Skill UI

Detects abnormal access patterns across major cloud storage platforms, including AWS S3, GCS, and Azure Blob Storage. By analyzing cloud audit logs (CloudTrail, etc.), this tool identifies critical security threats such as after-hours bulk data downloads, sudden spikes in API calls (GetObject spikes), access from new geographic IPs, and potential data exfiltration. It utilizes statistical baselines and time-series anomaly detection for proactive threat hunting and security incident investigation.

This skill analyzes DNS query logs to detect sophisticated threats such as data exfiltration via DNS tunneling, Domain Generation Algorithm (DGA) usage, and covert Command and Control (C2) channels. It utilizes advanced techniques like entropy analysis, query volume anomaly detection, and subdomain length analysis within SIEM platforms, helping SOC teams identify threats that bypass traditional network security controls.

A comprehensive tool for detecting and analyzing covert communication channels used by sophisticated malware. It focuses on identifying anomalies in network traffic, such as DNS tunneling, ICMP exfiltration, and steganographic HTTP abuse, which are used for Command and Control (C2) communication and data exfiltration. Ideal for security incident response, threat hunting, and building advanced network detection rules.

This tool parses NetFlow v9 and IPFIX records to conduct deep network security analysis. It is crucial for investigating security incidents by building traffic baselines and applying statistical methods. Key detection capabilities include identifying port scanning, data exfiltration attempts, command and control (C2) beaconing patterns, and general volumetric anomalies in network traffic.

Examines packet captures, Zeek logs, and NetFlow data to uncover C2 channels, lateral movement, and exfiltration during security incidents, guiding analysts through capture, filtering, and IOC extraction workflows.

A comprehensive guide for analyzing PCAP files captured during malware execution. It demonstrates advanced techniques using Wireshark, Zeek, Suricata, and Python (scapy) to identify Command and Control (C2) communications, data exfiltration channels, Domain Generation Algorithms (DGA), and periodic beaconing patterns. Essential for malware reverse engineering and network threat detection.

A comprehensive guide for deep packet inspection and network forensics using Wireshark and tshark. This skill is critical for incident response, where it allows users to capture, filter, and analyze network packet data to identify malicious command-and-control traffic, diagnose complex protocol issues, extract indicators of compromise (IOCs), and reconstruct data exfiltration paths. Use it for validating security rules and understanding network anomalies.

This comprehensive skill analyzes Zeek conn.log and NetFlow data to proactively detect advanced indicators of ransomware activity. It identifies critical threats such as Command and Control (C2) beaconing patterns, connections to TOR exit nodes, large-scale data exfiltration flows, and suspicious DNS anomalies. It is essential for threat hunting and complex security incident response.

A comprehensive digital forensics technique used to investigate removable media usage. It parses artifacts from Windows registry (USBSTOR, MountedDevices), Event Logs, and SetupAPI logs to track which USB devices were connected, when they were used, and establishing a timeline for potential data exfiltration or insider threat activity.

This guide details how to write advanced correlation searches using Splunk's Search Processing Language (SPL). It covers techniques like threshold-based detection, sequence analysis, and anomaly detection to identify sophisticated security threats (e.g., brute force, data exfiltration, lateral movement) in a Security Operations Center (SOC) environment. Mastery of SPL is essential for closing SIEM detection gaps and ensuring compliance.

This comprehensive guide outlines how to plan and execute a full-scope red team engagement. It simulates real-world Advanced Persistent Threat (APT) behavior, covering the entire cyber kill chain from initial reconnaissance (OSINT) through lateral movement, credential harvesting, and data exfiltration. It utilizes MITRE ATT&CK frameworks to rigorously test an organization's detection, prevention, and incident response capabilities.

This skill provides a comprehensive framework for detecting data exfiltration attempts that utilize DNS tunneling. It analyzes DNS logs for anomalies such as high Shannon entropy in subdomains, excessive query volume, abnormal query lengths, and misuse of TXT/CNAME records. It is ideal for SOC analysts and security engineers building advanced threat detection rules and performing threat hunting.