Search Skills
Search across 54932 indexed skills
detecting-lateral-movement-with-splunk
When hunting for adversary movement between compromised systems; after detecting credential theft, to trace subsequent lateral activity; when investigati...
detecting-lateral-movement-with-zeek
Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote service creation, NTLM account spra...
detecting-living-off-the-land-attacks
Monitor for suspicious use of legitimate Windows binaries (LOLBins) including certutil, mshta, rundll32, regsvr32, and others used in fileless and liv...
detecting-living-off-the-land-with-lolbas
Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while e...
exploiting-type-juggling-vulnerabilities
When testing PHP web applications for authentication bypass vulnerabilities; during assessment of password comparison and hash verification logic; when ...
exploiting-websocket-vulnerabilities
During authorized penetration tests when the application uses WebSocket connections for real-time features; when assessing chat applications, live noti...
hardening-docker-daemon-configuration
The Docker daemon (dockerd) runs with root privileges and controls all container operations. Hardening its configuration through /etc/docker/daemon.js...
hunting-advanced-persistent-threats
Use this skill when: conducting proactive threat hunting sprints (typically 2–4 week cycles) based on newly published APT intelligence; a UEBA alert or...
hunting-for-anomalous-powershell-execution
PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text executed on a Windows endpoint, making it the primary data s...
hunting-for-beaconing-with-frequency-analysis
When proactively searching for compromised endpoints calling back to C2 infrastructure; after threat intelligence reports indicate active C2 frameworks...
detecting-network-scanning-with-ids-signatures
Network scanning is typically the first phase of an attack, where adversaries enumerate live hosts, open ports, running services, and OS versions usin...
executing-active-directory-attack-simulation
Assessing the security of an Active Directory domain and forest against common and advanced attack techniques; identifying attack paths from low-privil...