Skill UI

This guide details methodologies for proactively hunting and detecting various insider threat indicators. It focuses on identifying unusual data access patterns, off-hours activity, mass file exfiltration, and unauthorized privilege abuse. By correlating data from EDR and SIEM platforms, security teams can scope compromises, simulate attack chains, and significantly enhance proactive threat detection capabilities.

This guide outlines a comprehensive threat hunting methodology for detecting Kerberoasting attacks. It focuses on monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs, which are indicators of brute-force or offline password cracking attempts. Use this workflow during proactive security assessments, incident response, or when analyzing SIEM/EDR telemetry to identify potential lateral movement.

This guide outlines a comprehensive threat hunting methodology for detecting adversary lateral movement within a network environment. It utilizes Splunk SPL queries against rich Windows event data, including authentication logs (4624, 4625), SMB traffic, and Sysmon telemetry. By correlating source-to-destination activity and identifying unusual logon types (RDP, WinRM, SMB), users can proactively track an attacker's path after initial system compromise, fulfilling MITRE ATT&CK T1021 techniques.

This skill focuses on advanced threat detection techniques used to identify the abuse of legitimate Windows binaries (LOLBins) for malicious purposes. It requires monitoring process creation, command-line arguments, and network activity to pinpoint fileless and living-off-the-land attacks. Ideal for building SIEM/EDR detection rules, threat hunting, and hardening endpoint security policies.

This skill provides a comprehensive framework for detecting Living Off the Land Binaries (LOLBAS) abuse, such as misuse of certutil, regsvr32, and mshta. It leverages process telemetry from Sysmon and Windows Event Logs, combined with advanced Sigma rule-based detection and parent-child process anomaly analysis. Ideal for SOC analysts and threat hunters investigating sophisticated adversaries aiming to evade traditional security controls.

This skill provides a structured methodology for detecting persistence and lateral movement via malicious scheduled tasks. It utilizes Sysmon Event IDs (1, 11) and Windows Security Events (4698/4702) to correlate process creation, task file writes, and task registration details. Ideal for threat hunting and building robust detection rules for T1053.005.

This guide details advanced threat hunting techniques to proactively detect Mimikatz execution. It focuses on identifying command-line patterns, unauthorized access to LSASS memory, binary indicators, and known credential dumping techniques (e.g., DCSync, Golden Tickets). Ideal for security analysts, threat hunters, and incident response teams during proactive assessments or active compromise investigation.

This tool provides a comprehensive security audit framework for Azure Storage accounts. It systematically detects critical misconfigurations, such as publicly accessible blob containers, weak encryption settings, overly permissive network access rules, and missing logging. Use it when performing compliance checks, responding to security incidents, or establishing storage security baselines in Azure environments.

This skill provides comprehensive anomaly detection for Modbus/TCP and Modbus RTU traffic in Operational Technology (OT) and Industrial Control Systems (ICS). It monitors function codes, validates register access, analyzes timing, and detects unauthorized clients. By utilizing advanced tools like Zeek, Suricata, and custom Python models, it helps establish behavioral baselines and identify potential cyber threats.

This skill provides a comprehensive guide to deploying Zeek (formerly Bro) for passive network security monitoring. It details how to generate structured logs (DNS, HTTP, SSL, etc.) and write custom Zeek scripts to detect sophisticated anomalies like DNS tunneling and beaconing. Ideal for threat hunting, security incident response, and complementing traditional IDS solutions.

This skill provides comprehensive guidance on detecting network reconnaissance and port scanning activities using industry-standard IDS/IPS systems like Suricata and Snort. It covers various scanning techniques (e.g., SYN, FIN, NULL, Xmas scans, UDP sweeps) and advanced detection methods, including signature matching, threshold-based alerting, and traffic anomaly analysis to identify tools like Nmap and Masscan.

This guide details methods for detecting and mitigating OAuth token theft and replay attacks in cloud environments, specifically targeting Microsoft Entra ID (Azure AD). It covers protection against access token theft, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Users can leverage Conditional Access and Token Protection features to cryptographically bind tokens to devices, significantly enhancing cloud identity security and preventing session hijacking.