
detecting-kerberoasting-attacks

by mukul975

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it in SIEM, EDR, EVTX, and Threat Modeling workflows; it ships practical detection templates and tuning guidance.

Added: May 9, 2026
Category: Threat Modeling
Install command: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-kerberoasting-attacks
Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who want a focused Kerberoasting detection workflow. The repository provides enough concrete detection logic, data-source guidance, and reusable hunting artifacts to justify installation, though users should still expect some adaptation to their SIEM/EDR environment.

Strengths
  • Specific trigger and use case: proactive hunting for Kerberoasting via Event 4769/TGS monitoring and ATT&CK T1558.003 mapping.
  • Operational support is real, with a workflow section, Splunk SPL and KQL examples, and an EVTX parsing script for Event 4769 analysis.
  • Good supporting references and template assets: standards, workflows, API examples, and a hunt template reduce guesswork for an agent.
Cautions
  • The main SKILL.md excerpt is somewhat broad and the workflow is split across references, so a user may need to read multiple files to execute it well.
  • No install command or packaged entrypoint is provided, so adoption depends on the user wiring the scripts and log sources themselves.
Overview

Overview of detecting-kerberoasting-attacks skill

What this skill does

The detecting-kerberoasting-attacks skill helps you hunt for Kerberoasting by spotting suspicious Kerberos TGS activity, weak ticket encryption, and related service-account patterns. It is best for defenders who need a practical way to detect T1558.003 activity in SIEM, EDR, or EVTX-based workflows.

Who should use it

Use the detecting-kerberoasting-attacks skill if you are a threat hunter, SOC analyst, incident responder, or purple teamer validating whether your logs can surface Kerberoasting. It is especially useful when you already have Windows security telemetry and want a focused hunting workflow instead of a generic ATT&CK prompt.

Why it is worth installing

The main value is the detection workflow: the repo includes hunt templates, event-field references, and example queries that reduce guesswork. That makes Threat Modeling and detection engineering with detecting-kerberoasting-attacks more actionable than starting from an empty prompt, especially if you need to map inputs to Event ID 4769 and related correlation points.

How to Use detecting-kerberoasting-attacks skill

Install and open the right files first

Install with npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-kerberoasting-attacks. After installation, read SKILL.md first, then references/workflows.md, references/api-reference.md, and assets/template.md. If you want implementation details, inspect scripts/agent.py and scripts/process.py to see what fields and patterns the skill expects.

Turn a vague hunt into a usable prompt

For strong detecting-kerberoasting-attacks usage, give the skill the environment, data source, and hunt goal up front. For example: “Hunt for Kerberoasting in Microsoft Sentinel using Windows Security Event 4769, focus on RC4 tickets, exclude machine accounts, and return a short triage query plus false-positive notes.” That is much better than “detect Kerberoasting,” because it tells the skill what telemetry is available and what output you want.

What input quality matters most

The skill works best when you provide:

  • Log platform and format: Splunk, Sentinel, Elastic, EVTX, CSV, or JSON
  • Relevant event IDs: especially 4769 and any correlated logon events
  • Environment exceptions: service accounts, machine-account naming, known admin tools
  • Time window and threshold preferences: for example, 5 minutes, 10 SPNs, or RC4-only
  • Desired output: query, hunt plan, investigation checklist, or triage summary

Practical workflow for better results

Start by asking the skill to identify detection logic, then ask for a query tuned to your platform, then ask for tuning guidance. If you already have a sample event, include it. When deciding whether to install detecting-kerberoasting-attacks, note that the repo is strongest when you use it as a hunting template and detection reference, not as a one-click detector.

detecting-kerberoasting-attacks skill FAQ

Is this only for Kerberoasting?

Yes, the detecting-kerberoasting-attacks skill is narrowly centered on Kerberoasting and closely related Kerberos abuse patterns. It is not a general credential-theft or AD security skill, so use it when T1558.003 is the actual question you need to answer.

Do I need a SIEM to use it?

No, but you do need some usable Windows telemetry. The skill is most effective with Windows Security logs, Sysmon, or exported EVTX data. If you only have high-level alerts and no event detail, the output will be much less specific.

How is this different from a normal prompt?

A normal prompt often returns generic advice. This skill gives you a repeatable hunting structure, example query shapes, and the field-level context needed for detection work. That makes it more useful in operational environments where false positives and log coverage matter.

Is it beginner-friendly?

Yes, if you already know basic Windows logging concepts. If you are new to Kerberos, expect to spend a little time understanding Event 4769, ticket encryption types, and service-account behavior. The skill is a better fit when you want guided execution, not a full Kerberos course.

How to Improve detecting-kerberoasting-attacks skill

Provide concrete log context

The biggest quality jump comes from giving the skill real telemetry details: sample 4769 fields, your SIEM schema, and any exclusions you already use. If you can paste one or two representative events, the detecting-kerberoasting-attacks skill can produce tighter queries and better false-positive handling.

Ask for environment-specific tuning

Kerberoasting detections break when the skill is forced to stay generic. Tell it whether your domain still uses RC4, which service accounts are noisy, and whether you want strict or broad hunting thresholds. When using detecting-kerberoasting-attacks for Threat Modeling, also specify the business systems and account classes that would matter most if abused.

Watch for common failure modes

The most common mistakes are over-alerting on legitimate service traffic, ignoring machine-account filters, and treating every RC4 (encryption type 0x17) ticket request as malicious. Improve the output by asking for exclusions, correlation ideas, and validation steps. If your first result is too broad, ask the skill to narrow on the number of unique SPNs requested per account, source IP clustering, or a shorter time window.
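An added example (not code from the skill's repository) of the narrowing logic described above and of the threshold inputs listed under "What input quality matters most": exclude machine accounts, keep RC4 (0x17) requests, then cluster by requesting account and source IP over a short window and count distinct SPNs. Field names follow Event 4769 (TargetUserName, IpAddress, ServiceName, TicketEncryptionType); the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event 4769 fields (not real telemetry). Tuple layout:
# (TimeCreated, TargetUserName = requesting account, IpAddress = client,
#  ServiceName = service account the SPN belongs to, TicketEncryptionType)
SAMPLE_4769 = [
    ("2026-05-09T10:00:%02d" % (i * 5), "alice@CORP", "10.1.1.20", "svc_app%02d" % i, "0x17")
    for i in range(12)  # one client asking for 12 distinct RC4 service tickets in under a minute
] + [
    ("2026-05-09T10:01:00", "bob@CORP", "10.1.1.21", "svc_sql01", "0x17"),     # ordinary use
    ("2026-05-09T10:01:30", "bob@CORP", "10.1.1.21", "svc_web01", "0x12"),     # AES ticket
    ("2026-05-09T10:02:00", "WS01$@CORP", "10.1.1.30", "svc_app00", "0x17"),   # machine-account requester
] + [
    ("2026-05-09T10:03:%02d" % i, "carol@CORP", "10.1.1.22", "FS%02d$" % i, "0x17")
    for i in range(15)  # many tickets, but all for computer accounts (trailing $)
]


def is_excluded_service(service_name):
    """Tickets for computer accounts (trailing $) and krbtgt are noisy and not Kerberoasting targets."""
    return service_name.endswith("$") or service_name.lower() == "krbtgt"


def hunt_kerberoasting(events, window=timedelta(minutes=5), min_spns=10, rc4_only=True):
    """Flag (account, source IP) pairs that requested >= min_spns distinct service
    tickets inside `window`. Grouping by source IP clusters one host's enumeration
    into a single finding; rc4_only keeps encryption type 0x17 requests only."""
    buckets = defaultdict(list)
    for ts, user, ip, service, etype in events:
        if rc4_only and etype.lower() != "0x17":
            continue
        requester = user.split("@")[0]
        if requester.endswith("$") or is_excluded_service(service):
            continue  # machine-account filters: requester or target is a computer account
        buckets[(user, ip)].append((datetime.fromisoformat(ts), service))
    findings = []
    for (user, ip), reqs in buckets.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                findings.append({"account": user, "ip": ip, "distinct_spns": len(spns),
                                 "window_start": start.isoformat()})
                break  # one finding per requester is enough for triage
    return findings


if __name__ == "__main__":
    for f in hunt_kerberoasting(SAMPLE_4769):
        print(f)
```

Lowering min_spns or setting rc4_only=False widens the hunt to AES-only domains, at the cost of more ordinary multi-service users surfacing.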

Iterate with evidence, not just opinions

After the first output, feed back what your query returned: event volume, false positives, and any suspicious accounts or hosts. Then ask for a revised threshold, a second-pass triage query, or a hunt template using the repository’s assets/template.md. That loop usually matters more than rewriting the original prompt.
