Incident Response

exploiting-kerberoasting-with-impacket helps authorized testers plan Kerberoasting with Impacket GetUserSPNs.py, from SPN enumeration to TGS ticket extraction, offline cracking, and detection-aware reporting. Use this exploiting-kerberoasting-with-impacket guide for penetration testing workflows with clear install and usage context.

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

detecting-rdp-brute-force-attacks helps analyze Windows Security Event Logs for RDP brute force patterns, including repeated 4625 failures, 4624 success after failures, NLA-related logons, and source-IP concentration. Use it for Security Audit, threat hunting, and repeatable EVTX-based investigations.

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

analyzing-browser-forensics-with-hindsight helps Digital Forensics teams analyze Chromium browser artifacts with Hindsight, including history, downloads, cookies, autofill, bookmarks, saved credentials metadata, cache, and extensions. Use it to reconstruct web activity, review timelines, and investigate Chrome, Edge, Brave, and Opera profiles.

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

The detecting-network-anomalies-with-zeek skill helps deploy Zeek for passive network monitoring, review structured logs, and build custom detections for beaconing, DNS tunneling, and unusual protocol activity. It is suited for threat hunting, incident response, SIEM-ready network metadata, and Security Audit workflows—not inline prevention.

detecting-modbus-command-injection-attacks helps security analysts spot suspicious Modbus TCP/RTU write activity, anomalous function codes, malformed frames, and baseline deviations in ICS and SCADA environments. Use it for incident triage, OT monitoring, and a Security Audit when you need Modbus-aware detection guidance, not a generic anomaly prompt.

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

detecting-azure-lateral-movement helps security analysts hunt lateral movement in Azure AD/Entra ID and Microsoft Sentinel using Microsoft Graph audit logs, sign-in telemetry, and KQL correlation. Use it for incident triage, detection engineering, and security audit workflows covering consent abuse, service principal misuse, token theft, and cross-tenant pivoting.

configuring-host-based-intrusion-detection guide for setting up HIDS with Wazuh, OSSEC, or AIDE to monitor file integrity, system changes, and compliance-focused endpoint security for Security Audit workflows.

hunting-advanced-persistent-threats is a threat-hunting skill for detecting APT-style activity across endpoint, network, and memory telemetry. It helps analysts build hypothesis-driven hunts, map findings to MITRE ATT&CK, and turn threat intel into practical queries and investigation steps instead of ad hoc searches.

extracting-windows-event-logs-artifacts helps you extract, parse, and analyze Windows Event Logs (EVTX) for digital forensics, incident response, and threat hunting. It supports structured review of logons, process creation, service installs, scheduled tasks, privilege changes, and log clearing with Chainsaw, Hayabusa, and EvtxECmd.

extracting-memory-artifacts-with-rekall guide for analyzing Windows memory images with Rekall. Learn install and usage patterns to find hidden processes, injected code, suspicious VADs, loaded DLLs, and network activity for Digital Forensics.

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

extracting-browser-history-artifacts is a Digital Forensics skill for extracting browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge. Use it to turn browser profile files into timeline-ready evidence with repeatable, case-focused workflow guidance.

executing-red-team-exercise is a cybersecurity skill for planning and tracking realistic red team exercises. It supports adversary emulation across reconnaissance, technique selection, execution, and detection-gap review, making it useful for Security Audit work and ATT&CK-aligned assessments.

eradicating-malware-from-infected-systems is a cybersecurity incident response skill for removing malware, backdoors, and persistence mechanisms after containment. It includes workflow guidance, reference files, and scripts for Windows and Linux cleanup, credential rotation, root-cause remediation, and validation.

The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.

detecting-supply-chain-attacks-in-ci-cd skill for auditing GitHub Actions and CI/CD configs. It helps find unpinned actions, script injection, dependency confusion, secret exposure, and risky permissions for Security Audit workflows. Use it to review a repo, workflow file, or suspicious pipeline change with clear findings and fixes.

The detecting-stuxnet-style-attacks skill helps defenders detect Stuxnet-like OT and ICS intrusion patterns, including PLC logic tampering, spoofed sensor data, engineering workstation compromise, and IT-to-OT lateral movement. Use it for threat hunting, incident triage, and process-integrity monitoring with protocol, host, and process evidence.

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.