agentskills.codes
DE

detecting-mimikatz-execution-patterns

Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory

Install

mkdir -p .claude/skills/detecting-mimikatz-execution-patterns && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16320" && unzip -o skill.zip -d .claude/skills/detecting-mimikatz-execution-patterns && rm skill.zip

Installs to .claude/skills/detecting-mimikatz-execution-patterns

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory
114 charsno explicit “when” trigger

About this skill

Detecting Mimikatz Execution Patterns

When to Use

  • When proactively hunting for indicators of detecting mimikatz execution patterns in the environment
  • After threat intelligence indicates active campaigns using these techniques
  • During incident response to scope compromise related to these techniques
  • When EDR or SIEM alerts trigger on related indicators
  • During periodic security assessments and purple team exercises

Prerequisites

  • EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
  • SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
  • Sysmon deployed with comprehensive configuration
  • Windows Security Event Log forwarding enabled
  • Threat intelligence feeds for IOC correlation

Workflow

  1. Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
  2. Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
  3. Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
  4. Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
  5. Validate Findings: Distinguish true positives from false positives through contextual analysis.
  6. Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
  7. Document and Report: Record findings, update detection rules, and recommend response actions.

Key Concepts

ConceptDescription
T1003.001LSASS Memory
T1003.006DCSync
T1558.003Kerberoasting
T1558.001Golden Ticket

Tools & Systems

ToolPurpose
CrowdStrike FalconEDR telemetry and threat detection
Microsoft Defender for EndpointAdvanced hunting with KQL
Splunk EnterpriseSIEM log analysis with SPL queries
Elastic SecurityDetection rules and investigation timeline
SysmonDetailed Windows event monitoring
VelociraptorEndpoint artifact collection and hunting
Sigma RulesCross-platform detection rule format

Common Scenarios

  1. Scenario 1: Standard sekurlsa::logonpasswords credential dump
  2. Scenario 2: PowerShell Invoke-Mimikatz reflective loading
  3. Scenario 3: DCSync from non-DC host
  4. Scenario 4: Golden ticket creation for persistence

Output Format

Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1003.001
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

zip

aibot88

Compress, extract, list, and encrypt ZIP archives in batch. Use when archiving files, extracting packages, listing contents, encrypting backups, or batching.

00

dev-supabase

aibot88

Backend development with Supabase. Trigger when the user wants to configure auth, the database, or Supabase storage.

00

configure-hooks

aibot88

This skill should be used when the user says "configure hooks", "set up quality gates", "add PostToolUse hook", "set up permission hooks", "create hook configuration", "add typecheck hook", "set up secret-scan hook", or wants to configure event-driven hooks for their Claude Code project. Validates a

00

integration-development

aibot88

Guide for creating new OAuth-based integrations in the Orient codebase. Use when adding external service integrations (APIs like Linear, GitHub, Slack, Notion, etc.), implementing OAuth flows, or creating catalog-based integration manifests. Covers the full integration lifecycle from manifest defini

00

regulatory-compliance

aibot88

Audit codebases for cross-industry regulatory compliance across SOX, GDPR, HIPAA, PCI-DSS, CCPA/CPRA, FedRAMP, FISMA, COPPA, and FERPA. Reviews audit trail completeness (who/what/when/where/why with tamper-evident storage), data retention policies and right-to-erasure workflows, RBAC/ABAC access con

00

karpathy-metric-pre

aibot88

Use this when: red-team my optimization metric, find ways to game my metric, metric pre-mortem, adversarial metric evaluation, gaming vectors for my KPI, what could an agent exploit in my metric, metric failure modes, proxy divergence risk, eval contamination, silent degradation from optimization, m

00

Search skills

Search the agent skills registry