Skill UI

This guide provides comprehensive steps to harden the Docker daemon configuration. It covers essential security controls like user namespace remapping, disabling inter-container communication (ICC), implementing TLS authentication, and adopting rootless mode. Implementing these measures significantly reduces the attack surface and mitigates risks associated with container breakouts and privilege escalation, aligning with CIS benchmarks.

A proactive, hypothesis-driven skill designed to hunt for Advanced Persistent Threats (APT) within complex enterprise environments. It analyzes endpoint telemetry, network logs, and memory artifacts using frameworks like MITRE ATT&CK. Use this skill when investigating anomalous behavior flagged by UEBA, conducting scheduled threat sprints, or validating exposure to known TTPs using tools like Velociraptor and osquery.

This skill detects anti-forensic timestomping by analyzing NTFS Master File Table (MFT) entries. It compares timestamps from the $STANDARD_INFORMATION attribute (user-modifiable) against the $FILE_NAME attribute (kernel-protected). Discrepancies, such as SI Created < FN Created, strongly indicate malicious manipulation and defense evasion. This methodology is crucial for advanced threat hunting and digital forensic investigations.

This skill detects domain fronting, an advanced technique used by attackers to mask Command and Control (C2) traffic. It analyzes proxy/web gateway logs for mismatches between the TLS SNI field and the HTTP Host header, combined with deep TLS certificate inspection using pyOpenSSL. This is crucial for security teams investigating sophisticated network threats and validating detection coverage.

This guide details a threat hunting technique for detecting persistence mechanisms utilizing Windows Registry Run keys (T1547.001). By analyzing Sysmon Event ID 13 logs, it identifies suspicious auto-start entries pointing to temporary directories, encoded PowerShell commands, or abused LOLBins. Essential for SOC analysts and security engineers investigating incidents and developing robust detection rules.

This guide details proactive threat hunting techniques focused on detecting supply chain compromises. Use it when investigating trojanized software updates, compromised dependencies (npm/PyPI), or tampered build artifacts. It outlines a structured workflow using EDR/SIEM data (CrowdStrike, Splunk) to identify hidden threats and scope the impact of sophisticated attacks.

This skill provides a structured methodology for mitigating alert fatigue within Security Operations Centers (SOCs). It guides users through advanced techniques, including implementing Risk-Based Alerting (RBA) to replace high-volume, low-fidelity alerts with consolidated risk scores. It emphasizes quantifying alert quality by analyzing True Positive (TP) and False Positive (FP) rates, and systematically tuning detection rules to maintain analyst effectiveness.

A comprehensive guide on implementing AWS CloudTrail log analysis for robust security monitoring, threat detection, and forensic investigation. Learn how to configure CloudTrail, use Amazon Athena for SQL querying, and leverage CloudWatch Logs Insights and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity across AWS services.

A comprehensive guide to configuring multi-layered DDoS protection using Cloudflare. This skill covers mitigating volumetric (L3/4) and application-layer (L7) attacks by setting up managed rulesets, Web Application Firewall (WAF) rules, rate limiting, and Bot Management. Ideal for strengthening security architecture and meeting compliance standards.

This skill covers the architecture, design, and implementation of Just-In-Time (JIT) access provisioning. The goal is to eliminate standing privileges by granting temporary, time-bound access only when specific business needs arise. It guides users through designing robust approval workflows, integrating JIT with PAM and IGA platforms, and enforcing zero standing privilege (ZSP) principles to drastically reduce the attack surface and ensure compliance.

This guide details the implementation of advanced, phishing-resistant, passwordless authentication using Microsoft Entra ID. It covers configuring FIDO2 security keys, Windows Hello for Business, and passkey support via Microsoft Authenticator. Use this skill to eliminate reliance on passwords, mitigate credential stuffing attacks, and satisfy strict regulatory mandates for modern identity access management.

A comprehensive guide to securing Kubernetes Role-Based Access Control (RBAC). It teaches best practices for implementing least-privilege policies, eliminating excessive cluster-admin bindings, utilizing namespace-scoped roles, and integrating external identity providers (OIDC) to mitigate risks like privilege escalation and unauthorized data access.