Skill UI

This tool parses NetFlow v9 and IPFIX records to conduct deep network security analysis. It is crucial for investigating security incidents by building traffic baselines and applying statistical methods. Key detection capabilities include identifying port scanning, data exfiltration attempts, command and control (C2) beaconing patterns, and general volumetric anomalies in network traffic.

A comprehensive guide for analyzing PCAP files captured during malware execution. It demonstrates advanced techniques using Wireshark, Zeek, Suricata, and Python (scapy) to identify Command and Control (C2) communications, data exfiltration channels, Domain Generation Algorithms (DGA), and periodic beaconing patterns. Essential for malware reverse engineering and network threat detection.

A comprehensive guide for deep packet inspection and network forensics using Wireshark and tshark. This skill is critical for incident response, where it allows users to capture, filter, and analyze network packet data to identify malicious command-and-control traffic, diagnose complex protocol issues, extract indicators of compromise (IOCs), and reconstruct data exfiltration paths. Use it for validating security rules and understanding network anomalies.

This comprehensive skill analyzes Zeek conn.log and NetFlow data to proactively detect advanced indicators of ransomware activity. It identifies critical threats such as Command and Control (C2) beaconing patterns, connections to TOR exit nodes, large-scale data exfiltration flows, and suspicious DNS anomalies. It is essential for threat hunting and complex security incident response.

This comprehensive guide outlines how to plan and execute a full-scope red team engagement. It simulates real-world Advanced Persistent Threat (APT) behavior, covering the entire cyber kill chain from initial reconnaissance (OSINT) through lateral movement, credential harvesting, and data exfiltration. It utilizes MITRE ATT&CK frameworks to rigorously test an organization's detection, prevention, and incident response capabilities.

A comprehensive guide and workflow for detecting unauthorized data exfiltration from AWS S3 buckets. It details how to leverage multiple AWS services—including CloudTrail, GuardDuty, Amazon Macie, and Athena—to analyze access patterns, identify bulk downloads, and detect cross-account data transfers, ensuring robust cloud compliance and security monitoring.

A comprehensive guide and detection methodology for identifying covert communication channels utilizing DNS records. This technique analyzes Zeek dns.log for indicators such as high-entropy subdomains, excessive query volume, unusually long query lengths, and abnormal record type distributions, which suggest data exfiltration or Command and Control (C2) activity.

A proactive methodology for detecting signs of compromise by analyzing outbound network traffic. This technique focuses on identifying anomalous patterns, such as connections to rare destinations, non-standard ports (T1571), or unusual connection frequencies, which often indicate Command and Control (C2) activity or data exfiltration.

This skill guides the deployment and configuration of Data Loss Prevention (DLP) controls directly on endpoints. It detects and prevents the unauthorized exfiltration of sensitive data (PII, PHI, PCI) via common vectors like email, USB drives, cloud storage uploads, and printing. Use this when establishing compliance policies (HIPAA, GDPR) or securing data against internal data movement risks.

This skill provides a comprehensive guide to implementing robust USB device control policies. It restricts unauthorized removable media access to mitigate data exfiltration risks and prevent malware introduction via USB endpoints. Learn how to deploy granular policies using Group Policy Objects (GPO), Microsoft Intune, or advanced Endpoint Detection and Response (EDR) platforms to meet strict compliance standards.

This guide details how to implement NextDNS as a zero-trust DNS filtering layer. By utilizing encrypted resolution (DoH/DoT) and real-time threat intelligence, it blocks malicious domains, prevents data exfiltration, filters ads/trackers, and enforces granular security policies across all endpoints, aligning with Zero Trust principles and enhancing overall network security.

This guide outlines the implementation of Remote Browser Isolation (RBI) as a core component of a Zero Trust architecture. It details policies for URL risk classification, Data Loss Prevention (DLP) controls, and Content Disarm and Reconstruction (CDR). This is essential for hardening web access, protecting against zero-day exploits, phishing, and preventing data exfiltration from untrusted web content.