Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (Claude Code, Cursor, Codex, etc.).
Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts,
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing,
Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious
Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and
Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access
Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event
Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified
Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs,
Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis,
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity
This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned
Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts,
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter,
Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring
Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational requirements including
Executes authorized attack simulations against Active Directory environments to identify misconfigurations,
Executes authorized phishing simulation campaigns to assess an organization's susceptibility to email-based
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE),
Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's
Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates
BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and
Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP
Analyzes and simulates BGP hijacking scenarios in authorized lab environments to assess route origin validation,
Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative
Discover and exploit broken link hijacking vulnerabilities by identifying references to expired domains, decommissioned
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users
Tests and exploits deep link (URL scheme and App Link) vulnerabilities in Android and iOS mobile applications
Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying
Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding
Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including
Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications
Identifies and exploits IPv6-specific vulnerabilities including SLAAC spoofing, Router Advertisement flooding,
Exploits JWT algorithm confusion vulnerabilities where the server's token verification library accepts the
Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active
Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields,