Skill UI

This skill provides advanced runtime security rules using Falco, a CNCF-graduated tool. It monitors Linux syscalls to detect container escape attempts in real-time, identifying techniques such as mounting host filesystems, unauthorized namespace access (nsenter), and privileged container launches. It is crucial for SOC analysts and security teams enhancing cloud-native security coverage.

This skill provides comprehensive detection methods for credential dumping techniques, a critical post-exploitation phase in cyber attacks. It targets the extraction of sensitive credentials from LSASS memory, SAM registry hives, and NTDS.dit using advanced security visibility. Detection relies on analyzing Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and complex SIEM correlation rules, making it essential for SOC analysts and threat hunters investigating advanced persistent threats (APTs).

This skill outlines a comprehensive methodology for detecting compromised email accounts in Microsoft 365 and Google Workspace. It analyzes critical indicators such as unauthorized inbox rule creation (e.g., forwarding rules, deletion rules), suspicious sign-in locations (impossible travel), and unusual API access patterns using Microsoft Graph and Unified Audit Logs. It is essential for threat hunting and incident response (IR) to mitigate Business Email Compromise (BEC) and account takeover.

This guide details advanced threat hunting techniques to proactively detect Mimikatz execution. It focuses on identifying command-line patterns, unauthorized access to LSASS memory, binary indicators, and known credential dumping techniques (e.g., DCSync, Golden Tickets). Ideal for security analysts, threat hunters, and incident response teams during proactive assessments or active compromise investigation.

This tool provides a comprehensive security audit framework for Azure Storage accounts. It systematically detects critical misconfigurations, such as publicly accessible blob containers, weak encryption settings, overly permissive network access rules, and missing logging. Use it when performing compliance checks, responding to security incidents, or establishing storage security baselines in Azure environments.

This skill provides comprehensive anomaly detection for Modbus/TCP and Modbus RTU traffic in Operational Technology (OT) and Industrial Control Systems (ICS). It monitors function codes, validates register access, analyzes timing, and detects unauthorized clients. By utilizing advanced tools like Zeek, Suricata, and custom Python models, it helps establish behavioral baselines and identify potential cyber threats.

This guide details methods for detecting and mitigating OAuth token theft and replay attacks in cloud environments, specifically targeting Microsoft Entra ID (Azure AD). It covers protection against access token theft, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Users can leverage Conditional Access and Token Protection features to cryptographically bind tokens to devices, significantly enhancing cloud identity security and preventing session hijacking.

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

A comprehensive guide and workflow for detecting unauthorized data exfiltration from AWS S3 buckets. It details how to leverage multiple AWS services—including CloudTrail, GuardDuty, Amazon Macie, and Athena—to analyze access patterns, identify bulk downloads, and detect cross-account data transfers, ensuring robust cloud compliance and security monitoring.

This skill provides a methodology for proactive threat hunting to detect compromised service accounts. It focuses on identifying anomalous activities such as unusual interactive logons, unauthorized privilege escalation, lateral movement, and suspicious access patterns using SIEM/EDR platforms. Essential for incident response and compliance.

This skill addresses advanced threat detection for critical infrastructure (OT/ICS). It monitors sophisticated, multi-stage cyber-physical attacks, focusing specifically on PLC logic integrity monitoring, detecting unauthorized modifications, and analyzing process anomalies. It covers the entire attack chain, from initial USB-borne access (IT) to process manipulation (OT).

A comprehensive guide and set of detection rules for identifying OS credential dumping techniques (MITRE T1003). It leverages EDR telemetry, Sysmon process access monitoring, and Windows security event correlation to detect attacks targeting LSASS memory, SAM databases, and NTDS.dit files. Essential for proactive threat hunting and incident response.