Skill UI

A dedicated tool for forensic analysis of Windows PowerShell Script Block Logs (Event ID 4104) captured in EVTX files. It reconstructs multi-block scripts, applying advanced detection heuristics such as entropy analysis and pattern matching to identify obfuscated commands, encoded payloads (Base64), download cradles, and AMSI bypass attempts, crucial for threat hunting and incident response.

A comprehensive guide utilizing Splunk Enterprise Security and SPL to conduct deep forensic analysis of security incidents. This skill covers correlating disparate sources like Windows event logs, firewall records, proxy data, and Sysmon logs to detect TTPs, reconstruct timelines, and identify anomalies, making it essential for incident response and threat hunting.

This tool provides a comprehensive framework for analyzing web server logs (Apache/Nginx) to detect various security threats. It uses advanced regex matching against OWASP attack signatures to identify SQL injection, Local File Inclusion, and Directory Traversal attempts, alongside behavioral analysis for brute-force attacks and web scanner fingerprints. The system also enriches data using GeoIP for source attribution, generating a prioritized report for SOC analysts.

A comprehensive toolkit using Splunk's SPL language to analyze Windows Security, System, and Sysmon event logs. It maps advanced detection queries to specific MITRE ATT&CK techniques, enabling SOC analysts to investigate authentication attacks (e.g., brute force, password spraying), detect privilege escalation, locate persistence mechanisms, and trace lateral movement for detailed forensic timeline analysis.

Timesketch is a collaborative, open-source platform for security teams to analyze and reconstruct complex forensic timelines. It ingests and normalizes multi-source security data (logs, artifacts) using methods like Plaso, CSV, and JSONL. Users can visualize event chronology, track attack chains, and utilize advanced built-in analyzers (e.g., Sigma, Chain of Events) for comprehensive incident investigation and documentation.

This skill provides a systematic methodology for building comprehensive threat actor profiles using Open-Source Intelligence (OSINT). It involves gathering, correlating, and analyzing publicly available data from diverse sources (e.g., vendor reports, dark web forums, code repositories). Users can map adversary TTPs to MITRE ATT&CK, assess motivations, and build structured dossiers for proactive defensive strategies and attribution assessments.

A comprehensive toolkit designed for cybersecurity professionals to deobfuscate malicious JavaScript code. It reverses complex encoding layers (Base64, Hex, Unicode), eval chains, and control flow obfuscation techniques found in phishing pages, web skimmers, and dropper scripts, revealing the original malicious logic for thorough forensic analysis and threat intelligence gathering.

This skill provides systematic methods and advanced techniques to deobfuscate multi-layered PowerShell malware. It utilizes Abstract Syntax Tree (AST) analysis, dynamic execution tracing, and specialized tools to reveal hidden payloads, C2 infrastructure, and the original malicious logic. It is essential for security analysts, red teamers, and incident response teams performing deep malware analysis.

This script performs statistical analysis on Zeek connection logs (conn.log) to detect Command and Control (C2) beaconing patterns. It leverages the ZAT library to load data into Pandas DataFrames, calculates inter-arrival time statistics, and flags connections with low standard deviation relative to the mean. This technique is crucial for network threat hunting and security incident investigation when identifying malicious, periodic callbacks.

A comprehensive guide for security teams on detecting and responding to unauthorized crypto mining operations in cloud environments (AWS, Azure). It details a multi-layered approach, utilizing cost anomaly detection, compute utilization monitoring, GuardDuty findings, and network flow log analysis (VPC/KQL) to identify resource hijacking attempts and suspicious activity across EC2, ECS, and EKS workloads.

This skill provides a comprehensive framework for detecting data exfiltration attempts that utilize DNS tunneling. It analyzes DNS logs for anomalies such as high Shannon entropy in subdomains, excessive query volume, abnormal query lengths, and misuse of TXT/CNAME records. It is ideal for SOC analysts and security engineers building advanced threat detection rules and performing threat hunting.

This skill provides a methodology to detect data exfiltration attempts hidden within DNS queries. By analyzing Zeek dns.log files, the agent computes Shannon entropy of subdomains, flags unusually long labels, and monitors unique subdomain counts per parent domain. This technique is crucial for identifying malicious tunneling tools like dnscat2 or iodine that bypass traditional security controls.