
detecting-pass-the-hash-attacks

by mukul975

detecting-pass-the-hash-attacks skill for hunting NTLM-based lateral movement, suspicious Type 3 logons, and T1550.002 activity with Windows Security logs, Splunk, and KQL.

Stars: 0
Favorites: 0
Comments: 0
Added: May 11, 2026
Category: Threat Hunting
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-pass-the-hash-attacks
Curation Score: 78/100

This skill scores 78/100, which means it is a solid listing candidate for users who want a ready-made Pass-the-Hash hunting workflow. The repository provides enough operational structure, sample detections, and supporting scripts that an agent can trigger and execute with less guesswork than a generic prompt, though some adoption details are still thin.
Strengths
  • Strong workflow signals: clear when-to-use guidance, prerequisites, and a multi-phase hunting workflow for proactive detection and incident response.
  • Good agent leverage: includes detection logic and concrete examples in Splunk SPL, KQL, and Python/EVTX-oriented scripts.
  • Helpful supporting references: standards, API notes, and a hunt template improve reuse and make the skill easier to operationalize.
Cautions
  • Install command is missing in SKILL.md, so users may need to infer setup steps and runtime dependencies from scripts and references.
  • The excerpted workflow looks detection-focused rather than end-to-end, so users should expect to adapt queries and baselines to their own telemetry and environment.
Overview

Overview of detecting-pass-the-hash-attacks skill

What this skill does

The detecting-pass-the-hash-attacks skill helps you hunt for NTLM-based lateral movement by focusing on Windows authentication patterns that often indicate Pass-the-Hash activity, chiefly Security Event ID 4624 network logons (Logon Type 3) authenticated with the NTLM package. It is built for defenders who need a practical hunting workflow, not a theory-heavy ATT&CK recap.

Best-fit users and use cases

Use it if you are a threat hunter, SOC analyst, or incident responder trying to confirm suspicious Type 3 logons, map likely T1550.002 activity, or turn raw Security logs into a defensible lead. It is especially useful for proactive threat hunting when you already have Windows telemetry and need better triage, correlation, and hunt structure.

What makes it different

This repo is not just a prompt wrapper: it includes hunt templates, detection logic, standards, and executable helper scripts. That means the skill can support both analyst workflow and detection engineering, which matters when you want repeatable results instead of one-off narrative output.

How to Use detecting-pass-the-hash-attacks skill

Install and inspect the repo first

To install, use the npx skills add command listed above (or the package's normal skill-add flow), then read SKILL.md before anything else. After that, inspect references/workflows.md, references/api-reference.md, references/standards.md, and assets/template.md so you understand the hunt model, the event fields the skill expects, and the output format it is designed to produce.

Give the skill the right input

The skill works best when your prompt includes the data source, the platform, and the investigation goal. A weak ask is “find Pass-the-Hash.” A stronger prompt is: “Analyze Windows Security Event 4624 and Sysmon data for Logon Type 3 logons with Authentication Package NTLM from one source IP to multiple target hosts, identify likely T1550.002 activity, and return hunt notes plus a Splunk or KQL query I can run.”

Suggested workflow

Start with a hypothesis, then specify scope: time window, user population, domain, and log sources. If you have an alert, include the triggering indicator and ask the skill to correlate it with NTLM logon behavior, privileged account use, or LSASS-related compromise signals. If you are building a detection, ask for the query, the false-positive filters, and the fields needed for validation.

Files and paths worth reading

Read assets/template.md to see the hunting worksheet the skill expects you to fill. Use references/api-reference.md for the exact fields that matter in Event ID 4624, and references/workflows.md for the Splunk and KQL patterns that shape the hunt. If you want to operationalize the output, inspect scripts/agent.py and scripts/process.py to understand how the repo normalizes events and filters obvious noise.

detecting-pass-the-hash-attacks skill FAQ

Is this only for Windows incident response?

No. The strongest fit is Windows authentication telemetry, but the skill is also useful during proactive hunts, purple team validation, and detection tuning. If your environment does not forward Security logs or NTLM-related events, detecting-pass-the-hash-attacks will be less effective.

How is this different from a generic prompt?

A generic prompt can describe Pass-the-Hash, but this skill is structured around concrete hunt inputs: Event ID 4624, Logon Type 3, NTLM, source-to-target fan-out, and correlation context. That makes installing the skill worthwhile when you want faster, more consistent output and less guesswork about what evidence matters.

Do I need to be a beginner or an expert?

Beginners can use it if they can name the data source and the investigation goal. More experienced users will get better results because they can specify platform syntax, baseline assumptions, and exclusion rules. The skill is most valuable when you already know enough to ask for a precise hunt rather than a broad explanation.

When should I not use it?

Do not use it as a replacement for missing telemetry, and do not expect it to confirm compromise from a single NTLM logon alone. If you only have partial logs, no source IP, or no destination context, the skill may produce noisy leads. In those cases, start by improving collection before relying on the skill's output.

How to Improve detecting-pass-the-hash-attacks skill

Feed it stronger evidence

The biggest quality jump comes from including exact fields: EventID, LogonType, AuthenticationPackageName, LogonProcessName, TargetUserName, IpAddress, WorkstationName, Computer, and time range. If you have a known-good baseline, say so. If you suspect a lateral movement path, include source host, target host set, and whether privileged accounts were involved.

Ask for output that matches the task

If you need a hunt, ask for hypotheses, queries, and validation steps. If you need detection content, ask for a concise rule and tuning notes. If you need an investigation, ask for lead prioritization and correlation logic. This matters because results improve when the prompt names the intended deliverable instead of asking for “analysis” in general.

Watch for common failure modes

The main risk is overcalling benign NTLM use as malicious; NTLM network logons from service accounts, file servers, and legacy applications are routine in most domains. Another common miss is failing to exclude machine accounts (TargetUserName ending in $), ANONYMOUS LOGON, local loopback addresses, and known management hosts such as patching or jump servers. Improve the skill by explicitly telling it what to exclude, what baseline window to use, and how many distinct target systems from one source should trigger suspicion.
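As an added worked example (not code from the skill repository or from mukul975), here is the source-to-target fan-out check that the prompt guidance, the field list, and the failure modes above describe, written in Python over constructed 4624-style records. The field names match the EventData names the page lists; the sample events, the allowlist of management hosts, the 10-minute window, and the threshold of three distinct targets are all assumptions chosen for illustration, and a real hunt would read these records from EVTX or a SIEM export.

```python
"""Hunt NTLM Type 3 logon fan-out in Security 4624 records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, ip, computer, pkg="NTLM", logon_type=3, event_id=4624):
    """Build a minimal 4624-style record using the EventData field names."""
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "AuthenticationPackageName": pkg, "TargetUserName": user,
            "IpAddress": ip, "Computer": computer}


# Constructed sample telemetry (not real logs). One source fans out to four
# servers, plus the noise sources a hunt has to filter before counting.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:01", "svc_backup", "10.0.5.23", "SRV-FS01"),
    ev("2025-01-10T09:00:40", "svc_backup", "10.0.5.23", "SRV-SQL02"),
    ev("2025-01-10T09:01:15", "svc_backup", "10.0.5.23", "SRV-WEB03"),
    ev("2025-01-10T09:02:50", "svc_backup", "10.0.5.23", "DC01"),
    ev("2025-01-10T09:03:00", "svc_backup", "10.0.5.23", "SRV-FS01"),   # repeat target
    ev("2025-01-10T08:30:00", "svc_backup", "10.0.5.23", "SRV-OLD05"),  # outside the window
    ev("2025-01-10T09:00:10", "WS-042$", "10.0.7.9", "DC01"),            # machine account
    ev("2025-01-10T09:05:00", "admin_patch", "10.0.1.5", "SRV-FS01"),    # known management host
    ev("2025-01-10T09:05:20", "admin_patch", "10.0.1.5", "SRV-SQL02"),
    ev("2025-01-10T09:05:40", "admin_patch", "10.0.1.5", "SRV-WEB03"),
    ev("2025-01-10T09:06:00", "admin_patch", "10.0.1.5", "SRV-APP04"),
    ev("2025-01-10T09:06:10", "jdoe", "10.0.9.12", "SRV-FS01", pkg="Kerberos"),  # not NTLM
    ev("2025-01-10T09:06:30", "jdoe", "10.0.9.12", "SRV-FS01", logon_type=2),    # not a network logon
    ev("2025-01-10T09:07:00", "svc_backup", "127.0.0.1", "SRV-FS01"),            # loopback
]

KNOWN_MANAGEMENT_HOSTS = {"10.0.1.5"}   # assumed allowlist: patching / jump hosts
LOOPBACK = {"127.0.0.1", "::1", "-"}


def is_candidate(event, allowlist=KNOWN_MANAGEMENT_HOSTS):
    """Keep only NTLM network logons by real user accounts from unexpected sources."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if str(event.get("AuthenticationPackageName", "")).upper() != "NTLM":
        return False
    user = str(event.get("TargetUserName", ""))
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return False
    ip = event.get("IpAddress", "-")
    return ip not in LOOPBACK and ip not in allowlist


def fan_out(events, window=timedelta(minutes=10), threshold=3,
            allowlist=KNOWN_MANAGEMENT_HOSTS):
    """Map (IpAddress, TargetUserName) to the largest set of distinct target
    Computers reached inside a sliding `window`, for pairs reaching `threshold`."""
    candidates = sorted((e for e in events if is_candidate(e, allowlist)),
                        key=lambda e: e["TimeCreated"])
    recent = defaultdict(deque)          # key -> (time, Computer) inside the window
    findings = {}
    for event in candidates:
        t = datetime.fromisoformat(event["TimeCreated"])
        key = (event["IpAddress"], event["TargetUserName"])
        q = recent[key]
        q.append((t, event["Computer"]))
        while t - q[0][0] > window:      # drop logons older than the window
            q.popleft()
        targets = {c for _, c in q}
        seen = len(findings.get(key, {}).get("targets", ()))
        if len(targets) >= threshold and len(targets) > seen:
            findings[key] = {"targets": sorted(targets),
                             "first_seen": q[0][0].isoformat(),
                             "last_seen": t.isoformat()}
    return findings


if __name__ == "__main__":
    for (ip, user), hit in fan_out(SAMPLE_EVENTS).items():
        print(f"{ip} as {user}: {len(hit['targets'])} targets "
              f"{hit['first_seen']}..{hit['last_seen']} -> {hit['targets']}")
```

On the sample data only the 10.0.5.23 / svc_backup pair is reported, with four distinct targets in under three minutes; the management host reaches just as many servers but is dropped by the allowlist, which is exactly the exclusion the paragraph above tells you to state explicitly. Lower the threshold or widen the window to trade false positives for recall, and feed the flagged pairs back into the skill for correlation with credential-dumping indicators on the source host.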

Iterate after the first run

Use the first answer to narrow the hunt, then rerun with real findings: a suspicious account, a host pair, a time slice, or a query result set. Ask for refined filters, alternate detections, or a second-pass correlation against credential dumping indicators such as LSASS access on the suspected source host. That is usually the fastest way to turn the skill's output into a usable investigation workflow.

Ratings & Reviews

No ratings yet