Skill UI

A comprehensive guide and methodology for proactively hunting adversary abuse of legitimate cloud services (Azure, AWS, GCP, SaaS). This technique focuses on identifying Command and Control (C2), data staging, and exfiltration methods that leverage normal cloud functionality, making detection challenging.

Provides a structured methodology for proactive threat hunting against Living-off-the-Land Binaries (LOLBins). It guides practitioners in identifying techniques where adversaries abuse legitimate system tools (like certutil, mshta, rundll32) to execute payloads while bypassing traditional security controls (AV/EDR). Ideal for incident response, red team validation, and improving detection coverage against fileless attacks.

This skill focuses on threat hunting techniques to detect adversaries leveraging Living Off the Land Binaries (LOLBins). By analyzing detailed endpoint process creation logs (e.g., Sysmon), practitioners can identify suspicious execution patterns of legitimate Windows system binaries (like certutil, mshta, rundll32) used for malicious fileless attacks or defense evasion. It is crucial for improving detection coverage against advanced persistent threats.

This skill provides advanced threat hunting capabilities to detect NTLM relay attacks within Active Directory environments. It analyzes critical Windows Security Event 4624 logs, specifically focusing on logon type 3 using NTLMSSP authentication. The detection logic identifies suspicious patterns, including IP-to-hostname mismatches, rapid multi-host authentications, and lack of SMB signing enforcement, helping SOC analysts pinpoint unauthorized credential access attempts.

This guide details a systematic methodology for proactive threat hunting across Windows endpoints. It focuses on identifying various adversary persistence techniques, such as registry modifications (Run Keys), malicious services, WMI event subscriptions, and scheduled tasks. It is essential for incident response, security audits, and improving detection coverage against dormant backdoors.

This guide details advanced threat hunting techniques to proactively uncover adversary persistence mechanisms leveraging Windows Management Instrumentation (WMI) event subscriptions. It monitors the creation and binding of WMI events (Filter, Consumer, Binding) to detect malicious, fileless backdoors used by sophisticated threat actors, especially when standard persistence locations are clean.

This skill provides a structured methodology for detecting process injection techniques (MITRE ATT&CK T1055), which adversaries use for defense evasion and privilege escalation. It analyzes granular security logs, specifically utilizing Sysmon Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess), alongside source-target process relationship mapping to identify suspicious malicious behavior over general system activity.

A detailed methodology for proactive threat hunting focused on identifying deep-seated persistence mechanisms within Windows operating systems. This guide covers advanced techniques such as monitoring Run keys, analyzing Winlogon modifications, detecting IFEO injection, and identifying COM object hijacking. It is crucial for incident response, purple teaming, and ensuring system integrity against advanced persistent threats (APTs).

This guide provides a structured methodology for proactively hunting adversaries who establish persistence using Windows Scheduled Tasks (T1053). It outlines the necessary prerequisites (EDR, SIEM, Sysmon) and a comprehensive workflow—from hypothesis formulation to threat correlation—for detecting suspicious task creation, unusual scheduling patterns, and attacker TTPs during incident response or red teaming.

This methodology guides security professionals in proactively hunting for suspicious activity related to Volume Shadow Copy deletion. By monitoring commands like vssadmin, wmic, and PowerShell usage, it helps detect anti-forensics techniques and preparatory steps often executed by ransomware actors, crucial during incident response or threat hunting exercises.

This guide details a structured threat hunting methodology designed to proactively detect sophisticated spearphishing campaigns. It instructs users on correlating indicators across email logs, endpoint telemetry (EDR), and network data (SIEM) to identify targeted threats, supporting incident response and security posture improvement.

This guide details proactive threat hunting techniques focused on detecting supply chain compromises. Use it when investigating trojanized software updates, compromised dependencies (npm/PyPI), or tampered build artifacts. It outlines a structured workflow using EDR/SIEM data (CrowdStrike, Splunk) to identify hidden threats and scope the impact of sophisticated attacks.