Cybersecurity

Cybersecurity taxonomy generated by the site skill importer.

40 skills
detecting-shadow-it-cloud-usage

by mukul975

detecting-shadow-it-cloud-usage helps identify unauthorized SaaS and cloud usage from proxy logs, DNS queries, and netflow. It classifies domains, compares them against approved lists, and supports security audit workflows with structured evidence.

Security Audit
detecting-network-anomalies-with-zeek

by mukul975

The detecting-network-anomalies-with-zeek skill helps deploy Zeek for passive network monitoring, review structured logs, and build custom detections for beaconing, DNS tunneling, and unusual protocol activity. It is suited for threat hunting, incident response, SIEM-ready network metadata, and Security Audit workflows; it is not an inline prevention tool.

Security Audit
detecting-beaconing-patterns-with-zeek

by mukul975

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and Security Audit workflows.

Security Audit
building-patch-tuesday-response-process

by mukul975

building-patch-tuesday-response-process helps teams build a repeatable Microsoft Patch Tuesday process to triage advisories, rank risk, test patches, approve rollout, and track compliance. Useful for security operations, vulnerability management, and Project Management.

Project Management
analyzing-supply-chain-malware-artifacts

by mukul975

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

Malware Analysis
generating-threat-intelligence-reports

by mukul975

The generating-threat-intelligence-reports skill turns analyzed cyber data into strategic, operational, tactical, or flash threat intelligence reports for executives, SOC teams, IR leads, and analysts. It supports finished intelligence, confidence language, TLP handling, and clear recommendations for Report Writing.

Report Writing
evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this guide for procurement, migration, or maturity planning, including Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling
detecting-living-off-the-land-with-lolbas

by mukul975

detecting-living-off-the-land-with-lolbas helps detect LOLBAS abuse with Sysmon and Windows Event Logs, using process telemetry, parent-child context, Sigma rules, and a practical guide for triage, hunting, and rule drafting. It supports Threat Modeling and analyst workflows covering certutil, regsvr32, mshta, and rundll32.

Threat Modeling
detecting-living-off-the-land-attacks

by mukul975

detecting-living-off-the-land-attacks is a skill for Security Audit, threat hunting, and incident response. It detects abuse of legitimate Windows binaries like certutil, mshta, rundll32, and regsvr32 using process creation, command-line, and parent-child telemetry. The guide focuses on actionable LOLBin detection patterns, not broad Windows hardening.

Security Audit
detecting-lateral-movement-in-network

by mukul975

detecting-lateral-movement-in-network helps detect post-compromise lateral movement in enterprise networks using Windows event logs, Zeek telemetry, SMB, RDP, and SIEM correlation. It is useful for threat hunting, incident response, and Security Audit reviews, with practical detection workflows.

Security Audit
detecting-golden-ticket-forgery

by mukul975

detecting-golden-ticket-forgery detects Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769, RC4 downgrade use (0x17), abnormal ticket lifetimes, and krbtgt anomalies in Splunk and Elastic. Built for Security Audit, incident investigation, and threat hunting with practical detection guidance.

Security Audit
detecting-dll-sideloading-attacks

by mukul975

detecting-dll-sideloading-attacks helps Security Audit, threat hunting, and incident response teams detect DLL side-loading with Sysmon, EDR, MDE, and Splunk. The guide includes workflow notes, hunt templates, standards mapping, and scripts to turn suspicious DLL loads into repeatable detections.

Security Audit
detecting-deepfake-audio-in-vishing-attacks

by mukul975

detecting-deepfake-audio-in-vishing-attacks helps security teams analyze audio for AI-generated speech in vishing, fraud, and impersonation cases. It extracts spectral and MFCC-based features, scores suspicious samples, and produces a forensic-style report for review. Ideal for Security Audit and incident response workflows.

Security Audit
detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit
detecting-attacks-on-historian-servers

by mukul975

detecting-attacks-on-historian-servers helps detect suspicious activity on OT historian servers like OSIsoft PI, Ignition, and Wonderware at the IT/OT boundary. Use this guide for Incident Response triage of unauthorized queries, data manipulation, API abuse, and lateral movement.

Incident Response
detecting-api-enumeration-attacks

by mukul975

detecting-api-enumeration-attacks helps Security Audit teams detect API probing, BOLA, and IDOR by analyzing sequential IDs, 404 bursts, authorization failures, and docs discovery paths. It is built for log-driven detection guidance, rule drafting, and practical review of API abuse patterns.

Security Audit
correlating-threat-campaigns

by mukul975

correlating-threat-campaigns helps Threat Intelligence analysts correlate incidents, IOCs, and TTPs into campaign-level evidence. Use it to compare historical events, separate strong links from weak matches, and build defensible clustering for MISP, SIEM, and CTI reporting.

Threat Intelligence
configuring-pfsense-firewall-rules

by mukul975

The configuring-pfsense-firewall-rules skill helps you design pfSense rules for segmentation, NAT, VPN access, and traffic shaping. Use it to create or audit firewall policy for LAN, DMZ, guest, and IoT zones, with practical guidance for install, usage, and Security Audit workflows.

Security Audit
configuring-ldap-security-hardening

by mukul975

configuring-ldap-security-hardening helps security engineers and auditors assess LDAP risks, including anonymous bind, weak signing, missing LDAPS, and channel binding gaps. Use this guide to review the reference docs, run the Python audit helper, and produce practical remediation for a Security Audit.

Security Audit
conducting-pass-the-ticket-attack

by mukul975

conducting-pass-the-ticket-attack is a Security Audit and red-team skill for planning and documenting Pass-the-Ticket workflows. It helps you review Kerberos tickets, map detection signals, and produce a structured validation or report flow.

Security Audit
conducting-memory-forensics-with-volatility

by mukul975

conducting-memory-forensics-with-volatility helps you analyze RAM dumps with Volatility 3 to find injected code, suspicious processes, network connections, credential theft, and hidden kernel activity. It is a practical skill for Digital Forensics and incident response triage.

Digital Forensics
conducting-external-reconnaissance-with-osint

by mukul975

conducting-external-reconnaissance-with-osint is a skill for passive external footprinting, attack surface mapping, and Security Audit prep using public sources like DNS, crt.sh, Shodan, GitHub, and leak data. Built for authorized reconnaissance with clear scope control, source separation, and practical findings.

Security Audit
conducting-domain-persistence-with-dcsync

by mukul975

conducting-domain-persistence-with-dcsync is a guide for authorized Active Directory security audit work. It covers install, usage, and workflow notes for assessing DCSync rights, KRBTGT exposure, Golden Ticket risk, and remediation steps using the included scripts, references, and report template.

Security Audit
conducting-api-security-testing

by mukul975

conducting-api-security-testing helps authorized testers assess REST, GraphQL, and gRPC APIs for auth, authorization, rate limiting, input validation, and business-logic flaws using an OWASP API Security Top 10 workflow. Use it for structured, evidence-based API security testing and security audit reviews.

Security Audit