Skill UI

This skill provides a comprehensive workflow for detecting and analyzing malware persistence mechanisms on Windows systems. It automates the use of Sysinternals Autoruns via scripting to scan hundreds of Auto-Start Extensibility Points (ASEPs), including registry keys, services, scheduled tasks, and drivers. The process flags suspicious entries like unsigned binaries, suspicious paths, or dangerous command-line arguments, making it an essential tool for security incident response and threat hunting.

This skill outlines the comprehensive process of memory forensics on compromised Linux systems. It guides users through acquiring volatile memory using the LiME kernel module and analyzing the resulting image with the Volatility 3 framework. Key artifacts extracted include process lists, network connections, bash history, and loaded kernel modules, making it an essential technique for incident response, threat hunting, and security investigations.

A comprehensive tool for detecting and analyzing covert communication channels used by sophisticated malware. It focuses on identifying anomalies in network traffic, such as DNS tunneling, ICMP exfiltration, and steganographic HTTP abuse, which are used for Command and Control (C2) communication and data exfiltration. Ideal for security incident response, threat hunting, and building advanced network detection rules.

A comprehensive guide for deep packet inspection and network forensics using Wireshark and tshark. This skill is critical for incident response, where it allows users to capture, filter, and analyze network packet data to identify malicious command-and-control traffic, diagnose complex protocol issues, extract indicators of compromise (IOCs), and reconstruct data exfiltration paths. Use it for validating security rules and understanding network anomalies.

This tool provides comprehensive forensic analysis for Microsoft Outlook PST and OST files. It extracts critical evidence such as message content, detailed headers, attachments, and deleted items using open-source libraries like libpff and Python, supporting legal investigations and incident response.

A comprehensive skill for cybersecurity threat hunting and incident response. This tool systematically scans Linux systems to detect various persistence vectors used by adversaries, including suspicious crontab entries, unauthorized systemd units, LD_PRELOAD hijacking, profile modifications (.bashrc), and SSH key backdoors. It correlates findings with auditd logs to build a detailed timeline of compromise.

A specialized threat hunting skill designed to detect remnants of the PowerShell Empire post-exploitation framework. It analyzes Windows event logs (specifically Script Block and Module Logging) for key Indicators of Compromise (IOCs), such as default launcher strings, Base64 encoded payloads, known module signatures (e.g., Mimikatz), and staging URL patterns. The output provides a detailed JSON report, comprehensive timeline, and MITRE ATT&CK mapping for incident response and security validation.

A dedicated tool for forensic analysis of Windows PowerShell Script Block Logs (Event ID 4104) captured in EVTX files. It reconstructs multi-block scripts, applying advanced detection heuristics such as entropy analysis and pattern matching to identify obfuscated commands, encoded payloads (Base64), download cradles, and AMSI bypass attempts, crucial for threat hunting and incident response.

This skill guides users through parsing Windows Prefetch files (.pf) to establish a comprehensive program execution history. It extracts critical forensic data such as run counts, timestamps (up to 8 events), and referenced files. This is essential for incident response, malware investigation, and building a reliable timeline of activity on a compromised system.

This comprehensive skill analyzes Zeek conn.log and NetFlow data to proactively detect advanced indicators of ransomware activity. It identifies critical threats such as Command and Control (C2) beaconing patterns, connections to TOR exit nodes, large-scale data exfiltration flows, and suspicious DNS anomalies. It is essential for threat hunting and complex security incident response.

A comprehensive guide utilizing Splunk Enterprise Security and SPL to conduct deep forensic analysis of security incidents. This skill covers correlating disparate sources like Windows event logs, firewall records, proxy data, and Sysmon logs to detect TTPs, reconstruct timelines, and identify anomalies, making it essential for incident response and threat hunting.

This guide provides a comprehensive workflow for deep digital forensics examination of NTFS volumes. It covers recovering hidden data from file system slack space, analyzing MFT entries for deleted metadata, reconstructing file actions using the USN Journal, and detecting hidden content via Alternate Data Streams (ADS). Essential for incident response and evidence recovery.