Skill UI

This skill provides structured methods for detecting credential stuffing attacks by analyzing authentication logs. It focuses on identifying complex patterns such as login velocity anomalies, high IP diversity, password spray techniques, and suspicious geographical distributions of failed logins. It is essential for SOC analysts conducting threat hunting or building robust detection rules against account takeover attempts.

This skill provides a systematic methodology for detecting Command and Control (C2) beaconing patterns in network traffic. It utilizes advanced statistical techniques, including Coefficient of Variation (CV) and jitter analysis, applied to network flow logs (Zeek, proxy, firewall). It is crucial for proactive threat hunting and incident response to identify compromised endpoints communicating periodically with malicious infrastructure.

This skill guides threat hunters in detecting Cobalt Strike Command and Control (C2) beacons. It utilizes advanced network forensic techniques, including analyzing default TLS certificate serials, JA3/JA3S/JARM fingerprints, beacon jitter, and HTTP profile matching. Detection is achieved by correlating data from Zeek logs, Suricata rules, and Python PCAP analysis to identify suspicious outbound communications.

This capability provides advanced threat hunting by analyzing network telemetry (DNS, proxy, connection logs) to detect Command and Control (C2) beaconing patterns. It uses statistical analysis, frequency detection, and jitter analysis to identify compromised endpoints communicating with adversary infrastructure, crucial for proactive threat detection and incident response.

This guide details how to hunt for DCSync attacks, a technique used to steal password hashes from Active Directory. It involves analyzing Windows Event ID 4662 to identify unauthorized DS-Replication-Get-Changes requests originating from non-domain-controller accounts. Essential for incident response and threat detection.

This skill detects domain fronting, an advanced technique used by attackers to mask Command and Control (C2) traffic. It analyzes proxy/web gateway logs for mismatches between the TLS SNI field and the HTTP Host header, combined with deep TLS certificate inspection using pyOpenSSL. This is crucial for security teams investigating sophisticated network threats and validating detection coverage.

This skill detects WMI-based lateral movement by analyzing key Windows Security Event ID 4688 and Sysmon Event ID 1 logs. It focuses on identifying suspicious process execution patterns, such as WmiPrvSE.exe spawning unauthorized child processes (cmd.exe, powershell.exe), suspicious command lines, and WMI event subscriptions used for persistence. Ideal for security incident response and threat detection.

This skill focuses on threat hunting techniques to detect adversaries leveraging Living Off the Land Binaries (LOLBins). By analyzing detailed endpoint process creation logs (e.g., Sysmon), practitioners can identify suspicious execution patterns of legitimate Windows system binaries (like certutil, mshta, rundll32) used for malicious fileless attacks or defense evasion. It is crucial for improving detection coverage against advanced persistent threats.

This skill provides advanced threat hunting capabilities to detect NTLM relay attacks within Active Directory environments. It analyzes critical Windows Security Event 4624 logs, specifically focusing on logon type 3 using NTLMSSP authentication. The detection logic identifies suspicious patterns, including IP-to-hostname mismatches, rapid multi-host authentications, and lack of SMB signing enforcement, helping SOC analysts pinpoint unauthorized credential access attempts.

This skill provides a structured methodology for detecting process injection techniques (MITRE ATT&CK T1055), which adversaries use for defense evasion and privilege escalation. It analyzes granular security logs, specifically utilizing Sysmon Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess), alongside source-target process relationship mapping to identify suspicious malicious behavior over general system activity.

This guide details a threat hunting technique for detecting persistence mechanisms utilizing Windows Registry Run keys (T1547.001). By analyzing Sysmon Event ID 13 logs, it identifies suspicious auto-start entries pointing to temporary directories, encoded PowerShell commands, or abused LOLBins. Essential for SOC analysts and security engineers investigating incidents and developing robust detection rules.

This guide details a structured threat hunting methodology designed to proactively detect sophisticated spearphishing campaigns. It instructs users on correlating indicators across email logs, endpoint telemetry (EDR), and network data (SIEM) to identify targeted threats, supporting incident response and security posture improvement.