cybersecuritySkill
Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
Threat Hunting
auditdcrontabincident-responseld-preload+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
Threat Hunting
base64c2forensicsmitre-att&ck+5
ATT&CK16, 16 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
Threat Hunting
c2-beaconingexfiltrationnetflownetwork-forensics+3
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.
Threat Hunting
hunting-frameworkhypothesismethodologyproactive-detection+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
Threat Hunting
active-directorycredential-theftdcsynckerberos+3
ATT&CK11, 11 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.
Threat Hunting
defense-evasiondll-sideloadingedrmitre-attack+3
ATT&CK12, 12 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.
Threat Hunting
becemail-forwardingmitre-attackpersistence+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.
Threat Hunting
active-directorycredential-abusegolden-ticketkerberos+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.
Threat Hunting
data-theftinsider-threatmitre-attackproactive-detection+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.
Threat Hunting
credential-accesskerberoastingkerberosmitre-attack+3
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.
Threat Hunting
lateral-movementmitre-attackproactive-detectionsiem+3
ATT&CK15, 15 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.
Threat Hunting
detectionpersistencescheduled-taskssysmon+2
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
Threat Hunting
credential-dumpingedrmimikatzmitre-attack+3
ATT&CK13, 13 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.
Threat Hunting
active-directoryevent-4624event-correlationldap-signing+7
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsATLAS4, 4 mappingsD3FEND5, 5 mappingsAI RMF4, 4 mappings
cybersecuritySkill
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
Threat Hunting
credential-accessmitre-attackpass-the-hashproactive-detection+2
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
Threat Hunting
mitre-attackprivilege-escalationproactive-detectionthreat-hunting+2
ATT&CK16, 16 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.
Threat Hunting
edrmitre-attackproactive-detectionprocess-hollowing+3
ATT&CK17, 17 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.
Threat Hunting
mitre-attackprivilege-escalationproactive-detectionservice-accounts+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.
Threat Hunting
amsiexecutionmitre-attackpowershell+3
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Threat Hunting
credential-dumpingedrlsassmimikatz+4
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
Threat Hunting
defense-evasiondll-injectionmitre-t1055process-hollowing+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
Threat Hunting
elevation-controlmitre-t1548privilege-escalationthreat-hunting+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
Threat Hunting
dfirmitre-attackpersistencesysmon+4
ATT&CK3, 3 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Deploy a Velociraptor server and agents and write VQL hunts across a fleet.
Threat Hunting
dfirdigital-forensicsendpoint-visibilityfleet-collection+4
ATT&CK1, 1 mappingNIST CSF1, 1 mapping
cybersecuritySkill
Perform rapid Sigma and keyword hunting across Windows event logs with Chainsaw.
Threat Hunting
chainsawdetectiondfirevtx+4
ATT&CK7, 7 mappingsNIST CSF1, 1 mapping
cybersecuritySkill
Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.
Threat Hunting
amsievent-4104evtxobfuscation+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints.
Threat Hunting
beaconingc2-detectionfrequency-analysisjitter-detection+4
ATT&CK16, 16 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis.
Threat Hunting
beaconc2cobalt-strikeja3+5
ATT&CK10, 10 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure.
Threat Hunting
beaconingc2mitre-attacknetwork-analysis+2
ATT&CK19, 19 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel abuse.
Threat Hunting
data-exfiltrationdlpmitre-attacknetwork-analysis+2
ATT&CK19, 19 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappingsD3FEND5, 5 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp folder access, large file consolidation, and staging directory patterns via EDR and process telemetry
Threat Hunting
archive-detectiondata-stagingdlpedr+3
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.
Threat Hunting
com-objectsdcomlateral-movementmmc20+7
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
Threat Hunting
active-directorycredential-accessdcsyncdfir+4
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping activity.
Threat Hunting
defense-evasionmft-analysisntfs-forensicstimestomping
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.
Threat Hunting
covert-channeldata-exfiltrationdns-tunnelingmitre-t1071-004+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis.
Threat Hunting
dnsdns-hijackingpassive-dnspersistence+3
ATT&CK9, 9 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate discrepancies using pyOpenSSL for certificate inspection
Threat Hunting
c2-detectiondomain-frontingnetwork-securityproxy-logs+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.
Threat Hunting
lateral-movementmitre-attackprocess-creationsysmon+2
ATT&CK8, 8 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.
Threat Hunting
c2cloud-abuselotcmitre-attack+3
ATT&CK11, 11 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.
Threat Hunting
defense-evasionedrlolbinsmitre-attack+3
ATT&CK28, 28 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes.
Threat Hunting
defense-evasionendpoint-detectionliving-off-the-landlolbins+3
ATT&CK17, 17 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.
Threat Hunting
active-directorycredential-accessevent-4624ntlm-relay+5
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
Threat Hunting
mitre-attackpersistenceproactive-detectionregistry+3
ATT&CK44, 44 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events.
Threat Hunting
endpoint-detectionevent-subscriptionmitre-t1546-003threat-hunting+2
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry
Threat Hunting
createremotethreaddll-injectionedrprocess-injection+3
ATT&CK11, 11 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.
Threat Hunting
mitre-attackpersistenceproactive-detectionregistry+3
ATT&CK13, 13 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries.
Threat Hunting
mitre-attackpersistenceregistry-run-keyssysmon+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns.
Threat Hunting
mitre-attackpersistenceproactive-detectionscheduled-tasks+2
ATT&CK9, 9 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring vssadmin, wmic, and PowerShell shadow copy commands.
Threat Hunting
anti-forensicsmitre-attackproactive-detectionransomware+3
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
Threat Hunting
email-securityinitial-accessmitre-attackproactive-detection+3
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
Threat Hunting
autorunsfilesystem-monitoringpersistencestartup-folder+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts.
Threat Hunting
initial-accessmitre-attackproactive-detectionsupply-chain+2
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.
Threat Hunting
endpoint-detectionmitre-t1053-005persistencescheduled-tasks+2
ATT&CK9, 9 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs.
Threat Hunting
account-manipulationactive-directorymitre-attackpersistence+2
ATT&CK13, 13 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.
Threat Hunting
anomaly-detectionc2mitre-attacknetwork-analysis+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.
Threat Hunting
event-7045persistenceservice-installationsysmon+3
ATT&CK6, 6 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.
Threat Hunting
mitre-attackpersistenceproactive-detectiont1505+3
ATT&CK10, 10 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
Threat Hunting
malware-detectionpattern-matchingthreat-huntingyara
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings