Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents such as Claude Code, Cursor and Codex.
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query
Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files
Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection,
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies,
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads,
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log,
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process
Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory
Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption
Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse
Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.
Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection
Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for
Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous
Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts,
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing,
Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious
Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and
Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access
Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event
Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified
Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs,
Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis,
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity
This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned
Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts,
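The DNS exfiltration entry above (Zeek dns.log, high-entropy subdomains, anomalous query volume) is the one most easily shown as working detection logic. The following is an added example written for this page, not code from any of the listed skills. It parses Zeek's TSV dns.log by its `#fields` header, scores the subdomain part of each query with Shannon entropy, and raises one alert per (source host, registered domain) once enough long, high-entropy queries accumulate. The log lines are constructed, `exfil.test` is a placeholder, the thresholds (`entropy_threshold`, `min_len`, `min_suspicious`) are assumptions to tune per environment, and the "registered domain is the last two labels" rule is a simplification that a real deployment should replace with a public-suffix list.

```python
"""Flag DNS exfiltration candidates in a Zeek dns.log: long, high-entropy subdomain
labels under one registered domain, repeated from one source host."""
import math
from collections import defaultdict

# Constructed sample in Zeek's TSV dns.log layout with a reduced #fields set.
# This is not a real capture; exfil.test is a placeholder domain.
SAMPLE_DNS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name
1700000000.1\tC1\t10.0.0.5\t51000\t10.0.0.2\t53\tudp\twww.example.com\tA\tNOERROR
1700000000.2\tC2\t10.0.0.5\t51001\t10.0.0.2\t53\tudp\tmail.example.com\tA\tNOERROR
1700000001.0\tC3\t10.0.0.7\t51002\t10.0.0.2\t53\tudp\t3q8f1c9x2b7z6vv4kkdp0mnh.exfil.test\tTXT\tNOERROR
1700000001.1\tC4\t10.0.0.7\t51003\t10.0.0.2\t53\tudp\tb7y2nq0ztg5wxl9hr3cs1mjf.exfil.test\tTXT\tNOERROR
1700000001.2\tC5\t10.0.0.7\t51004\t10.0.0.2\t53\tudp\tq1r6e8p2l0ka9wmz5tdh3vxc.exfil.test\tTXT\tNOERROR
1700000001.3\tC6\t10.0.0.7\t51005\t10.0.0.2\t53\tudp\tn4ju7fv1ybs9hx0te2gmo8rc.exfil.test\tTXT\tNOERROR
#close\t2023-11-14-22-13-21
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the #fields header so column order is not hard-coded."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no records
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def shannon_entropy(s):
    """Bits per character: ~0 for repetitive labels, above 4 for base32/hex-like payloads."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """Split a query into (subdomain, registered domain).
    Assumption: the registered domain is the last two labels; production code
    should consult a public-suffix list so that e.g. example.co.uk is handled."""
    labels = query.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", query
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_exfil(text, entropy_threshold=3.5, min_len=20, min_suspicious=3):
    """Return one alert per (source host, registered domain) whose count of long,
    high-entropy queries reaches min_suspicious. All thresholds are assumed defaults."""
    groups = defaultdict(lambda: {"total": 0, "suspicious": 0, "qtypes": set(), "example": None})
    for rec in parse_zeek_tsv(text):
        query = rec.get("query", "-")
        if query == "-":
            continue  # Zeek writes '-' for unset fields
        sub, dom = split_query(query)
        payload = sub.replace(".", "")  # encoded data lives in the leftmost label(s)
        g = groups[(rec["id.orig_h"], dom)]
        g["total"] += 1
        g["qtypes"].add(rec.get("qtype_name", "-"))
        if len(payload) >= min_len and shannon_entropy(payload) >= entropy_threshold:
            g["suspicious"] += 1
            g["example"] = g["example"] or query
    alerts = []
    for (src, dom), g in groups.items():
        if g["suspicious"] >= min_suspicious:
            alerts.append({"src": src, "domain": dom, "total": g["total"],
                           "suspicious": g["suspicious"], "qtypes": sorted(g["qtypes"]),
                           "example": g["example"]})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_exfil(SAMPLE_DNS_LOG):
        print(f"{a['src']} -> {a['domain']}: {a['suspicious']}/{a['total']} high-entropy "
              f"queries, qtypes={a['qtypes']}, e.g. {a['example']}")
```

On the sample, the two ordinary lookups of example.com score zero or near zero entropy and never reach `min_len`, while the four TXT queries from 10.0.0.7 each carry a 24-character label with entropy above 4.4 bits, so exactly one alert is raised. Pair the entropy score with the query type (TXT and NULL are favoured by tunnelling tools) and with per-domain volume over a sliding window rather than the whole file before treating a hit as actionable.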