Skill UI

This guide details advanced digital forensics techniques for recovering deleted file metadata and content from NTFS volumes. It focuses on analyzing the Master File Table (MFT), USN Journals, and $LogFile transaction records. Techniques include parsing MFT slack space and utilizing specialized tools like MFTECmd to reconstruct file system timelines and identify deleted evidence remnants.

This tool provides comprehensive forensic analysis for Microsoft Outlook PST and OST files. It extracts critical evidence such as message content, detailed headers, attachments, and deleted items using open-source libraries like libpff and Python, supporting legal investigations and incident response.

This skill guides users through parsing Windows Prefetch files (.pf) to establish a comprehensive program execution history. It extracts critical forensic data such as run counts, timestamps (up to 8 events), and referenced files. This is essential for incident response, malware investigation, and building a reliable timeline of activity on a compromised system.

This skill analyzes the cryptographic algorithms, key management systems, and file encryption routines employed by various ransomware families. It covers hybrid schemes like AES-RSA and modern ciphers such as ChaCha20. Use this when assessing data recovery feasibility, reverse engineering ransomware binaries, identifying implementation weaknesses (e.g., IV reuse, key derivation flaws), or developing custom decryptor tools.

This guide provides a comprehensive workflow for deep digital forensics examination of NTFS volumes. It covers recovering hidden data from file system slack space, analyzing MFT entries for deleted metadata, reconstructing file actions using the USN Journal, and detecting hidden content via Alternate Data Streams (ADS). Essential for incident response and evidence recovery.

Timesketch is a collaborative, open-source platform for security teams to analyze and reconstruct complex forensic timelines. It ingests and normalizes multi-source security data (logs, artifacts) using methods like Plaso, CSV, and JSONL. Users can visualize event chronology, track attack chains, and utilize advanced built-in analyzers (e.g., Sigma, Chain of Events) for comprehensive incident investigation and documentation.

Tailscale provides a WireGuard-based, zero-trust mesh VPN solution. It establishes end-to-end encrypted, peer-to-peer connections using identity-aware controls and granular Access Control Lists (ACLs). Ideal for modernizing network security, replacing traditional VPNs, and ensuring compliant, identity-gated access across diverse environments (Cloud, On-Prem).

This script performs statistical analysis on Zeek connection logs (conn.log) to detect Command and Control (C2) beaconing patterns. It leverages the ZAT library to load data into Pandas DataFrames, calculates inter-arrival time statistics, and flags connections with low standard deviation relative to the mean. This technique is crucial for network threat hunting and security incident investigation when identifying malicious, periodic callbacks.

This guide details methods and rules for detecting container escape attempts, a critical security vulnerability where an adversary breaks out of container isolation to access the host system or other containers. It covers monitoring syscalls, namespace manipulation (e.g., nsenter, unshare), accessing sensitive host paths (/proc), and detecting privileged operations using tools like Falco and eBPF.

This skill provides advanced runtime security rules using Falco, a CNCF-graduated tool. It monitors Linux syscalls to detect container escape attempts in real-time, identifying techniques such as mounting host filesystems, unauthorized namespace access (nsenter), and privileged container launches. It is crucial for SOC analysts and security teams enhancing cloud-native security coverage.

This skill provides comprehensive detection rules for advanced defense evasion techniques used by adversaries, including log tampering (T1070), timestomping, process injection (T1055), and disabling security tools (T1562). It is ideal for threat hunting, building detection rules, and investigating stealthy attacker activity using Sysmon and SIEM data.

This skill guides the detection of Golden Ticket attacks within Active Directory by analyzing Kerberos logs (Event IDs 4768, 4769, 4771). It hunts for critical anomalies, such as mismatched encryption types (e.g., RC4 in AES environments), impossible ticket lifetimes, or service tickets appearing without a prior ticket grant request. This is essential for post-breach assessment and advanced threat hunting in domain environments.