Open security library

Cybersecurity skills, mapped and searchable.

Find a practical workflow by security specialty, control framework, technique, or tool—then open the complete skill with its source context intact.

Skills
817
Domains
46
Mapped
817

817 skills

Filters combine across groups and match any choice within a group.

cybersecuritySkill

Abusing DPAPI for Credential Access

Extract DPAPI-protected secrets such as credentials and browser data offline and online.

Red Teaming
active-directorycredential-accessdpapimimikatz+4
ATT&CK, 3 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Abusing Shadow Credentials for Privilege Escalation

Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.

Red Teaming
active-directorycertipykey-credential-linkpkinit+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Achieving CMMC Level 2 Compliance

Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14 families, compute the SPRS score with the DoD Assessment Methodology, manage a compliant POA&M, and ready the organization for a C3PAO assessment. Use when an organization handles Controlled Unclassified Information (CUI) under a DoD contract, when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for or responding to a CMMC assessment, when computing or improving an SPRS score, when building a System Security Plan or POA&M for 800-171, or when scoping which systems are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2, CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.

Compliance Governance
c3paocmmccompliancecui+6
ATT&CK, 5 mappingsNIST CSF, 6 mappings
cybersecuritySkill

Acquiring Disk Image with dd and dcfldd

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

Digital Forensics
dcfldddddisk-imagingevidence-acquisition+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Active Directory ACL Abuse

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

Identity Security
acl-abuseactive-directoryldapprivilege-escalation
ATT&CK, 5 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Analyzing Android Malware with Apktool

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

Malware Analysis
androguardandroidapkapktool+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing API Gateway Access Logs

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

Security Operations
access-log-analysisapi-securityaws-api-gatewaybola-detection+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing APT Group with MITRE ATT&CK Navigator

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

Threat Intelligence
aptdetection-gapheatmapmitre-attack+4
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Azure Activity Logs for Threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

Security Operations
activity-logsazureazure-monitorcloud-security+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Bootkit and Rootkit Samples

Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection.

Malware Analysis
bootkitmalwarembr-analysisrootkit+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Browser Forensics with Hindsight

Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.

Digital Forensics
browser-forensicsbrowsing-historycachechrome-forensics+6
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Campaign Attribution Evidence

Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.

Threat Intelligence
attributioncampaign-analysisctiioc+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Certificate Transparency for Phishing

Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.

Threat Intelligence
certificate-transparencycertstreamcrt-shct-logs+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing Cloud Storage Access Patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

Cloud Security
aws-s3azure-blob-storagecloud-securitycloudtrail+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 3 mappings
cybersecuritySkill

Analyzing Cobalt Strike Beacon Configuration

Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.

Malware Analysis
beaconc2cobalt-strikeconfig-extraction+3
ATT&CK, 10 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing CobaltStrike Malleable C2 Profiles

Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.

Malware Analysis
beacon-analysisc2-detectioncobalt-strikemalleable-c2+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Command-and-Control Communication

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.

Malware Analysis
beaconc2command-and-controlmalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Cyber Kill Chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

Threat Intelligence
defense-in-depthintrusion-analysiskill-chainlockheed-martin+2
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Disk Image with Autopsy

Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.

Digital Forensics
artifact-analysisautopsydisk-analysisfile-recovery+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing DNS Logs for Exfiltration

Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls.

Soc Operations
c2-detectiondgadnsdns-tunneling+4
ATT&CK, 3 mappingsNIST CSF, 4 mappingsATLAS, 3 mappings
cybersecuritySkill

Analyzing Docker Container Forensics

Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.

Digital Forensics
container-forensicscontainer-securitydockerforensics+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Email Headers for Phishing Investigation

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.

Digital Forensics
dkimdmarcemail-analysisforensics+3
ATT&CK, 3 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing Ethereum Smart Contract Vulnerabilities

Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.

Blockchain Security
auditblockchaindefiethereum+4
ATT&CK, 2 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Analyzing Golang Malware with Ghidra

Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.

Malware Analysis
binary-analysisdisassemblyghidrago-malware+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Heap Spray Exploitation

Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.

Malware Analysis
exploit-analysisheap-spraymalware-analysismemory-forensics+1
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Indicators of Compromise

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

Threat Intelligence
abuseipdbiocmalwarebazaarmisp+4
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing iOS App Security with Objection

Runtime iOS app security testing with Objection (Frida): inspect keychain and filesystem data, explore app internals at runtime, and validate/bypass client-side protections during authorized mobile assessments.

Mobile Security
fridaiosmobile-securityobjection+2
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 1 mappingAI RMF, 4 mappings
cybersecuritySkill

Analyzing Kubernetes Audit Logs

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

Container Security
audit-log-analysiscontainer-securityk8s-api-serverkubernetes-security+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Linux Audit Logs for Intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

Incident Response
auditdaureportausearchforensics+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Linux ELF Malware

Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis.

Malware Analysis
elflinuxmalwarereverse-engineering+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Linux Kernel Rootkits

Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.

Digital Forensics
forensicskernellinuxmalware-analysis+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Linux System Artifacts

Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.

Digital Forensics
forensicsincident-investigationlinux-forensicslog-analysis+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing LNK File and Jump List Artifacts

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

Digital Forensics
file-accessjlecmdjump-listslecmd+6
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Macro Malware in Office Documents

Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination.

Malware Analysis
document-malwaremacromalwareoffice+1
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Malicious PDF with peepdf

Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.

Malware Analysis
dfirmalware-analysispdfpdf-parser+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Malicious URL with URLScan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.

Phishing Defense
awarenessdmarcemail-securityphishing+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing Malware Behavior with Cuckoo Sandbox

Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral analysis, or automated malware execution.

Malware Analysis
behavioral-analysiscuckoodynamic-analysismalware+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Malware Family Relationships with Malpedia

Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.

Threat Intelligence
malpediamalware-familymalware-intelligencemalware-tracking+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Malware Persistence with Autoruns

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

Malware Analysis
autorunsincident-responsemalware-analysispersistence+4
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Malware Sandbox Evasion Techniques

Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports

Malware Analysis
anyrunbehavioral-analysiscuckoomalware-analysis+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Memory Dumps with Volatility

Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes, injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection detection, or memory-resident malware investigation.

Malware Analysis
incident-responsemalwarememory-forensicsram-analysis+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Memory Forensics with LiME and Volatility

Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.

Security Operations
incident-responsekernel-moduleslimelinux-forensics+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing MFT for Deleted File Recovery

Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.

Digital Forensics
deleted-filesdfirfile-recoveryfile-system-forensics+6
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Covert Channels in Malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

Malware Analysis
c2-detectioncovert-channelsdata-exfiltrationdns-tunneling+3
ATT&CK, 4 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Network Flow Data with Netflow

Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.

Network Security
analyzingdataflownetwork
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Packets with Scapy

Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing

Network Security
network-forensicspacket-analysispcapprotocol-dissection+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Traffic for Incidents

Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.

Incident Response
network-forensicspcap-analysistraffic-analysiswireshark+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Traffic of Malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

Malware Analysis
c2-detectionmalwarenetwork-analysispcap+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings