detecting-evasion-techniques-in-endpoint-logs

Featured

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Evasion Techniques in Endpoint Logs

## When to Use

Use this skill when:

- Hunting for adversary defense evasion techniques (MITRE ATT&CK TA0005) in endpoint telemetry
- Building detection rules for common evasion methods (process injection, timestomping, log clearing)
- Investigating incidents where adversaries disabled or bypassed security tools
- Analyzing endpoint logs for indicators of living-off-the-land binary (LOLBin) abuse

**Do not use** this skill for network-level evasion (use network traffic analysis) or for malware reverse engineering.

## Prerequisites

- Sysmon installed and configured with comprehensive logging rules (SwiftOnSecurity or Olaf Hartong config)
- Windows Security Event Log with advanced audit policy enabled
- EDR telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
- SIEM platform for log correlation (Splunk, Elastic, Sentinel)
- MITRE ATT&CK Enterprise matrix for technique reference

## Workflow

### Step 1: Detect Log Tampering (T1070)

**Windows Event Log clearing (T1070.001)**:

```
# Sysmon Event ID 1 (Process Create) for wevtutil
EventID: 1
CommandLine contains: "wevtutil cl" OR "wevtutil clear-log"

# Security Event ID 1102 - Audit log was cleared
EventID: 1102
Source: Microsoft-Windows-Eventlog

# System Event ID 104 - Event log was cleared
EventID: 104

# PowerShell log clearing
EventID: 1 (Sysmon)
CommandLine contains: "Clear-EventLog" OR "Remove-EventLog"

# Splunk query:
index=windows (EventCode=1102 OR Ev...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-fileless-attacks-on-endpoints

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-malware-sandbox-evasion-techniques

Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports

12,642 Updated today
mukul975
AI & Automation Featured

detecting-privilege-escalation-attempts

Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-credential-dumping-techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

12,642 Updated today
mukul975