Skill UI

This skill focuses on advanced threat detection techniques used to identify the abuse of legitimate Windows binaries (LOLBins) for malicious purposes. It requires monitoring process creation, command-line arguments, and network activity to pinpoint fileless and living-off-the-land attacks. Ideal for building SIEM/EDR detection rules, threat hunting, and hardening endpoint security policies.

A specialized Intrusion Detection System (IDS) designed for Operational Technology (OT) and Industrial Control Systems (ICS). It monitors Modbus TCP/RTU traffic to detect unauthorized write operations, anomalous function codes, malformed frames, and deviations from established communication baselines. Essential for securing SCADA environments against attacks like FrostyGoop.

This guide details methods for detecting and mitigating OAuth token theft and replay attacks in cloud environments, specifically targeting Microsoft Entra ID (Azure AD). It covers protection against access token theft, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Users can leverage Conditional Access and Token Protection features to cryptographically bind tokens to devices, significantly enhancing cloud identity security and preventing session hijacking.

A comprehensive guide for proactive threat hunting and incident response, detailing how to detect Pass-the-Hash attacks. It involves analyzing NTLM authentication patterns, identifying suspicious Type 3 logons, and correlating these anomalies with credential dumping techniques using SIEM/EDR tools.

This skill provides a structured approach to detecting Pass-the-Ticket (PtT) attacks, a severe credential theft technique utilizing stolen Kerberos tickets (TGT/TGS). It involves analyzing Windows Security Event IDs (4768, 4769, 4771) within SIEM platforms like Splunk or Elastic. Use cases include incident response, building advanced threat hunting queries, and validating security monitoring coverage against MITRE ATT&CK techniques.

A guide for security professionals and threat hunters to proactively detect advanced privilege escalation techniques across Windows and Linux environments. It covers critical attack methods including token manipulation, UAC bypass, unquoted service paths, and kernel exploits, utilizing EDR and SIEM data sources for comprehensive incident response and security assessments.

This guide details advanced methods for detecting and preventing QR code phishing (quishing) attacks. It covers how malicious URLs embedded in images bypass traditional email security filters, requiring multimodal AI, OCR, and robust mobile threat defense solutions. Essential for SOC analysts and security teams.

This skill analyzes Windows Security Event Logs (EVTX) to detect RDP brute force attacks. It parses failed logon events (ID 4625) and correlates them with successful logons (ID 4624), performing source IP frequency analysis to identify attack patterns, username spraying, and potential account compromises. This is critical for SOC analysts and threat hunters investigating lateral movement or credential stuffing attempts.

This tool detects, inventories, and analyzes undocumented or abandoned API endpoints (Shadow APIs). By comparing live network traffic logs against official OpenAPI specifications, it helps security teams identify hidden attack vectors, gaps in API governance, and unmonitored entry points, significantly improving the security posture of complex systems.

A comprehensive guide on configuring advanced email security gateways (SEGs) to detect and block sophisticated, targeted spearphishing attacks. This skill covers essential detection layers, including impersonation protection, real-time URL detonation, attachment sandboxing, and creating custom behavioral rules. It is crucial for SOC analysts and security engineers building robust email threat defense systems.

This tool analyzes Web Application Firewall (WAF) logs (ModSecurity, AWS WAF, Cloudflare) to detect sophisticated SQL injection attack campaigns. It parses diverse log formats, identifies common SQLi payloads (UNION SELECT, OR 1=1), correlates multi-stage attacks, tracks source IPs, and generates detailed incident reports classified by OWASP standards for SOC analysts and security researchers.

This skill addresses advanced threat detection for critical infrastructure (OT/ICS). It monitors sophisticated, multi-stage cyber-physical attacks, focusing specifically on PLC logic integrity monitoring, detecting unauthorized modifications, and analyzing process anomalies. It covers the entire attack chain, from initial USB-borne access (IT) to process manipulation (OT).