cybersecuritySkill
Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
Malware Analysis
androguardandroidapkapktool+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection.
Malware Analysis
bootkitmalwarembr-analysisrootkit+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
Malware Analysis
beaconc2cobalt-strikeconfig-extraction+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
Malware Analysis
beacon-analysisc2-detectioncobalt-strikemalleable-c2+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.
Malware Analysis
beaconc2command-and-controlmalware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
Malware Analysis
binary-analysisdisassemblyghidrago-malware+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
Malware Analysis
exploit-analysisheap-spraymalware-analysismemory-forensics+1
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis.
Malware Analysis
elflinuxmalwarereverse-engineering+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination.
Malware Analysis
document-malwaremacromalwareoffice+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
Malware Analysis
dfirmalware-analysispdfpdf-parser+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral analysis, or automated malware execution.
Malware Analysis
behavioral-analysiscuckoodynamic-analysismalware+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
Malware Analysis
autorunsincident-responsemalware-analysispersistence+4
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
Malware Analysis
anyrunbehavioral-analysiscuckoomalware-analysis+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes, injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection detection, or memory-resident malware investigation.
Malware Analysis
incident-responsemalwarememory-forensicsram-analysis+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
Malware Analysis
c2-detectioncovert-channelsdata-exfiltrationdns-tunneling+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.
Malware Analysis
c2-detectionmalwarenetwork-analysispcap+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
Malware Analysis
malwarepackingstatic-analysisunpacking+1
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage.
Malware Analysis
document-malwaremalwarepdf-analysispdfid+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.
Malware Analysis
cryptanalysisencryptionmalwareransomware+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
Malware Analysis
3cxdependency-confusionmalware-analysissoftware-integrity+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic. Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated dropper investigation.
Malware Analysis
deobfuscationjavascriptmalwarescript-analysis+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.
Malware Analysis
ast-analysisdeobfuscationincident-responsemalware-analysis+3
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.
Malware Analysis
detectionfilelesslolbinsmalware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.
Malware Analysis
defense-evasiondetectionmalwarememory-forensics+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking, or system call hook analysis.
Malware Analysis
detectionkernel-analysismalwarememory-forensics+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints using .NET decompilation and memory analysis.
Malware Analysis
agent-teslaconfig-extractioncredential-theftdotnet+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs, domains, URLs), host artifacts (file paths, registry keys, mutexes), and behavioral patterns for threat intelligence sharing and detection rule creation. Activates for requests involving IOC extraction, threat indicator harvesting, malware indicator collection, or building detection content from samples.
Malware Analysis
detectionindicatorsioc-extractionmalware+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, configuration parsing, and anti-evasion capabilities.
Malware Analysis
automated-analysisbehavioral-analysiscapecuckoo+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage.
Malware Analysis
any.rundynamic-analysisinteractive-analysismalware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering, and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit detection, or embedded device compromise assessment.
Malware Analysis
embedded-securityfirmwareiotmalware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences, and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning, and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern matching, sample triage, or signature-based detection.
Malware Analysis
classificationmalwarepattern-matchingtriage+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory images.
Malware Analysis
dfirincident-responsemalware-analysismemory-forensics+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage.
Malware Analysis
malwarepe-analysispestudioreverse-engineering+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
Malware Analysis
indicator-developmentmalware-detectionpattern-matchingsignature-development+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET obfuscation analysis.
Malware Analysis
decompilationdnspydotnetmalware+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.
Malware Analysis
androidjadxmalwaremobile-malware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.
Malware Analysis
decompilationdisassemblyghidramalware+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and potential decryption opportunities using static and dynamic analysis.
Malware Analysis
aescryptanalysisdecryptionencryption+4
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.
Malware Analysis
binary-analysisghidraida-promalware-analysis+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings