by mukul975
building-ioc-defanging-and-sharing-pipeline skill for extracting IOCs, defanging URLs, IPs, domains, emails, and hashes, then converting and sharing them as STIX 2.1 via TAXII or MISP for security audit and threat intel workflows.
by mukul975
building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.
by mukul975
The detecting-mobile-malware-behavior skill analyzes suspicious Android and iOS apps for permission abuse, runtime activity, network indicators, and malware-like patterns. Use it for triage, incident response, and Security Audit workflows that need evidence-backed mobile analysis.
by mukul975
The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.
by mukul975
detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and Security Audit workflows.
by mukul975
analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.
by mukul975
analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.
by mukul975
analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.
by mukul975
analyzing-ransomware-leak-site-intelligence helps monitor ransomware data leak sites, extract victim and group signals, and produce structured threat intelligence for incident response, sector risk review, and adversary tracking.
by mukul975
analyzing-cloud-storage-access-patterns helps security teams detect suspicious cloud storage access in AWS S3, GCS, and Azure Blob Storage. It analyzes audit logs for bulk downloads, new source IPs, unusual API calls, bucket enumeration, after-hours access, and possible exfiltration using baseline and anomaly checks.
by mukul975
hunting-advanced-persistent-threats is a threat-hunting skill for detecting APT-style activity across endpoint, network, and memory telemetry. It helps analysts build hypothesis-driven hunts, map findings to MITRE ATT&CK, and turn threat intel into practical queries and investigation steps instead of ad hoc searches.
by mukul975
The generating-threat-intelligence-reports skill turns analyzed cyber data into strategic, operational, tactical, or flash threat intelligence reports for executives, SOC teams, IR leads, and analysts. It supports finished intelligence, confidence language, TLP handling, and clear recommendations for Report Writing.
by mukul975
extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.
by mukul975
evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this guide for procurement, migration, or maturity planning, and for Threat Modeling when platform choice affects traceability and evidence sharing.
by mukul975
detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.
by mukul975
detecting-living-off-the-land-attacks skill for Security Audit, threat hunting, and incident response. Detect abuse of legitimate Windows binaries like certutil, mshta, rundll32, and regsvr32 using process creation, command-line, and parent-child telemetry. The guide focuses on actionable LOLBin detection patterns, not broad Windows hardening.
by mukul975
The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it in SIEM, EDR, EVTX, and Threat Modeling workflows with practical detection templates and tuning guidance.
by mukul975
detecting-insider-threat-with-ueba helps you build UEBA detections in Elasticsearch or OpenSearch for insider threat cases, including behavioral baselines, anomaly scoring, peer group analysis, and correlated alerts for data exfiltration, privilege abuse, and unauthorized access. It fits Incident Response workflows.
by mukul975
detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.
by mukul975
detecting-email-account-compromise helps incident responders and SOC analysts investigate Microsoft 365 and Google Workspace mailbox takeover by checking suspicious sign-ins, inbox rule abuse, external forwarding, OAuth grants, and Graph/audit-log activity. Use it as a practical detecting-email-account-compromise guide for fast triage.
by mukul975
detecting-dll-sideloading-attacks helps Security Audit, threat hunting, and incident response teams detect DLL side-loading with Sysmon, EDR, MDE, and Splunk. This detecting-dll-sideloading-attacks guide includes workflow notes, hunt templates, standards mapping, and scripts to turn suspicious DLL loads into repeatable detections.
by mukul975
The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.
by mukul975
detecting-command-and-control-over-dns is a cybersecurity skill for spotting C2 over DNS, including tunneling, beaconing, DGA domains, and TXT/CNAME abuse. It supports SOC analysts, threat hunters, and security audits with entropy checks, passive DNS correlation, and Zeek or Suricata-style detection workflows.
by mukul975
Detect business email compromise with AI using NLP, stylometry, behavioral signals, and relationship context. This detecting-business-email-compromise-with-ai skill helps SOC, fraud, and Security Audit teams score suspicious emails, explain risk signals, and decide whether to quarantine, warn, or escalate.