GitHub
Skills harvested from GitHub repositories
14810 skills available
detecting-mimikatz-execution-patterns
When proactively hunting for indicators of detecting mimikatz execution patterns in the environment After threat intelli...
detecting-malicious-scheduled-tasks-with-sysmon
Adversaries abuse Windows Task Scheduler (schtasks.exe, at.exe) for persistence (T1053.005) and lateral movement. Sysmon...
detecting-living-off-the-land-with-lolbas
Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to exe...
detecting-living-off-the-land-attacks
Monitor for suspicious use of legitimate Windows binaries (LOLBins) including certutil, mshta, rundll32, regsvr32, and o...
detecting-lateral-movement-with-zeek
Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote servi...
detecting-lateral-movement-with-splunk
When hunting for adversary movement between compromised systems After detecting credential theft to trace subsequent lat...
detecting-lateral-movement-in-network
Monitoring enterprise networks for post-compromise lateral movement patterns (pass-the-hash, RDP hopping, PSExec) Buildi...
detecting-insider-data-exfiltration-via-dlp
When investigating security incidents that require detecting insider data exfiltration via dlp When building detection r...
detecting-golden-ticket-forgery
A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtg...
detecting-fileless-malware-techniques
EDR alerts indicate suspicious behavior from trusted system binaries (PowerShell, mshta, wmic, regsvr32) Investigating a...
detecting-fileless-attacks-on-endpoints
Use this skill when: Building detection rules for fileless malware that operates entirely in memory Hunting for PowerShe...
detecting-exfiltration-over-dns-with-zeek
DNS tunneling and exfiltration is a technique used by attackers to bypass firewalls and DLP controls by encoding stolen ...
detecting-evasion-techniques-in-endpoint-logs
Use this skill when: Hunting for adversary defense evasion techniques (MITRE ATT&CK TA0005) in endpoint telemetry Buildi...
detecting-email-forwarding-rules-attack
When proactively hunting for indicators of detecting email forwarding rules attack in the environment After threat intel...
detecting-dll-sideloading-attacks
When investigating potential DLL hijacking in enterprise environments After EDR alerts on unsigned DLLs loaded by signed...
detecting-dcsync-attack-in-active-directory
When hunting for credential theft in Active Directory environments After compromise of accounts with Replicating Directo...
detecting-container-escape-with-falco-rules
Falco is a CNCF-graduated runtime security tool that monitors Linux syscalls to detect anomalous container behavior. It ...
detecting-container-drift-at-runtime
Container drift occurs when running containers deviate from their original image state through unauthorized file modific...
detecting-compromised-cloud-credentials
When investigating alerts about unusual cloud API activity from unfamiliar locations When building detection rules for c...
detecting-command-and-control-over-dns
Investigating suspected DNS tunneling used for C2 communication or data exfiltration Analyzing DNS query logs for signs ...
detecting-business-email-compromise
Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trus...
detecting-business-email-compromise-with-ai
AI-powered BEC detection uses machine learning, NLP, and behavioral analytics to identify sophisticated impersonation at...
detecting-beaconing-patterns-with-zeek
When investigating security incidents that require detecting beaconing patterns with zeek When building detection rules ...
detecting-azure-lateral-movement
Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application c...