Skill UI

A specialized threat hunting skill designed to detect remnants of the PowerShell Empire post-exploitation framework. It analyzes Windows event logs (specifically Script Block and Module Logging) for key Indicators of Compromise (IOCs), such as default launcher strings, Base64 encoded payloads, known module signatures (e.g., Mimikatz), and staging URL patterns. The output provides a detailed JSON report, comprehensive timeline, and MITRE ATT&CK mapping for incident response and security validation.

A dedicated tool for forensic analysis of Windows PowerShell Script Block Logs (Event ID 4104) captured in EVTX files. It reconstructs multi-block scripts, applying advanced detection heuristics such as entropy analysis and pattern matching to identify obfuscated commands, encoded payloads (Base64), download cradles, and AMSI bypass attempts, crucial for threat hunting and incident response.

This guide provides a comprehensive workflow for deep digital forensics examination of NTFS volumes. It covers recovering hidden data from file system slack space, analyzing MFT entries for deleted metadata, reconstructing file actions using the USN Journal, and detecting hidden content via Alternate Data Streams (ADS). Essential for incident response and evidence recovery.

This guide details the end-to-end process of conducting a sophisticated spearphishing simulation campaign, mirroring real red team adversary techniques. It covers initial OSINT research and pretext development, building weaponized payloads that bypass security controls, setting up robust email infrastructure (SPF/DKIM/DMARC), executing the campaign in waves, and performing detailed post-campaign metrics analysis for comprehensive security reporting.

This guide details the process of configuring microsegmentation policies to enforce least-privilege access between workloads. It covers the entire workflow, from application dependency mapping and discovery (Phase 1) to defining label-based, default-deny security zones (Phase 2). It is crucial for preventing lateral movement in highly secure, zero-trust architectures using tools like VMware NSX, Illumio, and Calico.

This skill provides systematic methods and advanced techniques to deobfuscate multi-layered PowerShell malware. It utilizes Abstract Syntax Tree (AST) analysis, dynamic execution tracing, and specialized tools to reveal hidden payloads, C2 infrastructure, and the original malicious logic. It is essential for security analysts, red teamers, and incident response teams performing deep malware analysis.

This guide teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous, comprehensive threat detection across entire AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting various finding severity levels, and building robust, automated incident response playbooks using EventBridge and AWS Lambda for immediate containment actions.

A comprehensive guide for security teams on detecting and responding to unauthorized crypto mining operations in cloud environments (AWS, Azure). It details a multi-layered approach, utilizing cost anomaly detection, compute utilization monitoring, GuardDuty findings, and network flow log analysis (VPC/KQL) to identify resource hijacking attempts and suspicious activity across EC2, ECS, and EKS workloads.

This script detects and analyzes sophisticated fileless malware techniques that operate entirely in system memory. It specializes in identifying threats that utilize Living Off the Land Binaries (LOLBins), WMI event subscriptions, and registry-resident payloads, bypassing traditional file-based security controls. It is ideal for forensic investigations, threat hunting, and building advanced detection rules in modern enterprise environments.

A comprehensive guide and workflow for detecting unauthorized data exfiltration from AWS S3 buckets. It details how to leverage multiple AWS services—including CloudTrail, GuardDuty, Amazon Macie, and Athena—to analyze access patterns, identify bulk downloads, and detect cross-account data transfers, ensuring robust cloud compliance and security monitoring.

This tool analyzes Web Application Firewall (WAF) logs (ModSecurity, AWS WAF, Cloudflare) to detect sophisticated SQL injection attack campaigns. It parses diverse log formats, identifies common SQLi payloads (UNION SELECT, OR 1=1), correlates multi-stage attacks, tracks source IPs, and generates detailed incident reports classified by OWASP standards for SOC analysts and security researchers.

A comprehensive guide for authorized penetration testers on identifying and exploiting insecure deserialization vulnerabilities across multiple languages (Java, PHP, Python, .NET). Covers techniques for generating payloads using tools like ysoserial and phpggc, and testing various application components such as cookies, HTTP parameters, and message queues to achieve potential Remote Code Execution (RCE).