Microsoft Defender

Microsoft Defender skills and workflows surfaced by the site skill importer.

6 skills
detecting-service-account-abuse

by mukul975

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

Threat Hunting
detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting
detecting-pass-the-hash-attacks

by mukul975

detecting-pass-the-hash-attacks is a skill for hunting NTLM-based lateral movement, suspicious Type 3 (network) logons, and T1550.002 (Pass the Hash) activity using Windows Security logs, Splunk, and KQL.

Threat Hunting
detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals such as unusual data access, off-hours activity, mass downloads, privilege abuse, and theft correlated with resignation. The guide supports threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling
detecting-fileless-attacks-on-endpoints

by mukul975

detecting-fileless-attacks-on-endpoints helps build detections for memory-only attacks on Windows endpoints, including PowerShell abuse, WMI persistence, reflective loading, and process injection. Use it for Security Audit, threat hunting, and detection engineering with Sysmon, AMSI, and PowerShell logging.

Security Audit
containing-active-breach

by mukul975

containing-active-breach is an incident-response skill for live breach containment. It helps isolate hosts, block suspicious traffic, disable compromised accounts, and slow lateral movement using a structured containing-active-breach guide with practical API and script references.

Incident Response