Skill UI

This skill provides comprehensive guidance on detecting post-exploitation credential dumping activities, such as LSASS memory access, SAM registry hive extraction, and NTDS.dit theft. It utilizes advanced log sources, including Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and SIEM correlation rules, to identify suspicious process behaviors and malicious tool usage, mapping these detections to MITRE ATT&CK techniques.

This skill provides a comprehensive workflow for verifying the integrity of a system's boot chain using Trusted Platform Module (TPM 2.0). It covers local validation (event log replay against PCRs) and remote attestation (generating signed, nonce-bound quotes). Use this to detect bootkits, unauthorized firmware changes, or establish device posture for Zero Trust architectures.