Skill UI

This skill detects unauthorized modifications (container drift) to running containers by monitoring for deviations from the original image state. It monitors binary execution drift, file system changes, and configuration deviations using tools like Falco and Kubernetes security contexts. Essential for SOC analysts and security teams investigating runtime compromises and enforcing immutable infrastructure.

This skill provides advanced runtime security rules using Falco, a CNCF-graduated tool. It monitors Linux syscalls to detect container escape attempts in real-time, identifying techniques such as mounting host filesystems, unauthorized namespace access (nsenter), and privileged container launches. It is crucial for SOC analysts and security teams enhancing cloud-native security coverage.

This skill provides comprehensive detection methods for credential dumping techniques, a critical post-exploitation phase in cyber attacks. It targets the extraction of sensitive credentials from LSASS memory, SAM registry hives, and NTDS.dit using advanced security visibility. Detection relies on analyzing Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and complex SIEM correlation rules, making it essential for SOC analysts and threat hunters investigating advanced persistent threats (APTs).

This skill outlines a comprehensive methodology for detecting compromised email accounts in Microsoft 365 and Google Workspace. It analyzes critical indicators such as unauthorized inbox rule creation (e.g., forwarding rules, deletion rules), suspicious sign-in locations (impossible travel), and unusual API access patterns using Microsoft Graph and Unified Audit Logs. It is essential for threat hunting and incident response (IR) to mitigate Business Email Compromise (BEC) and account takeover.

This guide outlines a comprehensive threat hunting methodology for detecting Kerberoasting attacks. It focuses on monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs, which are indicators of brute-force or offline password cracking attempts. Use this workflow during proactive security assessments, incident response, or when analyzing SIEM/EDR telemetry to identify potential lateral movement.

This guide details advanced threat hunting techniques to proactively detect Mimikatz execution. It focuses on identifying command-line patterns, unauthorized access to LSASS memory, binary indicators, and known credential dumping techniques (e.g., DCSync, Golden Tickets). Ideal for security analysts, threat hunters, and incident response teams during proactive assessments or active compromise investigation.

This tool provides a comprehensive security audit framework for Azure Storage accounts. It systematically detects critical misconfigurations, such as publicly accessible blob containers, weak encryption settings, overly permissive network access rules, and missing logging. Use it when performing compliance checks, responding to security incidents, or establishing storage security baselines in Azure environments.

This skill provides comprehensive anomaly detection for Modbus/TCP and Modbus RTU traffic in Operational Technology (OT) and Industrial Control Systems (ICS). It monitors function codes, validates register access, analyzes timing, and detects unauthorized clients. By utilizing advanced tools like Zeek, Suricata, and custom Python models, it helps establish behavioral baselines and identify potential cyber threats.

This guide details advanced methods for detecting and preventing QR code phishing (quishing) attacks. It covers how malicious URLs embedded in images bypass traditional email security filters, requiring multimodal AI, OCR, and robust mobile threat defense solutions. Essential for SOC analysts and security teams.

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

A comprehensive methodology for detecting advanced system compromises, including rootkits, hidden processes, and kernel-level malware. It utilizes memory forensics, cross-view detection (comparing different system views), and integrity checking to identify manipulated kernel structures, hooked system calls (SSDT, IAT, IRP), and covert network connections. Ideal for deep forensic investigations where standard tools fail to reveal the true state of a compromised system.

A comprehensive guide and workflow for detecting unauthorized data exfiltration from AWS S3 buckets. It details how to leverage multiple AWS services—including CloudTrail, GuardDuty, Amazon Macie, and Athena—to analyze access patterns, identify bulk downloads, and detect cross-account data transfers, ensuring robust cloud compliance and security monitoring.