Skill UI

A comprehensive guide and set of detection rules for identifying OS credential dumping techniques (MITRE T1003). It leverages EDR telemetry, Sysmon process access monitoring, and Windows security event correlation to detect attacks targeting LSASS memory, SAM databases, and NTDS.dit files. Essential for proactive threat hunting and incident response.

This guide details how to detect WMI event subscription persistence, a common attacker technique (T1546.003). It focuses on analyzing suspicious Sysmon Event IDs 19, 20, and 21 to identify malicious EventFilters, EventConsumers, and Bindings. Essential for incident response and threat hunting in Windows environments.

A comprehensive guide and workflow for the post-containment phase of incident response. This process details systematic methods for mapping all persistence mechanisms, identifying malware artifacts, removing threats, resetting compromised credentials, and patching initial access vulnerabilities to ensure complete system eradication.

This utility performs comprehensive forensic analysis on memory dumps. It leverages industry-standard tools like Volatility and Mimikatz to extract sensitive information, including cached credentials, NTLM/LM hashes, Kerberos tickets, and authentication tokens. It is crucial for incident response, assessing the scope of credential compromise, and investigating lateral movement attacks.

This tool leverages the Rekall memory forensics framework to conduct deep analysis of memory dumps. It is designed to detect sophisticated threats such as process hollowing, injected code via VAD anomalies, hidden operating system processes, and rootkit presence. It applies key forensic plugins (pslist, malfind, vadinfo) essential for rigorous incident response and malware analysis.

A comprehensive workflow for extracting, parsing, and analyzing Windows Event Logs (EVTX). It guides security professionals in using advanced tools like Chainsaw and Hayabusa, combined with Sigma rules, to detect critical security incidents such as lateral movement, privilege escalation, and persistence mechanisms during incident response and digital forensic investigations.

A comprehensive tool for security analysts to hunt for malicious PowerShell activity. It analyzes Windows Event Log (EVTX) files by parsing Script Block Logging (Event 4104), Module Logging (4103), and process creation events. Detects obfuscated commands, AMSI bypass attempts, encoded payloads, and credential dumping techniques crucial for incident response and threat hunting.

This skill provides a systematic methodology for detecting Command and Control (C2) beaconing patterns in network traffic. It utilizes advanced statistical techniques, including Coefficient of Variation (CV) and jitter analysis, applied to network flow logs (Zeek, proxy, firewall). It is crucial for proactive threat hunting and incident response to identify compromised endpoints communicating periodically with malicious infrastructure.

This capability provides advanced threat hunting by analyzing network telemetry (DNS, proxy, connection logs) to detect Command and Control (C2) beaconing patterns. It uses statistical analysis, frequency detection, and jitter analysis to identify compromised endpoints communicating with adversary infrastructure, crucial for proactive threat detection and incident response.

This skill provides advanced threat hunting techniques to detect unauthorized data exfiltration. It guides the analysis of network traffic, DNS queries, and cloud uploads to identify unusual data flows, DNS tunneling, and abuse of encrypted channels, essential for incident response and preventing data loss.

This guide details how to hunt for DCSync attacks, a technique used to steal password hashes from Active Directory. It involves analyzing Windows Event ID 4662 to identify unauthorized DS-Replication-Get-Changes requests originating from non-domain-controller accounts. Essential for incident response and threat detection.

This skill detects WMI-based lateral movement by analyzing key Windows Security Event ID 4688 and Sysmon Event ID 1 logs. It focuses on identifying suspicious process execution patterns, such as WmiPrvSE.exe spawning unauthorized child processes (cmd.exe, powershell.exe), suspicious command lines, and WMI event subscriptions used for persistence. Ideal for security incident response and threat detection.