Threat Hunting

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and detecting-beaconing-patterns-with-zeek for Security Audit workflows.

detecting-azure-lateral-movement helps security analysts hunt lateral movement in Azure AD/Entra ID and Microsoft Sentinel using Microsoft Graph audit logs, sign-in telemetry, and KQL correlation. Use it for incident triage, detection engineering, and security audit workflows covering consent abuse, service principal misuse, token theft, and cross-tenant pivoting.

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. This analyzing-security-logs-with-splunk skill is a practical guide for Security Audit, incident response, and threat hunting.

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

detecting-living-off-the-land-with-lolbas helps detect LOLBAS abuse with Sysmon and Windows Event Logs, using process telemetry, parent-child context, Sigma rules, and a practical guide for triage, hunting, and rule drafting. It supports detecting-living-off-the-land-with-lolbas for Threat Modeling and analyst workflows with certutil, regsvr32, mshta, and rundll32.

The detecting-kerberoasting-attacks skill helps hunt Kerberoasting by spotting suspicious Kerberos TGS requests, weak ticket encryption, and service-account patterns. Use it for SIEM, EDR, EVTX, and detecting-kerberoasting-attacks for Threat Modeling workflows with practical detection templates and tuning guidance.

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

The detecting-fileless-malware-techniques skill supports Malware Analysis workflows for investigating fileless malware that runs in memory through PowerShell, WMI, .NET reflection, registry-resident payloads, and LOLBins. Use it to move from suspicious alerts to evidence-backed triage, detection ideas, and next-step hunting.

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

detecting-dll-sideloading-attacks helps Security Audit, threat hunting, and incident response teams detect DLL side-loading with Sysmon, EDR, MDE, and Splunk. This detecting-dll-sideloading-attacks guide includes workflow notes, hunt templates, standards mapping, and scripts to turn suspicious DLL loads into repeatable detections.

detecting-attacks-on-historian-servers helps detect suspicious activity on OT historian servers like OSIsoft PI, Ignition, and Wonderware at the IT/OT boundary. Use this detecting-attacks-on-historian-servers guide for Incident Response, unauthorized queries, data manipulation, API abuse, and lateral-movement triage.

detecting-anomalous-authentication-patterns helps analyze authentication logs for impossible travel, brute force, password spraying, credential stuffing, and compromised-account activity. Built for Security Audit, SOC, IAM, and incident response workflows with baseline-aware detection and evidence-backed sign-in analysis.

deploying-osquery-for-endpoint-monitoring guide for deploying and configuring osquery for endpoint visibility, fleet-wide monitoring, and SQL-driven threat hunting. Use it to plan installation, read the workflow and API references, and operationalize scheduled queries, log collection, and centralized review across Windows, macOS, and Linux endpoints.

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

containing-active-breach is an incident-response skill for live breach containment. It helps isolate hosts, block suspicious traffic, disable compromised accounts, and slow lateral movement using a structured containing-active-breach guide with practical API and script references.

building-threat-hunt-hypothesis-framework helps you build testable threat hunt hypotheses from threat intelligence, ATT&CK mapping, and telemetry. Use this building-threat-hunt-hypothesis-framework skill to plan hunts, map data sources, run queries, and document findings for threat hunting and building-threat-hunt-hypothesis-framework for Threat Modeling.

The analyzing-threat-actor-ttps-with-mitre-attack skill helps map threat reports to MITRE ATT&CK tactics, techniques, and sub-techniques, build coverage views, and prioritize detection gaps. It includes a reporting template, ATT&CK references, and scripts for technique lookup and gap analysis, making it useful for CTI, SOC, detection engineering, and threat modeling.

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

analyzing-powershell-script-block-logging skill for parsing Windows PowerShell Script Block Logging Event ID 4104 from EVTX files, reconstructing split script blocks, and flagging obfuscated commands, encoded payloads, Invoke-Expression abuse, download cradles, and AMSI bypass attempts for Security Audit work.

The analyzing-persistence-mechanisms-in-linux skill helps investigate Linux persistence after compromise, including crontab jobs, systemd units, LD_PRELOAD abuse, shell profile changes, and SSH authorized_keys backdoors. It is designed for incident response, threat hunting, and security audit workflows with auditd and file-integrity checks.