Skill UI

Hardens Windows endpoints using CIS Benchmark guidance to reduce attack surface, enforce security baselines, and stay compliant when commissioning new workstations, servers, or remediating audit findings through GPO deployments and CIS-CAT validation.

Implements full BitLocker disk encryption on Windows endpoints, covering TPM validation, GPO tuning, Intune deployment, recovery key escrow, and monitoring to help enterprises meet compliance and protect data at rest.

Walks through enabling system and per-app DEP, ASLR, CFG, and related mitigations via ProcessMitigation cmdlets, exporting configs for Intune or GPO deployment, and noting compatibility pitfalls.

Guides administrators through designing and implementing Privileged Access Workstations (PAWs) with hardened devices, just-in-time access, Intune/GPO compliance, and CyberArk or BeyondTrust integration for secure sensitive operations.

Implement eBPF-powered runtime security observability and enforcement in Kubernetes with Cilium Tetragon, letting teams define TracingPolicy CRDs, monitor process/file/network activities, and block threats before they escape containers.

Defines steps to inventory USB usage, configure GPO/Intune/EDR policies, deploy Microsoft Defender rules, and audit events to block unauthorized removable media while allowing approved devices, used for preventing data exfiltration via USB.

Investigate Active Directory compromises by analyzing authentication logs, replication metadata, Group Policy changes, and Kerberos anomalies to map persistence and lateral movement during incident response or audits.

Deploy deception-based Active Directory honeytokens—fake privileged accounts, SPNs, decoy GPOs and BloodHound paths—to detect Kerberoasting, lateral movement, credential theft and other reconnaissance activity via monitored Windows Security events.

Guides hardening Windows Active Directory via Group Policy to block ransomware execution, enforce AppLocker/WDAC rules, enable Controlled Folder Access, configure ASR, and lock down lateral movement paths.

Deploys Cilium Tetragon-based eBPF tracing to watch processes, network, file access, and enforce runtime policies while streaming JSON events to SIEM pipelines for Linux hosts or Kubernetes clusters.

A comprehensive playbook detailing advanced techniques for exploiting misconfigured Active Directory Access Control Lists (ACLs). It covers BloodHound enumeration, abusing dangerous ACE types (GenericAll, WriteDACL), conducting DCSync attacks, leveraging shadow credentials, and exploiting GPO/LAPS weaknesses for privilege escalation and lateral movement in a deep dive for security professionals.