hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
Best use case
hunting-for-spearphishing-indicators is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
Teams using hunting-for-spearphishing-indicators should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/hunting-for-spearphishing-indicators/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How hunting-for-spearphishing-indicators Compares
| Feature / Agent | hunting-for-spearphishing-indicators | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Hunting For Spearphishing Indicators ## When to Use - When proactively hunting for indicators of hunting for spearphishing indicators in the environment - After threat intelligence indicates active campaigns using these techniques - During incident response to scope compromise related to these techniques - When EDR or SIEM alerts trigger on related indicators - During periodic security assessments and purple team exercises ## Prerequisites - EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne) - SIEM with relevant log data ingested (Splunk, Elastic, Sentinel) - Sysmon deployed with comprehensive configuration - Windows Security Event Log forwarding enabled - Threat intelligence feeds for IOC correlation ## Workflow 1. **Formulate Hypothesis**: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis. 2. **Identify Data Sources**: Determine which logs and telemetry are needed to validate or refute the hypothesis. 3. **Execute Queries**: Run detection queries against SIEM and EDR platforms to collect relevant events. 4. **Analyze Results**: Examine query results for anomalies, correlating across multiple data sources. 5. **Validate Findings**: Distinguish true positives from false positives through contextual analysis. 6. **Correlate Activity**: Link findings to broader attack chains and threat actor TTPs. 7. **Document and Report**: Record findings, update detection rules, and recommend response actions. ## Key Concepts | Concept | Description | |---------|-------------| | T1566.001 | Spearphishing Attachment | | T1566.002 | Spearphishing Link | | T1566.003 | Spearphishing via Service | ## Tools & Systems | Tool | Purpose | |------|---------| | CrowdStrike Falcon | EDR telemetry and threat detection | | Microsoft Defender for Endpoint | Advanced hunting with KQL | | Splunk Enterprise | SIEM log analysis with SPL queries | | Elastic Security | Detection rules and investigation timeline | | Sysmon | Detailed Windows event monitoring | | Velociraptor | Endpoint artifact collection and hunting | | Sigma Rules | Cross-platform detection rule format | ## Common Scenarios 1. **Scenario 1**: Macro-enabled Excel executing PowerShell downloader 2. **Scenario 2**: HTML smuggling delivering ISO with LNK payload 3. **Scenario 3**: Credential harvesting link as SharePoint notification 4. **Scenario 4**: QR code phishing in PDF attachment ## Output Format ``` Hunt ID: TH-HUNTIN-[DATE]-[SEQ] Technique: T1566.001 Host: [Hostname] User: [Account context] Evidence: [Log entries, process trees, network data] Risk Level: [Critical/High/Medium/Low] Confidence: [High/Medium/Low] Recommended Action: [Containment, investigation, monitoring] ```
Related Skills
performing-threat-hunting-with-yara-rules
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
performing-threat-hunting-with-elastic-siem
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
investigating-insider-threat-indicators
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines for potential insider threats.
hunting-for-webshell-activity
Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.
hunting-for-unusual-service-installations
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.
hunting-for-unusual-network-connections
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.
hunting-for-t1098-account-manipulation
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs.
hunting-for-suspicious-scheduled-tasks
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.
hunting-for-supply-chain-compromise
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts.
hunting-for-startup-folder-persistence
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
hunting-for-registry-run-key-persistence
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.
hunting-for-registry-persistence-mechanisms
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.