Does this skill require specific logging to be enabled?

Yes, it requires Windows Security Event Logs (like 4624 and 4672), Sysmon (EventCodes 1, 3, 17, 18), and network flow data for effective correlation.

Which frameworks does this skill support?

This skill is mapped to five major frameworks: MITRE ATT&CK (TA0008), NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.

What is lateral movement detection?

It is the process of identifying an attacker's movement between internal hosts after they have gained initial access to a network, often to reach more sensitive data or systems.

Can it detect Pass-the-Hash and Golden Ticket attacks?

Yes, it includes specific SPL queries for detecting Pass-the-Hash via NTLM network logons and Golden/Silver Ticket attacks via abnormal Kerberos ticket properties.

Can I use this for external attack detection?

No, this skill is specifically focused on internal host-to-host pivot activity. It should not be used for detecting initial access or external perimeter attacks.

Lateral Movement Detection

Name: Lateral Movement Detection
Author: mukul975

bymukul975

•

4,121

•

セキュリティとテスト

Detects and analyzes internal network pivoting techniques by correlating Windows event logs, Sysmon telemetry, and network flow data.

This skill empowers security analysts and AI agents to identify attackers moving through a network post-compromise. It provides pre-configured SIEM queries and detection logic for common lateral movement techniques such as Pass-the-Hash, remote execution via PsExec or WMI, and RDP pivoting. By mapping these activities to the MITRE ATT&CK framework (TA0008), it helps SOC teams build robust monitoring, investigate incident paths, and close security gaps identified during red team exercises.

主な機能

014,121 GitHub stars

02Correlation logic for DCOM and remote scheduled task creation

03Multi-vector detection for PtH, PsExec, WMI, RDP, and SMB spreading

04MITRE ATT&CK TA0008 framework mapping and alignment

05Attack path visualization and movement graph generation logic

06Pre-configured Splunk (SPL) queries for Event Logs and Sysmon

ユースケース

01SOC analysts investigating potential breaches after initial access

02Incident response teams mapping an attacker's movement path during an investigation

03Detection engineers building alerting rules for internal network traffic

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-lateral-movement-detection

For use in Claude.ai and ChatGPT

主な機能

014,121 GitHub stars

02Correlation logic for DCOM and remote scheduled task creation

03Multi-vector detection for PtH, PsExec, WMI, RDP, and SMB spreading

04MITRE ATT&CK TA0008 framework mapping and alignment

05Attack path visualization and movement graph generation logic

06Pre-configured Splunk (SPL) queries for Event Logs and Sysmon

ユースケース

01SOC analysts investigating potential breaches after initial access

02Incident response teams mapping an attacker's movement path during an investigation

03Detection engineers building alerting rules for internal network traffic

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-lateral-movement-detection

For use in Claude.ai and ChatGPT