Download

Skill UI

Browse and discover 5970+ curated skills

All Development Artificial Intelligence Design & Creative Product & Business Data Science Marketing Soft Skills Productivity Engineering Languages

Search Sysmon , found 18 results

Default Newest Most Downloaded

Splunk Windows Threat Detection

analyzing-windows-event-logs-in-splunk

mukul975/Anthropic-Cybersecurity-Skills

Runs SPL queries against Windows Security, System, and Sysmon logs in Splunk to flag authentication attacks, privilege escalations, persistence, and lateral movement, helping SOC analysts, detection engineers, and responders build investigations and timelines.

Credential Dumping Detection

detecting-credential-dumping-techniques

mukul975/Anthropic-Cybersecurity-Skills

Implements detection coverage for LSASS credential dumping by correlating Sysmon Event ID 10 ProcessAccess logs, Windows Security process creations, and SIEM rules to highlight reg.exe/ntdsutil/comsvcs abuses plus MITRE mapping such as T1003 for analyst triage.

EDR Credential Dumping Detection

detecting-credential-dumping-with-edr

mukul975/Anthropic-Cybersecurity-Skills

Provides analysts with a workflow to hunt and investigate credential dumping (LSASS, SAM, NTDS, DCSync) using EDR telemetry, Sysmon access events, and AD replication monitoring.

Email Forwarding Rules Detection

detecting-email-forwarding-rules-attack

mukul975/Anthropic-Cybersecurity-Skills

Hunt for malicious email forwarding rules that adversaries use to maintain persistence, using EDR, SIEM, and telemetry data to validate findings, correlate ATT&CK T1114 indicators, and recommend containment actions.

Fileless Endpoint Detection

detecting-fileless-attacks-on-endpoints

mukul975/Anthropic-Cybersecurity-Skills

Detects fileless and in-memory attacks on endpoints by enabling Sysmon/PowerShell telemetry and hunting for PowerShell abuse, reflective injection, WMI persistence, and registry-resident tricks before malware touches disk.

LOLBA Detection Playbook

detecting-living-off-the-land-with-lolbas

mukul975/Anthropic-Cybersecurity-Skills

Detect abuse of Living Off the Land binaries such as certutil, regsvr32, mshta, and rundll32 by ingesting Sysmon and Windows event telemetry, generating Sigma rules, and analyzing parent-child process chains to score alerts and report MITRE ATT&CK mappings.

Sysmon Scheduled Task Detection

detecting-malicious-scheduled-tasks-with-sysmon

mukul975/Anthropic-Cybersecurity-Skills

Detects malicious scheduled task creation and modification by correlating Sysmon IDs 1 and 11 with Windows Event 4698/4702, highlighting persistence hunting, suspicious parent processes, public paths, and encoded commands when tracking T1053.005 activity.

Privilege Escalation Detection

detecting-privilege-escalation-attempts

mukul975/Anthropic-Cybersecurity-Skills

Workflow for hunting privilege escalation attempts across Windows and Linux, leveraging EDR/SIEM telemetry to identify token manipulation, UAC bypasses, unquoted service paths, kernel exploits, and sudo/doas abuse.

Process Injection Detection

detecting-process-injection-techniques

mukul975/Anthropic-Cybersecurity-Skills

Detects malicious process injection techniques through memory forensics, Sysmon/API monitoring, and behavioral signals, aiding EDR/SIEM teams in spotting DLL injection, hollowing, APC/thread hijacking, reflective loading, and similar stealthy attacks.

EDR Credential Dumping Detection

detecting-t1003-credential-dumping-with-edr

mukul975/Anthropic-Cybersecurity-Skills

Detects credential dumping T1003 activity by correlating EDR telemetry, Sysmon process access, and Windows security events to flag suspicious LSASS, SAM, NTDS, and cached credential access, guiding SOCs through containment and lateral movement analysis.

Sysmon Injection Detection

detecting-t1055-process-injection-with-sysmon

mukul975/Anthropic-Cybersecurity-Skills

Detects MITRE T1055 process injection techniques by correlating Sysmon events for remote thread creation, suspicious process access, anomalous DLL loading, and process hollowing to validate detections and feed SIEM alerts in threat-hunting workflows.

WMI Persistence Detection

detecting-wmi-persistence

mukul975/Anthropic-Cybersecurity-Skills

Detect WMI subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious filters, consumers, and bindings, enabling threat hunters to validate telemetry, prioritize follow-up, and remediate attacker persistence.

Language