Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (such as Claude Code, Cursor, and Codex).
Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS