Tools & Utilities

Essential command-line tools and system utilities.

32082 skills, all categories, sorted by stars

hunting-for-dcsync-attacks
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
mukul975 | tools | debugging | 4.2K stars

hunting-for-defense-evasion-via-timestomping
Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping activity.
mukul975 | tools | debugging | 4.2K stars

hunting-for-dns-tunneling-with-zeek
Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.
mukul975 | tools | debugging | 4.2K stars

hunting-for-domain-fronting-c2-traffic
Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate discrepancies, using pyOpenSSL for certificate inspection.
mukul975 | tools | debugging | 4.2K stars

hunting-for-lateral-movement-via-wmi
Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.
mukul975 | tools | debugging | 4.2K stars

hunting-for-lolbins-execution-in-endpoint-logs
Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes.
mukul975 | tools | debugging | 4.2K stars

hunting-for-registry-run-key-persistence
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.
mukul975 | tools | debugging | 4.2K stars

hunting-for-scheduled-task-persistence
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns.
mukul975 | tools | debugging | 4.2K stars

hunting-for-startup-folder-persistence
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
mukul975 | tools | debugging | 4.2K stars

hunting-for-supply-chain-compromise
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts.
mukul975 | tools | debugging | 4.2K stars

hunting-for-suspicious-scheduled-tasks
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.
mukul975 | tools | debugging | 4.2K stars

hunting-for-unusual-network-connections
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.
mukul975 | tools | debugging | 4.2K stars

hunting-for-unusual-service-installations
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.
mukul975 | tools | debugging | 4.2K stars

hunting-for-webshell-activity
Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.
mukul975 | tools | debugging | 4.2K stars

implementing-attack-surface-management
Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ). Use when building continuous ASM programs or performing external reconnaissance for security assessments.
mukul975 | tools | debugging | 4.2K stars

implementing-cloud-trail-log-analysis
Implements AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.
mukul975 | tools | debugging | 4.2K stars

implementing-data-loss-prevention-with-microsoft-purview
Implements data loss prevention policies using Microsoft Purview to protect sensitive information across Exchange Online, SharePoint, OneDrive, Teams, endpoint devices, and Power BI. The analyst configures sensitivity labels with encryption and content marking, creates DLP policies using built-in and custom sensitive information types with regex patterns, deploys endpoint DLP rules to control file operations on Windows and macOS devices, and monitors policy effectiveness through Activity Explorer and DLP alert management. Uses PowerShell cmdlets and the Microsoft Graph API for programmatic policy management. Activates for requests involving DLP policy creation, sensitivity label configuration, data classification, endpoint data protection, or Microsoft Purview compliance administration.
mukul975 | tools | debugging | 4.2K stars

implementing-devsecops-security-scanning
Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) into CI/CD pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container scanning, OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving DevSecOps pipeline setup, automated security scanning in CI/CD, SAST/DAST/SCA integration, or shift-left security implementation.
mukul975 | tools | debugging | 4.2K stars

Page 104 / 1337