detecting-privilege-escalation-attempts
by mukul975
detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.
This skill scores 84/100 and is a solid directory listing: it gives agents a clear detection purpose, concrete hunting workflow, and usable scripts/references so users can install it with good confidence. Directory users should still note that it is more of a guided hunting/detection package than a turnkey one-command skill, but it offers real operational value beyond a generic prompt.
- Clear trigger and scope for privilege-escalation hunting across Windows and Linux, with when-to-use guidance and prerequisites in SKILL.md
- Strong operational support files: workflow reference, standards mapping, API reference, plus two scripts that show executable detection logic and CLI usage
- Good install-decision value from concrete technique coverage and telemetry mappings, including ATT&CK IDs, event IDs, and example SPL/KQL queries
- No install command in SKILL.md, so adoption requires manual wiring rather than a simple packaged install path
- Some workflow sections are truncated in the repo preview, so users may need to inspect the full files to confirm completeness and fit
Overview of detecting-privilege-escalation-attempts skill
What this skill does
The detecting-privilege-escalation-attempts skill helps hunt for privilege escalation activity across Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. It is most useful for threat hunting teams that need a practical starting point, not just a theory page.
Who should install it
Install the detecting-privilege-escalation-attempts skill if you work in SIEM, EDR, IR, or purple-team operations and need a repeatable way to turn suspicious telemetry into a hunt. It fits analysts who already have process and security logs and want better query structure, technique mapping, and triage cues.
Why it is different
This is not just a generic prompt about escalation. The skill includes hunt structure, ATT&CK-aligned technique coverage, reference queries, and helper scripts, which makes the detecting-privilege-escalation-attempts install decision easier for teams that want something operational. It is strongest when you need a guided threat-hunting workflow rather than a one-off answer.
How to Use detecting-privilege-escalation-attempts skill
Install and inspect the right files first
Use the repo path skills/detecting-privilege-escalation-attempts and start by reading SKILL.md, assets/template.md, references/standards.md, and references/workflows.md. Then inspect references/api-reference.md for concrete detections and scripts/agent.py or scripts/process.py if you want automated log scanning.
Turn a rough idea into a usable prompt
A weak prompt says: “Find privilege escalation.” A stronger prompt says: “Hunt for UAC bypass and service modification attempts in Windows Security and Sysmon logs from the last 7 days; focus on fodhelper.exe, eventvwr.exe, sc config binpath=, and unusual 4672 activity; return hosts, users, timestamps, and likely false positives.” That kind of input improves detecting-privilege-escalation-attempts usage because it tells the skill what telemetry, time range, and technique family matter.
Best workflow for first run
Use the hunt template as your output structure: define hypothesis, target techniques, data sources, queries, findings, and IOC notes. For detecting-privilege-escalation-attempts usage, give the skill one environment at a time—Windows or Linux, then the log source, then the technique—so results stay specific instead of broad and noisy.
Practical fit and constraints
The skill works best when you have Sysmon, Windows Security logs, EDR telemetry, or Linux shell/process visibility. It is less useful if you only have sparse audit logs, no command-line capture, or no baseline for normal admin activity, because privilege escalation signals often depend on context.
detecting-privilege-escalation-attempts skill FAQ
Is this better than a normal prompt?
Yes, when you want repeatable threat-hunting structure. A normal prompt may produce one-off ideas; the detecting-privilege-escalation-attempts skill gives you a clearer path from hypothesis to query to findings, which matters for consistent investigations.
Does it work for beginners?
Beginner-friendly enough if you already understand what logs your stack collects. The main learning curve is not the skill itself, but knowing whether your data source can support the hunt. If you cannot name your EDR, SIEM, or event IDs, the result will be generic.
When should I not use it?
Do not use the detecting-privilege-escalation-attempts skill as a substitute for endpoint hardening, forensic triage, or exploit validation. If the incident is already confirmed and you need containment steps, a response-focused skill is a better fit.
What makes it a good install decision?
The repository includes hunt templates, reference mappings, and scripts, so it is more actionable than a plain markdown checklist. That makes installing detecting-privilege-escalation-attempts worthwhile when your team wants reusable hunting material instead of a one-time answer.
How to Improve detecting-privilege-escalation-attempts skill
Give tighter context up front
The biggest quality boost comes from specifying platform, log source, and technique family. For example: “Windows, Sysmon + Security logs, last 72 hours, hunt for token manipulation and UAC bypass.” That is stronger than “look for escalation,” because it narrows the search space and reduces false positives.
Include concrete indicators and exclusions
If you already know likely admin tools, service names, or sanctioned scripts, list them. For example: “Exclude SCCM maintenance windows, approved sudo -l use by ops, and known eventvwr.exe launches from the software deployment team.” This improves detecting-privilege-escalation-attempts usage by helping the output separate benign admin behavior from abuse.
Ask for output that supports action
Request hosts, users, timestamps, event IDs, command lines, and a short verdict for each hit. If the first answer is too broad, iterate by asking for only one technique at a time, then compare results against references/standards.md and the hunt template to tighten the next pass.
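As an added illustration of the hunt the prompts on this page describe (the indicators named in the example prompt, the exclusions, and the action-ready output fields), here is a small Python scanner that is not part of the skill's own scripts; the events, hosts and allowlists are constructed, and the ATT&CK labels are the standard IDs for UAC bypass and Windows service modification:

```python
import re

# Constructed sample events (not real telemetry). Fields mirror what the
# prompts in the text ask for: host, user, timestamp, event id, command line.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "ts": "2024-05-01T10:02:11", "event_id": 1,
     "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"host": "WS02", "user": "deploy-svc", "ts": "2024-05-01T10:05:00", "event_id": 1,
     "image": r"C:\Windows\System32\eventvwr.exe", "cmdline": "eventvwr.exe"},
    {"host": "WS03", "user": "bob", "ts": "2024-05-01T11:30:45", "event_id": 1,
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc config VulnSvc binpath= "C:\\Users\\Public\\x.exe"'},
    {"host": "WS03", "user": "bob", "ts": "2024-05-01T11:31:02", "event_id": 4672, "image": "", "cmdline": ""},
    {"host": "DC01", "user": "svc-backup", "ts": "2024-04-01T02:00:00", "event_id": 4672, "image": "", "cmdline": ""},
]

# Exclusions of the kind the text recommends (assumed allowlists, adjust per environment):
# sanctioned eventvwr.exe launches and accounts routinely granted special privileges (4672).
KNOWN_EVENTVWR_USERS = {"deploy-svc"}
EXPECTED_4672_USERS = {"svc-backup"}

UAC_BYPASS_IMAGES = {"fodhelper.exe", "eventvwr.exe"}
SC_BINPATH = re.compile(r"\bsc(?:\.exe)?\s+config\b.*\bbinpath=", re.IGNORECASE)


def classify(ev):
    """Map one event to (technique label, verdict), or None if it is not a hit."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["event_id"] == 1 and image in UAC_BYPASS_IMAGES:
        sanctioned = image == "eventvwr.exe" and ev["user"] in KNOWN_EVENTVWR_USERS
        return "T1548.002 UAC bypass candidate", "sanctioned" if sanctioned else "review"
    if ev["event_id"] == 1 and SC_BINPATH.search(ev["cmdline"]):
        return "T1543.003 service binpath change", "review"
    if ev["event_id"] == 4672:
        expected = ev["user"] in EXPECTED_4672_USERS
        return "special privileges assigned (4672)", "expected" if expected else "review"
    return None


def hunt(events, since_iso):
    """Return action-ready findings for events at or after since_iso (ISO-8601 strings compare lexically)."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if ev["ts"] < since_iso or hit is None:
            continue
        technique, verdict = hit
        findings.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                         "event_id": ev["event_id"], "cmdline": ev["cmdline"],
                         "technique": technique, "verdict": verdict})
    return findings
```

Each finding carries the host, user, timestamp, event id, command line and a short verdict, so the allowlisted eventvwr.exe launch surfaces as sanctioned while the sc config binpath= change and the unexpected 4672 stay marked for review.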
