detecting-port-scanning-with-fail2ban
Automatically blocking IP addresses that perform port scans against internet-facing servers Defending SSH, HTTP, FTP, and other services against brute...
detecting-rootkit-activity
System shows signs of compromise but standard tools (Task Manager, netstat) show nothing abnormal Antivirus/EDR detects rootkit signatures but cannot ...
detecting-s3-data-exfiltration-attempts
When GuardDuty detects anomalous S3 access patterns such as bulk downloads from unusual IPs When investigating suspected data breach involving S3-stor...
detecting-spearphishing-with-email-gateway
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) l...
detecting-t1003-credential-dumping-with-edr
When hunting for credential theft activity in the environment After compromise indicators suggest attacker has elevated privileges When EDR alerts fir...
detecting-t1548-abuse-elevation-control-mechanism
When hunting for privilege escalation via UAC bypass in Windows environments After threat intelligence indicates use of UAC bypass exploits by active ...
hunting-for-lolbins-execution-in-endpoint-logs
When hunting for fileless attack techniques that abuse built-in Windows binaries After threat intelligence indicates LOLBin-based campaigns targeting ...
hunting-for-persistence-mechanisms-in-windows
During periodic proactive threat hunts for dormant backdoors After an incident to identify all persistence mechanisms an attacker planted When investi...
hunting-for-registry-run-key-persistence
Registry Run keys (T1547.001) are one of the most commonly used persistence mechanisms by adversaries. When a program is added to a Run key in the Win...
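The Run key entry above describes the hunt but not the detection logic. The following is an added example, not code from the skill or the original page: it scores Sysmon Event ID 13 (RegistryEvent: Value Set) records that write under a Run or RunOnce key, weighting the classic red flags (value pointing into a user-writable directory, a script host or LOLBin as the launched binary, an encoded PowerShell command, and a writing process that itself runs from a user-writable path). The sample events, the hostnames, SIDs and file paths are constructed for illustration; the scoring weights and the `hunt_run_key_persistence` helper are assumptions of this example, not part of T1547.001 or Sysmon.

```python
import re

# Constructed Sysmon Event ID 13 records (not real telemetry). Field names
# follow the Sysmon schema: Image, TargetObject, Details.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},  # benign-looking
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},  # user-writable payload
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\init",
     "Details": "powershell.exe -w hidden -enc SQBFAFgA"},  # encoded PowerShell
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},  # not a Run key at all
]

# Matches ...\CurrentVersion\Run\, \RunOnce\ and the \RunEx / \RunOnceEx variants.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(Ex)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Script hosts and LOLBins commonly used as the Run key target instead of a real program.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand: base64-encoded PowerShell payload.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def score_run_key_write(event):
    """Return (is_run_key_write, score, reasons) for one Sysmon EID 13 record.

    Weights are an assumption of this example; tune them to your environment.
    """
    target = event.get("TargetObject", "")
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(target):
        return False, 0, []
    details = event.get("Details", "")
    reasons, score = [], 0
    if USER_WRITABLE_RE.search(details):
        score += 2
        reasons.append("value points into a user-writable directory")
    if SCRIPT_HOST_RE.search(details):
        score += 2
        reasons.append("value launches a script host / LOLBin")
    if ENCODED_RE.search(details):
        score += 3
        reasons.append("encoded PowerShell command")
    if USER_WRITABLE_RE.search(event.get("Image", "")):
        score += 1
        reasons.append("writing process runs from a user-writable path")
    return True, score, reasons


def hunt_run_key_persistence(events, min_score=2):
    """Return Run/RunOnce writes scoring at least min_score, highest score first."""
    findings = []
    for ev in events:
        is_run, score, reasons = score_run_key_write(ev)
        if is_run and score >= min_score:
            findings.append({"target": ev["TargetObject"], "details": ev["Details"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt_run_key_persistence(SAMPLE_EVENTS):
        print(f"[{f['score']}] {f['target']} -> {f['details']}: {', '.join(f['reasons'])}")
```

Low-scoring writes (the SecurityHealth example) are still Run key changes and belong in a baseline of known-good autoruns; the score only orders the hunt queue. A practitioner would also cover the Winlogon, Explorer\Shell Folders and Services keys, which this block deliberately leaves out of RUN_KEY_RE to stay focused on T1547.001.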
hunting-for-spearphishing-indicators
When proactively hunting for spearphishing indicators in the environment After threat intelligence indicates active campaign...
hunting-for-t1098-account-manipulation
MITRE ATT&CK T1098 (Account Manipulation) covers adversary actions to maintain or expand access to compromised accounts, including adding credentials,...
detecting-lateral-movement-in-network
Monitoring enterprise networks for post-compromise lateral movement patterns (pass-the-hash, RDP hopping, PSExec) Building SIEM detection rules and al...
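The lateral-movement entry above lists pass-the-hash, RDP hopping and PsExec as the patterns to detect. As an added example that is not the skill's or the page's own code, the block below runs two of those detections over constructed Windows Security events: a pass-the-hash heuristic on 4624 records (network logon, NTLM via NtLmSsp, KeyLength 0, non-machine account) combined with a fan-out rule that fires when one account from one source IP reaches several distinct hosts inside a short window, and a PsExec rule on 7045 service-install records naming PSEXESVC. The hostnames, IPs, account names, timestamps, the 10-minute window and the 3-host threshold are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (field names as in the 4624 / 7045 XML);
# not real telemetry. An NTLM fan-out from 10.0.5.23 followed by a PsExec
# service install, plus one benign Kerberos logon for contrast.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "Computer": "FS01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T09:00:48", "Computer": "WS07", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T09:01:12", "Computer": "DC01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T09:01:33", "Computer": "FS02", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2024-05-01T09:01:40", "Computer": "FS02", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "AccountName": "svc_backup"},
    {"ts": "2024-05-01T09:02:10", "Computer": "FS01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "alice", "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 256, "IpAddress": "10.0.7.44"},
]


def is_pth_candidate(ev):
    """Pass-the-hash heuristic on the target host's 4624: NTLM network logon with
    KeyLength 0 by a real (non-machine, non-anonymous) account. Legitimate NTLM
    (e.g. connections by IP address) also matches, so corroborate with fan-out."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0
            and ev.get("TargetUserName", "").upper() != "ANONYMOUS LOGON"
            and not ev.get("TargetUserName", "").endswith("$"))


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one (account, source IP) pair reaches min_hosts distinct
    computers via NTLM network logons inside a sliding time window."""
    by_key = defaultdict(list)
    for ev in events:
        if is_pth_candidate(ev):
            by_key[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["Computer"]))
    alerts = []
    for (user, ip), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # window anchored at each logon
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "source": ip,
                               "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one alert per pair is enough for the analyst queue
    return alerts


def detect_psexec_services(events):
    """7045 service installs whose name or binary is PSEXESVC (default PsExec
    service; renamed services need a path/hash rule instead)."""
    return [ev for ev in events if ev.get("EventID") == 7045 and (
        "PSEXESVC" in ev.get("ServiceName", "").upper()
        or "PSEXESVC" in ev.get("ImagePath", "").upper())]


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"NTLM fan-out: {a['user']} from {a['source']} -> {a['hosts']} starting {a['start']}")
    for s in detect_psexec_services(SAMPLE_EVENTS):
        print(f"PsExec service install on {s['Computer']} by {s['AccountName']}")
```

The two detections are meant to be joined in the SIEM: a fan-out alert on an account, followed within minutes by a 7045 on one of the reached hosts, is far stronger evidence than either signal alone, and the join also suppresses the routine NTLM noise from backup and monitoring accounts that the first rule produces on its own.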