Skill UI

This skill provides a comprehensive framework for detecting Living Off the Land Binaries (LOLBAS) abuse, such as misuse of certutil, regsvr32, and mshta. It leverages process telemetry from Sysmon and Windows Event Logs, combined with advanced Sigma rule-based detection and parent-child process anomaly analysis. Ideal for SOC analysts and threat hunters investigating sophisticated adversaries aiming to evade traditional security controls.

This tool leverages the Rekall memory forensics framework to conduct deep analysis of memory dumps. It is designed to detect sophisticated threats such as process hollowing, injected code via VAD anomalies, hidden operating system processes, and rootkit presence. It applies key forensic plugins (pslist, malfind, vadinfo) essential for rigorous incident response and malware analysis.