Skill UI

A comprehensive guide for security professionals on detecting and preventing ARP spoofing and poisoning attacks. The skill covers multiple layers of defense, including implementing Dynamic ARP Inspection (DAI) on managed switches, utilizing ARPWatch for continuous monitoring, performing deep packet inspection with Wireshark, and developing custom Python scripts for real-time anomaly detection. Essential for mitigating Man-in-the-Middle (MitM) attacks at Layer 2.

This skill analyzes AWS CloudTrail logs to detect suspicious API call patterns, such as new event sources, geographic anomalies, or high-frequency usage. It establishes a statistical baseline of normal activity and flags deviations indicative of compromised credentials, privilege escalation, or insider threats, providing a detailed JSON report for security investigation and threat hunting.

This skill analyzes AWS IAM policies using boto3 and Cloudsplaining principles to detect potential privilege escalation paths in AWS accounts. It identifies overly permissive policies, dangerous permission combinations (such as combining role passing and resource creation), and violations of least-privilege principles. It is designed for security incident investigation, threat hunting, and validating overall cloud security posture.

This script performs statistical analysis on Zeek connection logs (conn.log) to detect Command and Control (C2) beaconing patterns. It leverages the ZAT library to load data into Pandas DataFrames, calculates inter-arrival time statistics, and flags connections with low standard deviation relative to the mean. This technique is crucial for network threat hunting and security incident investigation when identifying malicious, periodic callbacks.

This skill detects unauthorized modifications (container drift) to running containers by monitoring for deviations from the original image state. It monitors binary execution drift, file system changes, and configuration deviations using tools like Falco and Kubernetes security contexts. Essential for SOC analysts and security teams investigating runtime compromises and enforcing immutable infrastructure.

This skill provides comprehensive detection methods for credential dumping techniques, a critical post-exploitation phase in cyber attacks. It targets the extraction of sensitive credentials from LSASS memory, SAM registry hives, and NTDS.dit using advanced security visibility. Detection relies on analyzing Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and complex SIEM correlation rules, making it essential for SOC analysts and threat hunters investigating advanced persistent threats (APTs).

Provides analysts with a workflow to hunt and investigate credential dumping (LSASS, SAM, NTDS, DCSync) using EDR telemetry, Sysmon access events, and AD replication monitoring.

This guide is crucial for threat hunters investigating Active Directory compromises. It details how to monitor Windows Security Event ID 4662 to detect unauthorized attempts by non-domain-controller accounts to access critical directory replication GUIDs. These anomalies are strong indicators of DCSync attacks, which are used by attackers (e.g., using Mimikatz) to dump hashes, perform lateral movement, and execute credential theft.

This skill outlines a comprehensive methodology for detecting compromised email accounts in Microsoft 365 and Google Workspace. It analyzes critical indicators such as unauthorized inbox rule creation (e.g., forwarding rules, deletion rules), suspicious sign-in locations (impossible travel), and unusual API access patterns using Microsoft Graph and Unified Audit Logs. It is essential for threat hunting and incident response (IR) to mitigate Business Email Compromise (BEC) and account takeover.

This skill provides comprehensive detection rules for advanced defense evasion techniques used by adversaries, including log tampering (T1070), timestomping, process injection (T1055), and disabling security tools (T1562). It is ideal for threat hunting, building detection rules, and investigating stealthy attacker activity using Sysmon and SIEM data.

This script detects and analyzes sophisticated fileless malware techniques that operate entirely in system memory. It specializes in identifying threats that utilize Living Off the Land Binaries (LOLBins), WMI event subscriptions, and registry-resident payloads, bypassing traditional file-based security controls. It is ideal for forensic investigations, threat hunting, and building advanced detection rules in modern enterprise environments.

This skill provides structured procedures and Python examples for detecting internal data exfiltration. It analyzes endpoint, cloud, and email logs by establishing behavioral baselines and performing statistical anomaly detection. Use cases include investigating insider threats, monitoring DLP policy violations, and building robust User and Entity Behavior Analytics (UEBA) rules for SOC teams.