Can this skill be used for proactive hunting?

Absolutely. It is designed for proactive hypothesis-based hunting to find stealthy indicators of compromise that traditional automated alerts might miss.

Does this skill follow the MITRE ATT&CK framework?

Yes, it specifically maps to technique T1550.002 (Pass the Hash) and helps identify related tactics like Credential Access and Lateral Movement.

What is a Pass-the-Hash attack?

A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash and uses it to authenticate to a remote system without needing the plaintext password.

How does this skill assist in incident response?

It helps responders quickly scope the extent of a compromise by identifying which accounts and hosts were involved in lateral movement using stolen hashes.

Which security tools does this skill support?

This skill provides guidance and query patterns for major platforms including CrowdStrike Falcon, Microsoft Defender for Endpoint, Splunk, Elastic Security, and Sysmon.

Pass-the-Hash Attack Detection

Name: Pass-the-Hash Attack Detection
Author: micsapp

bymicsapp

0•

安全与测试

Identifies unauthorized credential usage by analyzing NTLM authentication patterns and correlating them with credential dumping activities.

This skill empowers Claude to act as a specialized threat hunter for identifying Pass-the-Hash (PtH) attacks within enterprise Windows environments. It provides a structured methodology for analyzing NTLM authentication patterns, specifically detecting anomalous Type 3 logons where Kerberos is the expected protocol. By leveraging telemetry from EDR platforms like CrowdStrike and Microsoft Defender for Endpoint, along with SIEM logs from Splunk or Elastic, this skill enables security professionals to proactively discover lateral movement and unauthorized access indicators across the attack surface.

主要功能

010 GitHub stars

02Correlation with credential dumping (MITRE T1550.002)

03NTLM authentication pattern analysis

04Standardized threat hunting reporting format

05Cross-platform query generation for EDR and SIEM tools

06Type 3 logon anomaly detection

使用场景

01Incident response scoping following a suspected credential breach

02Proactive threat hunting for lateral movement indicators

03Purple team exercises to validate organizational defensive coverage

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-pass-the-hash-attacks

For use in Claude.ai and ChatGPT

主要功能

010 GitHub stars

02Correlation with credential dumping (MITRE T1550.002)

03NTLM authentication pattern analysis

04Standardized threat hunting reporting format

05Cross-platform query generation for EDR and SIEM tools

06Type 3 logon anomaly detection

使用场景

01Incident response scoping following a suspected credential breach

02Proactive threat hunting for lateral movement indicators

03Purple team exercises to validate organizational defensive coverage

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-pass-the-hash-attacks

For use in Claude.ai and ChatGPT