Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (such as Claude Code, Cursor, and Codex).
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation
Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud
Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests
Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse,
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse
Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation,
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies,
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event
Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine
Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows,
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source
Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control
Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining
Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized
Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible
Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound
Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create
This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection
Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral
Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies,
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware,
Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings,
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon
Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end
Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting