Skill UI

A specialized tool and workflow for investigating supply chain attacks. It helps security analysts analyze compromised software updates, trojanized binaries, and dependency artifacts by comparing legitimate versions against suspect files. Key functions include binary diffing, identifying injected code, and documenting code signing anomalies to determine the scope of a security breach.

This comprehensive forensic workflow guides investigators through the extraction and detailed analysis of Windows Registry hives (SAM, SYSTEM, SOFTWARE, etc.). It is used during incident response to uncover critical artifacts, including user activity history, malware persistence mechanisms (autorun keys), installed software records, and evidence of system compromise.

This skill provides a comprehensive workflow for building vendor-agnostic detection rules using the Sigma format. It empowers security operations center (SOC) engineers to translate raw threat intelligence and MITRE ATT&CK techniques into standardized, portable detection logic. The process guides users through rule validation and conversion into specific queries for major SIEM platforms, including Splunk, Elastic, and Microsoft Sentinel, ensuring robust detection coverage.

This skill details the advanced technique of DCSync, which exploits the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a Domain Controller. It is primarily used in authorized red-teaming and penetration testing to dump sensitive credentials, extract the KRBTGT hash, and ultimately forge Golden Tickets, establishing deep domain persistence. Ideal for security auditors and offensive security professionals.

This skill uses the Python azure-mgmt-storage SDK to perform comprehensive security audits on Azure Blob and ADLS storage accounts. It detects critical misconfigurations, including public access exposure, weak or long-lived SAS tokens, lack of encryption at rest, failure to enforce HTTPS, and outdated TLS versions. The output is a detailed, risk-scored report with remediation recommendations, essential for SOC analysts and security posture management.

This guide provides a comprehensive methodology and technical approach for detecting malicious email forwarding rules. It is crucial for threat hunting, incident response, and proactive security assessments to identify persistent access mechanisms used by adversaries for intelligence collection and Business Email Compromise (BEC) attacks. It outlines necessary prerequisites, workflow steps, and key threat indicators (T1114).

This script detects and analyzes sophisticated fileless malware techniques that operate entirely in system memory. It specializes in identifying threats that utilize Living Off the Land Binaries (LOLBins), WMI event subscriptions, and registry-resident payloads, bypassing traditional file-based security controls. It is ideal for forensic investigations, threat hunting, and building advanced detection rules in modern enterprise environments.

A comprehensive guide and workflow for the post-containment phase of incident response. This process details systematic methods for mapping all persistence mechanisms, identifying malware artifacts, removing threats, resetting compromised credentials, and patching initial access vulnerabilities to ensure complete system eradication.

A comprehensive guide for authorized penetration testing on detecting and exploiting HTTP Request Smuggling vulnerabilities. It details analyzing discrepancies between Content-Length and Transfer-Encoding header parsing in multi-tier architectures (e.g., CDN, reverse proxy, load balancers). Learn techniques to bypass access controls, capture subsequent user requests, and escalate attacks in a controlled environment.

This guide details advanced threat hunting techniques to proactively uncover adversary persistence mechanisms leveraging Windows Management Instrumentation (WMI) event subscriptions. It monitors the creation and binding of WMI events (Filter, Consumer, Binding) to detect malicious, fileless backdoors used by sophisticated threat actors, especially when standard persistence locations are clean.

A detailed methodology for proactive threat hunting focused on identifying deep-seated persistence mechanisms within Windows operating systems. This guide covers advanced techniques such as monitoring Run keys, analyzing Winlogon modifications, detecting IFEO injection, and identifying COM object hijacking. It is crucial for incident response, purple teaming, and ensuring system integrity against advanced persistent threats (APTs).

This guide details a threat hunting technique for detecting persistence mechanisms utilizing Windows Registry Run keys (T1547.001). By analyzing Sysmon Event ID 13 logs, it identifies suspicious auto-start entries pointing to temporary directories, encoded PowerShell commands, or abused LOLBins. Essential for SOC analysts and security engineers investigating incidents and developing robust detection rules.