Skill UI

This skill outlines a comprehensive methodology for detecting compromised email accounts in Microsoft 365 and Google Workspace. It analyzes critical indicators such as unauthorized inbox rule creation (e.g., forwarding rules, deletion rules), suspicious sign-in locations (impossible travel), and unusual API access patterns using Microsoft Graph and Unified Audit Logs. It is essential for threat hunting and incident response (IR) to mitigate Business Email Compromise (BEC) and account takeover.

This skill provides structured methods for detecting credential stuffing attacks by analyzing authentication logs. It focuses on identifying complex patterns such as login velocity anomalies, high IP diversity, password spray techniques, and suspicious geographical distributions of failed logins. It is essential for SOC analysts conducting threat hunting or building robust detection rules against account takeover attempts.

EvilGinx3 is an advanced Adversary-in-the-Middle (AiTM) framework designed for red teaming simulations. It goes beyond traditional credential harvesting by acting as a transparent proxy to intercept the entire authentication flow, including session cookies and Multi-Factor Authentication (MFA) tokens. This capability allows security professionals to assess the robustness of an organization's security posture against sophisticated account takeover attacks.

An expert playbook detailing advanced attacks against JWT and OAuth 2.0 tokens. Covers cryptographic weaknesses like alg:none, key confusion (RS256 to HS256), and header injection (kid, jku). It also addresses critical OAuth flow abuses, such as missing state parameters, account takeover, and token leakage, essential for robust application security testing.

This framework provides comprehensive detection capabilities for compromised cloud credentials across major platforms including AWS, Azure, and GCP. It analyzes critical threat indicators such as anomalous API activity, impossible travel patterns (impossible login locations), and unauthorized resource provisioning. Designed for incident response, security monitoring, and building robust detection rules to mitigate account takeover and credential abuse.

Builds comprehensive identity governance and lifecycle management processes. Automates the entire employee journey (Joiner, Mover, Leaver) from the authoritative HR source of truth. This process handles role-based access provisioning, access request workflows, periodic recertification, and remediation of orphaned accounts, ensuring continuous compliance with standards like SOX and GDPR.

This guide details the forensic process of extracting sensitive credentials, including password hashes, Kerberos tickets, and authentication tokens, from memory dumps. Utilizing industry-standard tools like Volatility and Mimikatz, this technique is crucial for incident response, determining the scope of a breach, and identifying compromised accounts during digital forensics investigations.

A comprehensive guide detailing the structured process for responding to phishing incidents. It covers email header analysis, malicious content sandboxing (URLs/attachments), scoping the impact across the organization, and performing thorough remediation, including mailbox purging and credential reset.

A comprehensive guide covering the end-to-end configuration of SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill details configuring authentication flows (SP/IdP initiated), attribute mapping, secure certificate management, and implementing advanced security hardening like SHA-256 signatures and AES-256 encryption for robust, enterprise-grade access control.