Skill UI

This skill guides the security hardening of Windows endpoints (10/11, Server 2019/2022) using established CIS Benchmarks. It provides a comprehensive workflow for establishing secure organizational baselines, configuring Group Policy Objects (GPOs), and enforcing security controls across critical areas like password policies, audit logs, and firewall rules. It is essential for achieving compliance with standards like PCI DSS, HIPAA, and SOC 2.

A proactive, hypothesis-driven skill designed to hunt for Advanced Persistent Threats (APT) within complex enterprise environments. It analyzes endpoint telemetry, network logs, and memory artifacts using frameworks like MITRE ATT&CK. Use this skill when investigating anomalous behavior flagged by UEBA, conducting scheduled threat sprints, or validating exposure to known TTPs using tools like Velociraptor and osquery.

This skill provides structured methods for detecting credential stuffing attacks by analyzing authentication logs. It focuses on identifying complex patterns such as login velocity anomalies, high IP diversity, password spray techniques, and suspicious geographical distributions of failed logins. It is essential for SOC analysts conducting threat hunting or building robust detection rules against account takeover attempts.

A comprehensive tool for security analysts to hunt for malicious PowerShell activity. It analyzes Windows Event Log (EVTX) files by parsing Script Block Logging (Event 4104), Module Logging (4103), and process creation events. Detects obfuscated commands, AMSI bypass attempts, encoded payloads, and credential dumping techniques crucial for incident response and threat hunting.

This skill provides a systematic methodology for detecting Command and Control (C2) beaconing patterns in network traffic. It utilizes advanced statistical techniques, including Coefficient of Variation (CV) and jitter analysis, applied to network flow logs (Zeek, proxy, firewall). It is crucial for proactive threat hunting and incident response to identify compromised endpoints communicating periodically with malicious infrastructure.

This skill guides threat hunters in detecting Cobalt Strike Command and Control (C2) beacons. It utilizes advanced network forensic techniques, including analyzing default TLS certificate serials, JA3/JA3S/JARM fingerprints, beacon jitter, and HTTP profile matching. Detection is achieved by correlating data from Zeek logs, Suricata rules, and Python PCAP analysis to identify suspicious outbound communications.

This capability provides advanced threat hunting by analyzing network telemetry (DNS, proxy, connection logs) to detect Command and Control (C2) beaconing patterns. It uses statistical analysis, frequency detection, and jitter analysis to identify compromised endpoints communicating with adversary infrastructure, crucial for proactive threat detection and incident response.

This skill provides advanced threat hunting techniques to detect unauthorized data exfiltration. It guides the analysis of network traffic, DNS queries, and cloud uploads to identify unusual data flows, DNS tunneling, and abuse of encrypted channels, essential for incident response and preventing data loss.

This skill guides security analysts in detecting data staging activities, a critical precursor to data exfiltration. It monitors for the use of archiving tools (7-Zip, RAR), unusual file consolidation patterns, and suspicious writes to temporary or hidden directories using EDR and process telemetry. Essential for proactive threat hunting and improving detection coverage for T1074 techniques.

This skill detects anti-forensic timestomping by analyzing NTFS Master File Table (MFT) entries. It compares timestamps from the $STANDARD_INFORMATION attribute (user-modifiable) against the $FILE_NAME attribute (kernel-protected). Discrepancies, such as SI Created < FN Created, strongly indicate malicious manipulation and defense evasion. This methodology is crucial for advanced threat hunting and digital forensic investigations.

This skill detects domain fronting, an advanced technique used by attackers to mask Command and Control (C2) traffic. It analyzes proxy/web gateway logs for mismatches between the TLS SNI field and the HTTP Host header, combined with deep TLS certificate inspection using pyOpenSSL. This is crucial for security teams investigating sophisticated network threats and validating detection coverage.

This skill detects WMI-based lateral movement by analyzing key Windows Security Event ID 4688 and Sysmon Event ID 1 logs. It focuses on identifying suspicious process execution patterns, such as WmiPrvSE.exe spawning unauthorized child processes (cmd.exe, powershell.exe), suspicious command lines, and WMI event subscriptions used for persistence. Ideal for security incident response and threat detection.