Can this skill be used to generate incident reports?

Yes, it includes a standardized output format (Hunt ID, evidence, risk level, etc.) to help document findings during a security investigation.

Does this skill map to industry security frameworks?

Yes, it is fully mapped to MITRE ATT&CK (T1550.002), NIST CSF 2.0, D3FEND, and the NIST AI Risk Management Framework.

How does this skill help in threat hunting?

It provides structured workflows and detection patterns to identify anomalous NTLM logons and correlate them with credential access events across EDR and SIEM platforms.

Which security platforms are supported for detection?

The skill offers guidance and query logic for various platforms including CrowdStrike Falcon, Microsoft Defender for Endpoint (MDE), Splunk, Elastic Security, and Sysmon.

What is a Pass-the-Hash (PtH) attack?

Pass-the-Hash is a credential access and lateral movement technique where an attacker uses a stolen NTLM hash, rather than a plaintext password, to authenticate to a remote server or service.

Detecting Pass-the-Hash Attacks

Name: Detecting Pass-the-Hash Attacks
Author: mukul975

bymukul975

•

4,121

•

セキュリティとテスト

Detects and analyzes Pass-the-Hash (PtH) attacks by monitoring NTLM authentication patterns and correlating credential dumping telemetry.

This skill provides specialized guidance for identifying and hunting Pass-the-Hash (PtH) attacks within Windows environments by analyzing NTLM Type 3 logon patterns where Kerberos is typically expected. It enables AI agents to correlate suspicious authentication activity with credential dumping indicators, leveraging telemetry from EDR platforms like CrowdStrike or Microsoft Defender and SIEM logs. Designed for incident responders and threat hunters, it maps directly to MITRE ATT&CK technique T1550.002 to help validate security hypotheses, scope potential compromises, and provide standardized reporting for forensic investigations.

主な機能

014,121 GitHub stars

02Provides a standardized output format for incident response documentation

03Analyzes NTLM Type 3 logon patterns for anomalous lateral movement

04Maps findings to MITRE ATT&CK (T1550.002) and NIST CSF 2.0 frameworks

05Supports multi-platform query generation for KQL, SPL, and Sigma rules

06Correlates credential dumping telemetry with authentication events

ユースケース

01Validating security controls during purple team or red team exercises

02Proactively hunting for lateral movement indicators in enterprise environments

03Scoping compromises during incident response after suspected credential theft

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-pass-the-hash-attacks

For use in Claude.ai and ChatGPT

主な機能

014,121 GitHub stars

02Provides a standardized output format for incident response documentation

03Analyzes NTLM Type 3 logon patterns for anomalous lateral movement

04Maps findings to MITRE ATT&CK (T1550.002) and NIST CSF 2.0 frameworks

05Supports multi-platform query generation for KQL, SPL, and Sigma rules

06Correlates credential dumping telemetry with authentication events

ユースケース

01Validating security controls during purple team or red team exercises

02Proactively hunting for lateral movement indicators in enterprise environments

03Scoping compromises during incident response after suspected credential theft

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-pass-the-hash-attacks

For use in Claude.ai and ChatGPT