Skill UI

A comprehensive guide and workflow for investigating compromised Docker containers. This tool assists digital forensic experts in analyzing layers, volumes, logs, runtime artifacts, and host configurations to identify malicious activity, privilege escalation attempts, and system breaches during incident response.

This skill guides users through analyzing suspicious URLs using the URLScan.io platform or API. It provides a safe environment to capture screenshots, DOM content, network traffic, and analyze JavaScript behavior to investigate phishing attempts, credential harvesting, and sophisticated malicious redirects without risking the analyst's system.

This tool parses NetFlow v9 and IPFIX records to conduct deep network security analysis. It is crucial for investigating security incidents by building traffic baselines and applying statistical methods. Key detection capabilities include identifying port scanning, data exfiltration attempts, command and control (C2) beaconing patterns, and general volumetric anomalies in network traffic.

This comprehensive toolkit provides deep static analysis capabilities for suspicious PDF documents. Using tools like PDFiD, pdf-parser, and peepdf, it identifies embedded malicious structures—including JavaScript code, shellcode, auto-actions, and exploit kits—without opening or rendering the file. It is essential for security analysts conducting threat triage, forensic investigation, and assessing potential attack vectors from suspicious attachments.

This guide details the comprehensive workflow for conducting memory forensics using Volatility 3. It covers the entire incident response lifecycle, from acquiring raw RAM dumps to analyzing processes, detecting rootkits, investigating network connections, and extracting sensitive artifacts like credentials and injected code. Essential for live memory analysis in cybersecurity investigations.

This skill guides the advanced configuration of Windows Event Logging using Group Policy Objects (GPO) and advanced audit policies. It enables high-fidelity logging for critical security events, including process creation (Event 4688), logon/logoff activities, and object access. The process covers optimizing log sizes and implementing Windows Event Forwarding (WEF) to centralize data into SIEM platforms for effective threat detection and forensic investigation.

This skill guides SOC analysts and detection engineers on how to correlate complex, multi-stage attacks within the IBM QRadar SIEM platform. It covers advanced usage of AQL (Ariel Query Language) for deep event investigation, building custom correlation rules (Building Blocks and Offenses), and cross-source data correlation (e.g., auth failures with network flows). It is essential for reducing false positives and improving threat detection accuracy.

A comprehensive guide for security professionals on detecting and preventing ARP spoofing and poisoning attacks. The skill covers multiple layers of defense, including implementing Dynamic ARP Inspection (DAI) on managed switches, utilizing ARPWatch for continuous monitoring, performing deep packet inspection with Wireshark, and developing custom Python scripts for real-time anomaly detection. Essential for mitigating Man-in-the-Middle (MitM) attacks at Layer 2.

This skill detects unauthorized modifications (container drift) to running containers by monitoring for deviations from the original image state. It monitors binary execution drift, file system changes, and configuration deviations using tools like Falco and Kubernetes security contexts. Essential for SOC analysts and security teams investigating runtime compromises and enforcing immutable infrastructure.

This skill provides comprehensive detection methods for credential dumping techniques, a critical post-exploitation phase in cyber attacks. It targets the extraction of sensitive credentials from LSASS memory, SAM registry hives, and NTDS.dit using advanced security visibility. Detection relies on analyzing Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and complex SIEM correlation rules, making it essential for SOC analysts and threat hunters investigating advanced persistent threats (APTs).

This skill outlines a comprehensive methodology for detecting compromised email accounts in Microsoft 365 and Google Workspace. It analyzes critical indicators such as unauthorized inbox rule creation (e.g., forwarding rules, deletion rules), suspicious sign-in locations (impossible travel), and unusual API access patterns using Microsoft Graph and Unified Audit Logs. It is essential for threat hunting and incident response (IR) to mitigate Business Email Compromise (BEC) and account takeover.

This guide details advanced threat hunting techniques to proactively detect Mimikatz execution. It focuses on identifying command-line patterns, unauthorized access to LSASS memory, binary indicators, and known credential dumping techniques (e.g., DCSync, Golden Tickets). Ideal for security analysts, threat hunters, and incident response teams during proactive assessments or active compromise investigation.