Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (Claude Code, Cursor, Codex, and others).
Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel
Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin
Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing
Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the
Detects and analyzes Bluetooth Low Energy (BLE) security attacks including sniffing, replay attacks, GATT enumeration
Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive
Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing
Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors,
This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection
Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools
Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible
Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system
Container escape is a critical attack technique where an adversary breaks out of container isolation to access
Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file
Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows
This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes
Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features
Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack
Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring
Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT
Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query
Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files
Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection,
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies,
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads,
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log,
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process
Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory
Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption
Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse
Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.
Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection
Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for
Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where