Anthropic-Cybersecurity-Skills · detecting-network-anomalies-with-zeek
Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.
analyzing-cobaltstrike-malleable-c2-profiles
mukul975/Anthropic-Cybersecurity-Skills · analyzing-cobaltstrike-malleable-c2-profiles
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
detecting-living-off-the-land-with-lolbas
mukul975/Anthropic-Cybersecurity-Skills · detecting-living-off-the-land-with-lolbas
Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis
hunting-for-suspicious-scheduled-tasks
mukul975/Anthropic-Cybersecurity-Skills · hunting-for-suspicious-scheduled-tasks
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.
hunting-for-dcom-lateral-movement
mukul975/Anthropic-Cybersecurity-Skills · hunting-for-dcom-lateral-movement
Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.
detecting-malicious-scheduled-tasks-with-sysmon
mukul975/Anthropic-Cybersecurity-Skills · detecting-malicious-scheduled-tasks-with-sysmon
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.
hunting-for-startup-folder-persistence
mukul975/Anthropic-Cybersecurity-Skills · hunting-for-startup-folder-persistence
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
hunting-for-living-off-the-land-binaries
mukul975/Anthropic-Cybersecurity-Skills · hunting-for-living-off-the-land-binaries
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.