Skill UI

This workflow guides SOC teams in establishing a comprehensive, structured process for vulnerability management. It utilizes major scanning tools (Nessus, Qualys, OpenVAS) to discover, prioritize, and track remediation of security weaknesses across the infrastructure. It integrates threat intelligence (CISA KEV) and asset criticality into risk scoring, ensuring resources are focused on the most critical threats.

A comprehensive system for systematically collecting, categorizing, and enriching Indicators of Compromise (IOCs) from various sources (network logs, memory dumps, email, etc.). It supports the entire incident response lifecycle, ensuring structured data representation using STIX/TAXII formats for robust threat intelligence sharing and defensive system automation.

This skill provides comprehensive methods for collecting and synthesizing Open-Source Intelligence (OSINT) regarding threat actors, malicious infrastructure, and attack campaigns. It utilizes public data sources, passive reconnaissance tools (like WHOIS, Certificate Transparency), and specialized platforms (Maltego, Shodan, SpiderFoot) to map adversary context and perform pre-engagement intelligence gathering for authorized red team assessments. Emphasis is placed on passive collection techniques to ensure legality and operational security.

MISP (Malware Information Sharing Platform) is an open-source platform designed for gathering, storing, and correlating Indicators of Compromise (IOCs). This skill guides users through deploying MISP using Docker, configuring various threat feeds (MISP, TAXII, CSV), and utilizing the PyMISP Python API. It enables the building of automated pipelines to aggregate diverse threat data, such as IP addresses, domains, and hashes, for enhanced security operations.

This skill correlates disparate security incidents, Indicators of Compromise (IOCs), and adversary behaviors across time and organizations. It systematically identifies unified threat campaigns, attributes them to common threat actors, and extracts shared indicators for significantly improved detection capabilities. Ideal for cross-organizational threat intelligence sharing and building comprehensive campaign reports.

A comprehensive toolkit designed for cybersecurity professionals to deobfuscate malicious JavaScript code. It reverses complex encoding layers (Base64, Hex, Unicode), eval chains, and control flow obfuscation techniques found in phishing pages, web skimmers, and dropper scripts, revealing the original malicious logic for thorough forensic analysis and threat intelligence gathering.

This guide provides a comprehensive methodology and technical approach for detecting malicious email forwarding rules. It is crucial for threat hunting, incident response, and proactive security assessments to identify persistent access mechanisms used by adversaries for intelligence collection and Business Email Compromise (BEC) attacks. It outlines necessary prerequisites, workflow steps, and key threat indicators (T1114).

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

This utility provides a comprehensive framework for proactive threat hunting, focusing on detecting advanced and suspicious PowerShell execution patterns. It covers common attacker techniques such as encoded command usage, download cradles (IEX), AMSI bypass attempts, and constrained language mode evasion. It is designed for security analysts during incident response and threat intelligence validation, requiring EDR and SIEM telemetry.

This skill guides the comprehensive evaluation and selection of Threat Intelligence Platforms (TIPs). It assesses vendor capabilities, including STIX/TAXII support, workflow automation, SIEM/SOAR integration, and total cost of ownership. It is essential for procurement decisions, migrating between TIP solutions, or assessing whether the current CTI program meets required maturity levels.

This script is designed for malware analysis, specifically targeting .NET-based Remote Access Trojans (RATs) like Agent Tesla. It automatically extracts embedded and obfuscated configuration data, including SMTP credentials, FTP endpoints, Telegram tokens, and C2 webhooks. It utilizes advanced techniques such as regex pattern matching, Base64 decoding, and simulating XOR/SHA256 decryption to reveal critical threat intelligence for security research.

This skill provides a comprehensive workflow to extract Indicators of Compromise (IOCs) from malware samples and analysis reports. It covers file hashes (SHA256, MD5), network artifacts (IPs, domains, URLs from strings and PCAPs), and host-based indicators (registry keys, file paths, mutexes) from sandbox reports. It is essential for threat intelligence sharing, building blocklists, and creating detection signatures (YARA, Snort).