Security specialty

Threat Detection

Browse every cataloged workflow for threat detection, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

7 skills

cybersecuritySkill

Detecting Credential Dumping Techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

Threat Detection
active-directorycredential-dumpingdefense-evasionlsass+3
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Golden Ticket Forgery

Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM

Threat Detection
active-directorycredential-theftgolden-ticketkerberos+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Insider Threat with UEBA

Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.

Threat Detection
anomaly-detectionbehavior-analyticselasticsearchinsider-threat+3
ATT&CK, 8 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Living Off the Land Attacks

Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.

Threat Detection
fileless-attackslolbinslotlprocess-monitoring
ATT&CK, 18 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Living Off the Land with LOLBAS

Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis

Threat Detection
endpoint-detectionlolbaslolbinsprocess-monitoring+3
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Pass-the-Ticket Attacks

Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM

Threat Detection
active-directorycredential-theftelastickerberos+3
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting RDP Brute Force Attacks

Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.

Threat Detection
blue-teambrute-forcerdpsiem+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings