Expand 39 api-reference stubs with real tool docs, expand 15 agent.py boilerplate stubs

2026-06-11 13:44:56 +03:00 · 2026-03-19 13:29:33 +01:00
parent d63b578a2f
commit d005ae764b
191 changed files with 4300 additions and 587 deletions
@@ -1,140 +0,0 @@
-#!/usr/bin/env python3
-"""Add missing timeout= parameter to subprocess calls in agent.py files."""
-
-import glob
-import re
-
-
-def add_timeout_to_subprocess_calls(filepath):
-    """Add timeout=120 to subprocess.run/check_output/check_call calls missing it."""
-    with open(filepath, "r", encoding="utf-8", errors="replace") as f:
-        content = f.read()
-
-    original = content
-    fixes = 0
-
-    funcs = ["subprocess.run", "subprocess.check_output", "subprocess.check_call"]
-
-    for func in funcs:
-        start = 0
-        while True:
-            idx = content.find(func + "(", start)
-            if idx == -1:
-                break
-
-            # Check if this line is a comment
-            line_start = content.rfind("\n", 0, idx) + 1
-            line_prefix = content[line_start:idx].lstrip()
-            if line_prefix.startswith("#"):
-                start = idx + 1
-                continue
-
-            # Find matching closing paren with basic string tracking
-            paren_depth = 0
-            pos = idx + len(func)
-            found_close = -1
-            in_str = None
-            escape_next = False
-
-            while pos < len(content):
-                ch = content[pos]
-
-                if escape_next:
-                    escape_next = False
-                    pos += 1
-                    continue
-
-                if ch == "\\":
-                    escape_next = True
-                    pos += 1
-                    continue
-
-                if in_str is None:
-                    if ch == '"' and content[pos:pos+3] == '"""':
-                        in_str = '"""'
-                        pos += 3
-                        continue
-                    elif ch == "'" and content[pos:pos+3] == "'''":
-                        in_str = "'''"
-                        pos += 3
-                        continue
-                    elif ch == '"':
-                        in_str = '"'
-                    elif ch == "'":
-                        in_str = "'"
-                    elif ch == "(":
-                        paren_depth += 1
-                    elif ch == ")":
-                        if paren_depth == 1:
-                            found_close = pos
-                            break
-                        paren_depth -= 1
-                else:
-                    if in_str == '"""' and content[pos:pos+3] == '"""':
-                        in_str = None
-                        pos += 3
-                        continue
-                    elif in_str == "'''" and content[pos:pos+3] == "'''":
-                        in_str = None
-                        pos += 3
-                        continue
-                    elif in_str == '"' and ch == '"':
-                        in_str = None
-                    elif in_str == "'" and ch == "'":
-                        in_str = None
-
-                pos += 1
-
-            if found_close == -1:
-                start = idx + 1
-                continue
-
-            call_content = content[idx:found_close + 1]
-
-            if "timeout" not in call_content:
-                # Insert timeout=120 before the closing paren
-                before_close = content[:found_close].rstrip()
-                after_close = content[found_close + 1:]
-
-                # Determine indentation by looking at the line with the func call
-                func_line_start = content.rfind("\n", 0, idx) + 1
-                indent = ""
-                for c in content[func_line_start:]:
-                    if c in (" ", "\t"):
-                        indent += c
-                    else:
-                        break
-
-                # Check if call is multiline
-                call_text = content[idx:found_close]
-                if "\n" in call_text:
-                    # Multiline: add timeout on new line with proper indent
-                    content = before_close + ", timeout=120\n" + indent + ")" + after_close
-                else:
-                    # Single line: add inline
-                    content = content[:found_close] + ", timeout=120)" + after_close
-
-                fixes += 1
-
-            start = idx + 1
-
-    if fixes > 0:
-        with open(filepath, "w", encoding="utf-8") as f:
-            f.write(content)
-
-    return fixes
-
-
-if __name__ == "__main__":
-    files = sorted(glob.glob("skills/*/scripts/agent.py"))
-    total_fixed = 0
-    files_fixed = 0
-
-    for filepath in files:
-        n = add_timeout_to_subprocess_calls(filepath)
-        if n > 0:
-            total_fixed += n
-            files_fixed += 1
-            print(f"  Fixed {n} calls in {filepath}")
-
-    print(f"\nTotal: {total_fixed} subprocess calls fixed across {files_fixed} files")
@@ -18,6 +18,14 @@ Active Directory Access Control Lists (ACLs) define permissions on AD objects th

 This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.

+
+## When to Use
+
+- When investigating security incidents that require analyzing active directory acl abuse
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9 or later with ldap3 library (`pip install ldap3`)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.

+
+## When to Use
+
+- When investigating security incidents that require analyzing android malware with apktool
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `androguard`
@@ -14,6 +14,14 @@ license: Apache-2.0

 MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams.

+
+## When to Use
+
+- When investigating security incidents that require analyzing apt group with mitre navigator
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.

+
+## When to Use
+
+- When investigating security incidents that require analyzing campaign attribution evidence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows.

+
+## When to Use
+
+- When investigating security incidents that require analyzing certificate transparency for phishing
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section.

+
+## When to Use
+
+- When investigating security incidents that require analyzing cobalt strike beacon configuration
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python`
@@ -14,6 +14,14 @@ license: Apache-2.0

 Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.

+
+## When to Use
+
+- When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2`
@@ -15,6 +15,14 @@ license: Apache-2.0

 Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.

+
+## When to Use
+
+- When investigating security incidents that require analyzing ethereum smart contract vulnerabilities
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.10+ with pip
@@ -14,6 +14,14 @@ license: Apache-2.0

 Go (Golang) has become a popular language for malware authors due to its cross-compilation capabilities, static linking that produces self-contained binaries, and the complexity it introduces for reverse engineering. Go binaries contain the entire runtime, standard library, and all dependencies statically linked, resulting in large binaries (often 5-15MB) with thousands of functions. Ghidra struggles with Go-specific string formats (non-null-terminated), stripped function names, and goroutine concurrency patterns. Specialized tools like GoResolver (Volexity, 2025) use control-flow graph similarity to automatically deobfuscate and recover function names in stripped or obfuscated Go binaries.

+
+## When to Use
+
+- When investigating security incidents that require analyzing golang malware with ghidra
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Ghidra 11.0+ with JDK 17+
@@ -14,6 +14,14 @@ license: Apache-2.0

 Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis.

+
+## When to Use
+
+- When investigating security incidents that require analyzing heap spray exploitation
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `volatility3` framework installed
@@ -84,8 +84,8 @@ def extract_strings(filepath, min_length=6):
    """Extract ASCII strings from the binary and categorize by type."""
    stdout, _, rc = subprocess.run(
        ["strings", "-n", str(min_length), filepath],
-        capture_output=True, text=True
-, timeout=120).stdout, "", 0
+        capture_output=True, text=True, timeout=120
+    ).stdout, "", 0
    if not stdout:
        return {}
    all_strings = stdout.strip().splitlines()
@@ -15,6 +15,14 @@ license: Apache-2.0

 Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.

+
+## When to Use
+
+- When investigating security incidents that require analyzing linux kernel rootkits
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Volatility3 installed (pip install volatility3)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.

+
+## When to Use
+
+- When investigating security incidents that require analyzing malicious url with urlscan
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - URLScan.io account (free tier available, API key for automation)
 - Python 3.8+ with requests library
@@ -14,6 +14,14 @@ license: Apache-2.0

 Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries.

+
+## When to Use
+
+- When investigating security incidents that require analyzing malware family relationships with malpedia
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `requests`, `yara-python`, `stix2` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.

+
+## When to Use
+
+- When investigating security incidents that require analyzing malware persistence with autoruns
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Sysinternals Autoruns (GUI) and Autorunsc (CLI)
@@ -22,6 +22,14 @@ license: Apache-2.0

 Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.

+
+## When to Use
+
+- When investigating security incidents that require analyzing malware sandbox evasion techniques
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
@@ -14,6 +14,14 @@ license: Apache-2.0

 Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence.

+
+## When to Use
+
+- When investigating security incidents that require analyzing network covert channels in malware
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `scapy`, `dpkt`, `dnslib`
@@ -21,6 +21,14 @@ license: Apache-2.0

 Scapy is a Python packet manipulation library that enables crafting, sending, sniffing, and dissecting network packets at granular protocol layers. This skill covers using Scapy for security-relevant tasks including TCP/UDP/ICMP packet crafting, pcap file analysis, protocol field extraction, SYN scan implementation, DNS query analysis, and detecting anomalous traffic patterns such as unusually fragmented packets or malformed headers.

+
+## When to Use
+
+- When investigating security incidents that require analyzing network packets with scapy
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.8+ with `scapy` library installed (`pip install scapy`)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify compromised account indicators.

+
+## When to Use
+
+- When investigating security incidents that require analyzing office365 audit logs for compromise
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Azure AD app registration with `AuditLog.Read.All`, `MailboxSettings.Read`, `Mail.Read` (application permissions)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.

+
+## When to Use
+
+- When investigating security incidents that require analyzing persistence mechanisms in linux
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Root or sudo access on target Linux system (or forensic image)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Ransomware groups operating under double-extortion models maintain data leak sites (DLS) on Tor hidden services where they post victim names, stolen data samples, and countdown timers to pressure payment. In H1 2025, 96 unique ransomware groups were active, listing approximately 535 victims per month. Monitoring these sites provides intelligence on active threat groups, targeted sectors, geographic patterns, and emerging ransomware families. This skill covers safely collecting DLS intelligence, extracting structured data, tracking group activity trends, and producing sector-specific risk assessments.

+
+## When to Use
+
+- When investigating security incidents that require analyzing ransomware leak site intelligence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `requests`, `beautifulsoup4`, `pandas`, `matplotlib` libraries
@@ -15,6 +15,14 @@ license: Apache-2.0

 Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families.

+
+## When to Use
+
+- When investigating security incidents that require analyzing ransomware network indicators
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Zeek conn.log files or NetFlow CSV/JSON exports
@@ -14,6 +14,14 @@ license: Apache-2.0

 Supply chain attacks compromise legitimate software distribution channels to deliver malware through trusted update mechanisms. Notable examples include SolarWinds SUNBURST (2020, affecting 18,000+ customers), 3CX SmoothOperator (2023, a cascading supply chain attack originating from Trading Technologies), and numerous npm/PyPI package poisoning campaigns. Analysis involves comparing trojanized binaries against legitimate versions, identifying injected code in build artifacts, examining code signing anomalies, and tracing the infection chain from initial compromise through payload delivery. As of 2025, supply chain attacks account for 30% of all breaches, a 100% increase from prior years.

+
+## When to Use
+
+- When investigating security incidents that require analyzing supply chain malware artifacts
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `pefile`, `ssdeep`, `hashlib`
@@ -14,6 +14,14 @@ license: Apache-2.0

 MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.

+
+## When to Use
+
+- When investigating security incidents that require analyzing threat actor ttps with mitre attack
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `mitreattack-python`, `attackcti`, `stix2` libraries
@@ -23,6 +23,14 @@ Combined with the attackcti Python library (which queries ATT&CK STIX data via T
 can programmatically generate Navigator layer files mapping specific threat group TTPs, compare
 multiple groups, and assess detection coverage gaps against known adversaries.

+
+## When to Use
+
+- When investigating security incidents that require analyzing threat actor ttps with mitre navigator
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.8+ with attackcti and stix2 libraries installed
@@ -14,6 +14,14 @@ license: Apache-2.0

 DNSTwist is a domain name permutation engine that generates similar-looking domain names to detect typosquatting, homograph phishing attacks, and brand impersonation. It creates thousands of domain permutations using techniques like character substitution, transposition, insertion, omission, and homoglyph replacement, then checks DNS records (A, AAAA, NS, MX), calculates web page similarity using fuzzy hashing (ssdeep) and perceptual hashing (pHash), and identifies potentially malicious registered domains.

+
+## When to Use
+
+- When investigating security incidents that require analyzing typosquatting domains with dnstwist
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `dnstwist` installed (`pip install dnstwist[full]`)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Windows Prefetch files (.pf) record application execution data including executable names, run counts, timestamps, loaded DLLs, and accessed directories. This skill covers parsing Prefetch files using the windowsprefetch Python library to reconstruct execution timelines, detect renamed or masquerading binaries by comparing executable names with loaded resources, and identifying suspicious programs that may indicate malware execution or lateral movement.

+
+## When to Use
+
+- When investigating security incidents that require analyzing windows prefetch with python
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `windowsprefetch` library (pip install windowsprefetch)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Adversary infrastructure tracking uses passive DNS records, certificate transparency logs, WHOIS registration data, and IP enrichment to discover, map, and monitor threat actor command-and-control (C2) networks. Attackers frequently reuse hosting providers, registrars, SSL certificates, and naming patterns across campaigns, enabling analysts to pivot from known indicators to discover new infrastructure. This skill covers building an automated tracking system that identifies infrastructure relationships, detects newly registered domains matching adversary patterns, and maintains a continuously updated map of threat actor networks.

+
+## When to Use
+
+- When deploying or configuring building adversary infrastructure tracking system capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Python 3.9+ with `requests`, `dnspython`, `python-whois`, `shodan`, `networkx` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 Cyber threat intelligence (CTI) reports from vendors like Mandiant, CrowdStrike, Talos, and Microsoft contain detailed descriptions of adversary behaviors that can be extracted, normalized, and cataloged into a structured attack pattern library. This skill covers parsing CTI reports to extract adversary techniques, mapping behaviors to MITRE ATT&CK technique IDs, creating STIX 2.1 Attack Pattern objects, building a searchable library indexed by tactic, technique, and threat actor, and generating detection rule templates from documented patterns.

+
+## When to Use
+
+- When deploying or configuring building attack pattern library from cti reports capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Python 3.9+ with `stix2`, `mitreattack-python`, `spacy`, `requests` libraries
@@ -15,6 +15,14 @@ license: Apache-2.0

 Identity federation enables users authenticated by one identity provider to access resources managed by another without maintaining separate credentials. This skill covers establishing SAML 2.0 federation between an organization's on-premises Active Directory (via AD FS or third-party IdP) and Microsoft Entra ID (formerly Azure AD), as well as configuring federated SSO for third-party SaaS applications. Federation eliminates password synchronization concerns and keeps authentication authority on-premises while extending SSO to cloud resources.

+
+## When to Use
+
+- When deploying or configuring building identity federation with saml azure ad capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - On-premises Active Directory domain
@@ -14,6 +14,14 @@ license: Apache-2.0

 IOC defanging modifies potentially malicious indicators (URLs, IP addresses, domains, email addresses) to prevent accidental clicks or execution while preserving readability for analysis and sharing. This skill covers building an automated pipeline that ingests raw IOCs from multiple sources, normalizes and deduplicates them, applies defanging for safe human consumption, converts them to STIX 2.1 format for machine consumption, and distributes through TAXII servers, MISP instances, and email reports.

+
+## When to Use
+
+- When deploying or configuring building ioc defanging and sharing pipeline capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Python 3.9+ with `defang`, `ioc-fanger`, `stix2`, `requests`, `validators` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using OpenCTI's connector ecosystem to enrich indicators with context from VirusTotal, Shodan, AbuseIPDB, GreyNoise, and other sources. The pipeline automatically enriches newly ingested indicators, correlates them with known threat actors and campaigns, and scores them for analyst prioritization.

+
+## When to Use
+
+- When deploying or configuring building ioc enrichment pipeline with opencti capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Docker and Docker Compose for OpenCTI deployment
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Microsoft releases security updates on the second Tuesday of each month ("Patch Tuesday"), addressing vulnerabilities across Windows, Office, Exchange, SQL Server, Azure services, and other products. In 2025, Microsoft patched over 1,129 vulnerabilities across the year -- an 11.9% increase from 2024 -- making a structured response process critical. The leading risk types include elevation of privilege (49%), remote code execution (34%), and information disclosure (7%). This skill covers building a repeatable Patch Tuesday response workflow from initial advisory review through testing, deployment, and validation.

+
+## When to Use
+
+- When deploying or configuring building patch tuesday response process capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Access to Microsoft Security Response Center (MSRC) update guide
 - Vulnerability management platform (Qualys VMDR, Rapid7, Tenable)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.

+
+## When to Use
+
+- When deploying or configuring building phishing reporting button workflow capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Microsoft 365 or Google Workspace with administrative access
 - SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Role mining is the process of analyzing existing user-permission assignments to discover optimal roles for a Role-Based Access Control (RBAC) system. Organizations accumulate excessive permissions over time through job changes, project assignments, and ad-hoc access grants, leading to "role explosion" where thousands of granular roles exist with significant overlap. Role mining uses data analysis -- including clustering algorithms, formal concept analysis, and graph-based methods -- to consolidate permissions into a minimal set of roles that accurately represent business functions while enforcing least privilege.

+
+## When to Use
+
+- When deploying or configuring building role mining for rbac optimization capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Export of current user-permission assignments (CSV/database)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Threat actor profiling using OSINT systematically gathers and analyzes publicly available information to build comprehensive profiles of adversary groups. This skill covers collecting intelligence from public sources (security vendor reports, paste sites, dark web forums, social media, code repositories), correlating indicators across platforms, mapping adversary infrastructure using tools like Maltego and SpiderFoot, and producing structured threat actor dossiers that inform defensive strategies and attribution assessments.

+
+## When to Use
+
+- When deploying or configuring building threat actor profile from osint capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Python 3.9+ with `shodan`, `requests`, `beautifulsoup4`, `maltego-trx`, `stix2` libraries
@@ -14,6 +14,14 @@ license: Apache-2.0

 MISP is the leading open-source threat intelligence platform for collecting, storing, distributing, and sharing cybersecurity indicators and threat intelligence. It aggregates feeds from OSINT sources, commercial providers, and sharing communities into a unified platform with automatic correlation, STIX/TAXII export, and direct integration with SIEMs and security tools. This skill covers deploying MISP via Docker, configuring feeds from sources like abuse.ch, AlienVault OTX, and CIRCL, setting up automated feed synchronization, and integrating with Splunk, Elasticsearch, and SOAR platforms.

+
+## When to Use
+
+- When deploying or configuring building threat feed aggregation with misp capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Docker and Docker Compose for deployment
@@ -14,6 +14,14 @@ license: Apache-2.0

 Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified system for collecting, analyzing, enriching, and disseminating threat intelligence. This skill covers designing TIP architecture using open-source tools (MISP, OpenCTI, TheHive, Cortex), configuring feed ingestion pipelines, establishing enrichment workflows, implementing STIX/TAXII interoperability, and building analyst dashboards for CTI operations.

+
+## When to Use
+
+- When deploying or configuring building threat intelligence platform capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Docker and Docker Compose for deploying platform components
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 With over 30,000 new vulnerabilities identified in 2024 (a 17% increase from the prior year), organizations must track how long vulnerabilities remain unpatched and whether remediation occurs within defined Service Level Agreements (SLAs). Vulnerability aging measures the time between discovery and remediation, while SLA tracking enforces severity-based deadlines. Industry benchmarks indicate standard SLAs of 14 days for critical, 30 days for high, 60 days for medium, and 90 days for low vulnerabilities, though more aggressive timelines (24-48 hours for actively exploited critical CVEs) are increasingly common. This skill covers designing SLA policies, building aging dashboards, implementing automated escalations, and generating compliance metrics.

+
+## When to Use
+
+- When deploying or configuring building vulnerability aging and sla tracking capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Vulnerability management platform with historical scan data
 - Asset inventory with criticality ratings
@@ -14,6 +14,14 @@ license: Apache-2.0

 MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or counter-terrorism information. This skill covers deploying MISP, configuring threat feeds, using the PyMISP API for programmatic access, and building automated collection pipelines that aggregate IOCs from multiple community and commercial sources.

+
+## When to Use
+
+- When managing security operations that require collecting threat intelligence with misp
+- When improving security program maturity and operational processes
+- When establishing standardized procedures for security team workflows
+- When integrating threat intelligence or vulnerability data into operations
+
 ## Prerequisites

 - Python 3.9+ with `pymisp` library installed
@@ -2,8 +2,8 @@
 name: configuring-microsegmentation-for-zero-trust
 description: Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like VMware NSX, Illumio, and Calico, preventing lateral movement in zero trust architectures.
 domain: cybersecurity
-subdomain: security-operations
-tags: [cybersecurity]
+subdomain: zero-trust-architecture
+tags: [zero-trust, microsegmentation, network-access, lateral-movement, network-security]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -11,19 +11,12 @@ license: Apache-2.0

 # Configuring Microsegmentation for Zero Trust

---
-domain: cybersecurity
-subdomain: zero-trust-architecture
-author: mahipal
-tags: [zero-trust, microsegmentation, network-access, lateral-movement, network-security]
-difficulty: advanced
-estimated_time: 4-6 hours
-prerequisites:
-  - Understanding of zero trust principles (NIST SP 800-207)
-  - Knowledge of network segmentation concepts
-  - Familiarity with firewall and SDN technologies
-  - Experience with VMware NSX, Illumio, Guardicore, or Cisco ACI
---
+## Prerequisites
+
+- Understanding of zero trust principles (NIST SP 800-207)
+- Knowledge of network segmentation concepts
+- Familiarity with firewall and SDN technologies
+- Experience with VMware NSX, Illumio, Guardicore, or Cisco ACI

 ## Overview

@@ -14,6 +14,14 @@ license: Apache-2.0

 PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.

+
+## When to Use
+
+- When performing authorized security testing that involves deobfuscating powershell obfuscated malware
+- When analyzing malware samples or attack artifacts in a controlled environment
+- When conducting red team exercises or penetration testing engagements
+- When building detection capabilities based on offensive technique understanding
+
 ## Prerequisites

 - Python 3.9+ with `base64`, `re`, `subprocess` modules
@@ -2,8 +2,8 @@
 name: deploying-software-defined-perimeter
 description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual TLS, and SDP controller/gateway configuration to enforce zero trust network access.
 domain: cybersecurity
-subdomain: security-operations
-tags: [cybersecurity]
+subdomain: zero-trust-architecture
+tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -11,19 +11,12 @@ license: Apache-2.0

 # Deploying Software-Defined Perimeter

---
-domain: cybersecurity
-subdomain: zero-trust-architecture
-author: mahipal
-tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna]
-difficulty: advanced
-estimated_time: 4-6 hours
-prerequisites:
-  - Understanding of zero trust principles (NIST SP 800-207)
-  - Knowledge of CSA Software-Defined Perimeter specification
-  - Familiarity with PKI and mutual TLS authentication
-  - Experience with network security architecture
---
+## Prerequisites
+
+- Understanding of zero trust principles (NIST SP 800-207)
+- Knowledge of CSA Software-Defined Perimeter specification
+- Familiarity with PKI and mutual TLS authentication
+- Experience with network security architecture

 ## Overview

@@ -15,6 +15,14 @@ license: Apache-2.0

 ARP poisoning (ARP spoofing) is a Layer 2 attack where an adversary sends falsified ARP messages to associate their MAC address with the IP address of a legitimate host, enabling man-in-the-middle (MitM) interception, session hijacking, or denial of service. Since ARP has no built-in authentication mechanism, any device on a broadcast domain can forge ARP replies. Detection requires monitoring ARP traffic for anomalies such as gratuitous ARP floods, IP-to-MAC mapping changes, and duplicate IP addresses. This skill covers deploying multiple detection layers including ARPWatch, Dynamic ARP Inspection (DAI), Wireshark-based analysis, and custom Python monitoring tools.

+
+## When to Use
+
+- When investigating security incidents that require detecting arp poisoning in network traffic
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Access to the target network segment (broadcast domain)
@@ -14,6 +14,14 @@ license: Apache-2.0

 AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's `lookup_events` API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

+
+## When to Use
+
+- When investigating security incidents that require detecting aws cloudtrail anomalies
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `boto3` library
@@ -15,6 +15,14 @@ license: Apache-2.0

 This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

+
+## When to Use
+
+- When investigating security incidents that require detecting aws iam privilege escalation
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.8+ with boto3 library
@@ -15,6 +15,14 @@ license: Apache-2.0

 Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application consent grants, service principal abuse, cross-tenant access policies, and stolen refresh tokens rather than SMB/RDP connections. Detection requires correlating Microsoft Graph API audit logs, Azure AD sign-in logs, and Entra ID protection risk events using KQL queries in Microsoft Sentinel. This skill covers building detection analytics for common Azure lateral movement techniques including application impersonation, mailbox delegation abuse, and conditional access policy bypasses.

+
+## When to Use
+
+- When investigating security incidents that require detecting azure lateral movement
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Azure subscription with Microsoft Sentinel workspace configured
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 AI-powered BEC detection uses machine learning, NLP, and behavioral analytics to identify sophisticated impersonation attacks that contain no malicious links or attachments. Traditional rule-based filters miss these attacks because BEC relies purely on social engineering. Modern AI approaches analyze writing style, tone, vocabulary, grammatical patterns, and behavioral context to determine if an email genuinely comes from the stated sender. BERT-based models achieve 98.65% accuracy in BEC detection, and AI-enhanced platforms show a 25% increase in phishing identification over keyword-based rules.

+
+## When to Use
+
+- When investigating security incidents that require detecting business email compromise with ai
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - AI-powered email security platform (Abnormal Security, Tessian, Microsoft Defender)
 - Historical email data for baseline training (minimum 30 days)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This skill covers detection techniques using email gateway rules, behavioral analytics, and financial process controls.

+
+## When to Use
+
+- When investigating security incidents that require detecting business email compromise
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - Email security gateway with BEC detection capabilities
 - Understanding of organizational financial processes and approval chains
@@ -14,6 +14,14 @@ license: Apache-2.0

 Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators such as namespace manipulation, capability abuse, kernel exploits, mounted sensitive paths, and anomalous syscall patterns using runtime security tools like Falco, Sysdig, and custom seccomp/audit rules.

+
+## When to Use
+
+- When investigating security incidents that require detecting container escape attempts
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Linux host with kernel 5.10+ (eBPF support)
@@ -22,6 +22,14 @@ license: Apache-2.0

 Credential dumping (MITRE ATT&CK T1003) is a post-exploitation technique where adversaries extract authentication credentials from OS memory, registry hives, or domain controller databases. This skill covers detection of LSASS memory access via Sysmon Event ID 10 (ProcessAccess), SAM registry hive export via reg.exe, NTDS.dit extraction via ntdsutil/vssadmin, and comsvcs.dll MiniDump abuse. Detection rules analyze GrantedAccess bitmasks, suspicious calling processes, and known tool signatures.

+
+## When to Use
+
+- When investigating security incidents that require detecting credential dumping techniques
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Sysmon v14+ deployed with ProcessAccess logging (Event ID 10) for lsass.exe
@@ -15,6 +15,14 @@ license: Apache-2.0

 DNS exfiltration exploits the Domain Name System as a covert channel to extract data from compromised networks. Attackers encode stolen data into DNS query names (subdomains) or DNS response records (TXT, CNAME, NULL), bypassing traditional security controls that typically allow DNS traffic unrestricted. Tools like iodine, dnscat2, and dns2tcp enable full TCP tunneling over DNS. Detection requires analyzing DNS query patterns for anomalies including excessive query length, high entropy subdomain strings, abnormal query volumes to single domains, and oversized TXT record responses. This skill covers building a comprehensive DNS exfiltration detection capability using passive DNS analysis, statistical methods, and machine learning approaches.

+
+## When to Use
+
+- When investigating security incidents that require detecting dns exfiltration with dns query analysis
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Access to DNS query logs (passive DNS capture, DNS server logs, or PCAP)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Email account compromise (EAC) is a prevalent attack vector where adversaries gain unauthorized access to mailboxes to exfiltrate sensitive data, conduct business email compromise (BEC), or establish persistence through inbox rule manipulation. Attackers commonly create forwarding rules to siphon emails, delete rules to hide evidence, or use OAuth tokens for persistent access. Detection relies on analyzing Microsoft 365 Unified Audit Logs, Azure AD sign-in logs for impossible travel or suspicious locations, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules to external addresses, rules that delete or move messages matching keywords like "invoice" or "payment", and sign-ins from unusual user agents such as python-requests.

+
+## When to Use
+
+- When investigating security incidents that require detecting email account compromise
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Microsoft 365 with Unified Audit Logging enabled
@@ -18,6 +18,14 @@ DNS tunneling and exfiltration is a technique used by attackers to bypass firewa

 This skill analyzes Zeek dns.log files (TSV format) to detect exfiltration indicators. The agent computes Shannon entropy for each subdomain component, identifies queries exceeding the 63-character DNS label limit, counts unique subdomains per parent domain, and flags domains that exceed configurable thresholds. These techniques detect tools like dnscat2, iodine, dns2tcp, and custom DNS tunneling implementations.

+
+## When to Use
+
+- When investigating security incidents that require detecting exfiltration over dns with zeek
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9 or later with math and collections modules (stdlib)
@@ -22,6 +22,14 @@ license: Apache-2.0

 A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceeding domain policy, correlating TGS requests with missing corresponding TGT requests (Event ID 4768), and detecting krbtgt password age anomalies.

+
+## When to Use
+
+- When investigating security incidents that require detecting golden ticket forgery
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows Domain Controller with Kerberos audit logging enabled
@@ -15,6 +15,14 @@ license: Apache-2.0

 User and Entity Behavior Analytics (UEBA) moves beyond static rule-based detection to model normal behavior for users, hosts, and applications, then flag statistically significant deviations that may indicate insider threats. Using Elasticsearch as the analytics backend, this skill covers building behavioral baselines from authentication logs, file access events, and network activity, computing risk scores using statistical deviation and peer group comparison, and correlating multiple low-confidence indicators into high-confidence insider threat alerts.

+
+## When to Use
+
+- When investigating security incidents that require detecting insider threat with ueba
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Elasticsearch 8.x or OpenSearch 2.x cluster with security audit data
@@ -15,6 +15,14 @@ license: Apache-2.0

 Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe, and other LOLBins using process telemetry from Sysmon and Windows Event Logs, combined with Sigma rule-based detection.

+
+## When to Use
+
+- When investigating security incidents that require detecting living off the land with lolbas
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging enabled
@@ -26,6 +26,14 @@ This skill covers building detection rules that correlate these events to identi
 malicious scheduled tasks created from suspicious paths, with encoded payloads, or
 targeting remote systems.

+
+## When to Use
+
+- When investigating security incidents that require detecting malicious scheduled tasks with sysmon
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Sysmon installed with a detection-focused configuration (e.g., SwiftOnSecurity or Olaf Hartong)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Network scanning is typically the first phase of an attack, where adversaries enumerate live hosts, open ports, running services, and OS versions using tools like Nmap, Masscan, ZMap, and custom scanners. Detecting this reconnaissance activity provides early warning of potential attacks. IDS/IPS systems like Suricata and Snort can identify scanning through signature-based detection (matching known scanner packet patterns), threshold-based detection (counting connection attempts over time), and anomaly detection (identifying unusual traffic patterns). This skill covers writing and deploying IDS signatures for scan detection, configuring threshold-based alerting, and correlating scan activity with downstream attack indicators.

+
+## When to Use
+
+- When investigating security incidents that require detecting network scanning with ids signatures
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Suricata 7.0+ or Snort 3.0+ deployed in IDS/IPS mode
@@ -22,6 +22,14 @@ license: Apache-2.0

 Pass-the-Ticket (PtT) is a credential theft technique (MITRE ATT&CK T1550.003) where adversaries steal Kerberos tickets (TGT or TGS) from one system and replay them on another to authenticate without knowing the user's password. This skill teaches detection of PtT attacks by correlating Windows Security Event IDs 4768 (TGT request), 4769 (TGS request), and 4771 (pre-authentication failure) for anomalies such as ticket reuse across different hosts, RC4 encryption downgrades, and unusual service ticket request volumes.

+
+## When to Use
+
+- When investigating security incidents that require detecting pass the ticket attacks
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows Domain Controller with advanced audit policy enabled (Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split QR codes (two separate images), nested QR codes, and ASCII text-based QR codes to evade detection.

+
+## When to Use
+
+- When investigating security incidents that require detecting qr code phishing with email security
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - Email security gateway with image analysis capabilities
 - Understanding of QR code structure and encoding
@@ -14,6 +14,14 @@ license: Apache-2.0

 RDP brute force attacks target Windows Remote Desktop Protocol services by attempting rapid credential guessing against exposed RDP endpoints. Detection relies on analyzing Windows Security Event Logs for Event ID 4625 (failed logon with Logon Type 10 or 3) and correlating with Event ID 4624 (successful logon) to identify compromised accounts. This skill covers parsing EVTX files with python-evtx, identifying attack patterns through source IP frequency analysis, detecting NLA bypass attempts, and generating actionable detection reports.

+
+## When to Use
+
+- When investigating security incidents that require detecting rdp brute force attacks
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `python-evtx`, `lxml` libraries
@@ -15,6 +15,14 @@ license: Apache-2.0

 Shadow IT refers to unauthorized SaaS applications and cloud services used without IT approval. This skill analyzes proxy logs, DNS query logs, and firewall/netflow data to identify unauthorized cloud service usage, classify discovered domains against known SaaS categories, measure data transfer volumes, and flag high-risk services based on security posture and compliance requirements.

+
+## When to Use
+
+- When investigating security incidents that require detecting shadow it cloud usage
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `pandas`, `tldextract`
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, Mimecast, and Barracuda provide advanced detection capabilities including behavioral analysis, URL detonation, attachment sandboxing, and impersonation detection. This skill covers configuring these gateways to detect and block targeted phishing attacks.

+
+## When to Use
+
+- When investigating security incidents that require detecting spearphishing with email gateway
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - Access to email security gateway admin console
 - Understanding of email flow architecture (MX records, transport rules)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Illicit consent grant attacks trick users into granting excessive permissions to malicious OAuth applications in Azure AD / Microsoft Entra ID. This skill uses the Microsoft Graph API to enumerate OAuth2 permission grants, analyze application permissions for overly broad scopes, review directory audit logs for consent events, and flag high-risk applications based on publisher verification status and permission scope.

+
+## When to Use
+
+- When investigating security incidents that require detecting suspicious oauth application consent
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Azure AD / Entra ID tenant with Global Reader or Security Reader role
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules. Within vulnerability management, Metasploit serves as a validation tool to confirm that identified vulnerabilities are actually exploitable, enabling risk-based prioritization and demonstrating real-world impact to stakeholders.

+
+## When to Use
+
+- When performing authorized security testing that involves exploiting vulnerabilities with metasploit framework
+- When analyzing malware samples or attack artifacts in a controlled environment
+- When conducting red team exercises or penetration testing engagements
+- When building detection capabilities based on offensive technique understanding
+
 ## Prerequisites
 - Metasploit Framework installed (Kali Linux or standalone)
 - PostgreSQL database for session/credential management
@@ -14,6 +14,14 @@ license: Apache-2.0

 Agent Tesla is a .NET-based Remote Access Trojan (RAT) and keylogger that ranked among the top 10 malware variants in 2024, impacting 6.3% of corporate networks globally. It exfiltrates stolen credentials via SMTP email, FTP upload, Telegram bot API, or Discord webhooks. The malware configuration is embedded in the .NET assembly, typically obfuscated using string encryption, resource encryption, or custom loaders that decrypt and execute Agent Tesla in memory via .NET Reflection (fileless). Configuration extraction involves decompiling the .NET assembly with dnSpy or ILSpy, identifying the decryption routine for configuration strings, and extracting SMTP server addresses, credentials, FTP endpoints, Telegram bot tokens, and targeted applications.

+
+## When to Use
+
+- When performing authorized security testing that involves extracting config from agent tesla rat
+- When analyzing malware samples or attack artifacts in a controlled environment
+- When conducting red team exercises or penetration testing engagements
+- When building detection capabilities based on offensive technique understanding
+
 ## Prerequisites

 - dnSpy or ILSpy for .NET decompilation
@@ -14,6 +14,14 @@ license: Apache-2.0

 Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce least-privilege principles across Docker daemon, images, containers, and runtime configurations.

+
+## When to Use
+
+- When deploying or configuring hardening docker containers for production capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Docker Engine 24.0+ installed
@@ -24,6 +24,14 @@ PowerShell. Combined with Module Logging (4103) and process creation events, ana
 detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools,
 and fileless attack techniques even when the attacker uses obfuscation layers.

+
+## When to Use
+
+- When investigating security incidents that require hunting for anomalous powershell execution
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
@@ -15,6 +15,14 @@ license: Apache-2.0

 Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic.

+
+## When to Use
+
+- When investigating security incidents that require hunting for cobalt strike beacons
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Zeek 6.0+ with JA3 and HASSH packages installed
@@ -15,6 +15,14 @@ license: Apache-2.0

 Before exfiltrating data, adversaries typically stage collected files in a central location (MITRE ATT&CK T1074). This involves creating archives with tools like 7-Zip, RAR, or tar, consolidating files from multiple directories, and using temporary or hidden staging directories. This skill detects staging behavior by analyzing process creation logs for archiver activity, monitoring file system events in common staging paths, and identifying anomalous file consolidation patterns.

+
+## When to Use
+
+- When investigating security incidents that require hunting for data staging before exfiltration
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - EDR or Sysmon telemetry with process creation and file system events
@@ -15,6 +15,14 @@ license: Apache-2.0

 Attackers establish DNS-based persistence by hijacking DNS records, creating unauthorized subdomains, abusing wildcard DNS entries, or modifying NS delegations to redirect traffic through attacker-controlled infrastructure. These techniques survive credential rotations, endpoint reimaging, and traditional remediation because DNS changes persist independently of compromised hosts. Detection requires passive DNS historical analysis, zone file auditing, and monitoring for unauthorized record modifications. This skill covers hunting methodologies using SecurityTrails passive DNS API, DNS audit logs from Route53/Azure DNS/Cloudflare, and zone transfer analysis.

+
+## When to Use
+
+- When investigating security incidents that require hunting for dns based persistence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - SecurityTrails API key (free tier provides 50 queries/month)
@@ -22,6 +22,14 @@ license: Apache-2.0

 Domain fronting (MITRE ATT&CK T1090.004) is a technique where attackers use different domain names in the TLS SNI field and the HTTP Host header to disguise C2 traffic behind legitimate CDN-hosted domains. This skill detects domain fronting by parsing proxy/web gateway logs for SNI-Host header mismatches, analyzing TLS certificates for CDN provider identification, flagging connections where the SNI points to a high-reputation domain but the Host header targets an attacker-controlled domain, and correlating with known CDN provider IP ranges.

+
+## When to Use
+
+- When investigating security incidents that require hunting for domain fronting c2 traffic
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Web proxy or secure web gateway logs with SNI and Host header fields
@@ -14,6 +14,14 @@ license: Apache-2.0

 Windows Management Instrumentation (WMI) is commonly abused for lateral movement via `wmic process call create` or Win32_Process.Create() to execute commands on remote hosts. Detection focuses on identifying WmiPrvSE.exe spawning child processes (cmd.exe, powershell.exe) in Windows Security Event ID 4688 and Sysmon Event ID 1 logs, along with WMI-Activity/Operational events (5857, 5860, 5861) for event subscription persistence.

+
+## When to Use
+
+- When investigating security incidents that require hunting for lateral movement via wmi
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows Security Event Logs with Process Creation auditing enabled (Event 4688 with command line)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Process injection (MITRE ATT&CK T1055) allows adversaries to execute code in the address space of another process, enabling defense evasion and privilege escalation. This skill detects injection techniques via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of source-target process relationships to distinguish legitimate from malicious injection.

+
+## When to Use
+
+- When investigating security incidents that require hunting for process injection techniques
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Sysmon installed with Event IDs 8 and 10 enabled
@@ -14,6 +14,14 @@ license: Apache-2.0

 Registry Run keys (T1547.001) are one of the most commonly used persistence mechanisms by adversaries. When a program is added to a Run key in the Windows registry, it executes automatically when a user logs in. Attackers abuse keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and their RunOnce counterparts to maintain persistence. Sysmon Event ID 13 (RegistryEvent - Value Set) captures registry value modifications including the target object path, the process that made the change, and the new value. Detection involves monitoring these events for suspicious executables in temp directories, encoded PowerShell commands, LOLBin paths, and processes that do not normally create Run key entries. Chaining Event 13 with Event 1 (Process Creation) and Event 11 (FileCreate) strengthens detection by confirming payload creation and execution.

+
+## When to Use
+
+- When investigating security incidents that require hunting for registry run key persistence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows systems with Sysmon installed and configured to log Event ID 13
@@ -15,6 +15,14 @@ license: Apache-2.0

 Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.

+
+## When to Use
+
+- When investigating security incidents that require hunting for startup folder persistence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `watchdog`, `pefile` (optional for PE analysis)
@@ -14,6 +14,14 @@ license: Apache-2.0

 MITRE ATT&CK T1098 (Account Manipulation) covers adversary actions to maintain or expand access to compromised accounts, including adding credentials, modifying group memberships, SID history injection, and creating shadow admin accounts. This skill covers detecting these techniques through Windows Security Event Log analysis (Event IDs 4738, 4728, 4732, 4756, 4670, 5136), correlating group membership changes with privilege escalation indicators, and identifying anomalous account modification patterns.

+
+## When to Use
+
+- When investigating security incidents that require hunting for t1098 account manipulation
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Windows Security Event Logs (EVTX format) or SIEM access
@@ -15,6 +15,14 @@ license: Apache-2.0

 Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns.

+
+## When to Use
+
+- When investigating security incidents that require hunting for unusual service installations
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites

 - Python 3.9+ with `python-evtx`, `lxml`
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Security awareness training is the human layer of phishing defense. An effective anti-phishing training program combines regular simulations, interactive learning modules, metric tracking, and positive reinforcement to build a security-conscious culture. This skill covers designing, deploying, and measuring a comprehensive phishing awareness program using platforms like KnowBe4, Proofpoint Security Awareness, and open-source alternatives.

+
+## When to Use
+
+- When deploying or configuring implementing anti phishing training program capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Management buy-in and budget approval
 - Security awareness training platform (KnowBe4, Proofpoint SAT, Cofense)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 XM Cyber is a continuous exposure management platform that uses attack graph analysis to identify how adversaries can chain together exposures -- vulnerabilities, misconfigurations, identity risks, and credential weaknesses -- to reach critical business assets. According to XM Cyber's 2024 research analyzing over 40 million exposures across 11.5 million entities, organizations typically have around 15,000 exploitable exposures, but traditional CVEs account for less than 1% of total exposures. The platform identifies that only 2% of exposures reside on "choke points" of converging attack paths, enabling security teams to focus on fixes that eliminate the most risk with the least effort.

+
+## When to Use
+
+- When deploying or configuring implementing attack path analysis with xm cyber capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - XM Cyber platform license and tenant access
 - Network connectivity to monitored environments (on-premises, cloud, hybrid)
@@ -15,6 +15,14 @@ license: Apache-2.0

 IAM permission boundaries are an advanced AWS feature that sets the maximum permissions an identity-based policy can grant to an IAM entity (user or role). They enable centralized security teams to safely delegate IAM role and policy creation to application developers without risking privilege escalation. The effective permissions of an entity are the intersection of its identity-based policies and its permission boundary -- even if an identity policy grants `AdministratorAccess`, the permission boundary restricts it to only the allowed actions.

+
+## When to Use
+
+- When deploying or configuring implementing aws iam permission boundaries capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - AWS account with IAM administrative access
@@ -15,6 +15,14 @@ license: Apache-2.0

 Microsoft Entra Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate risks from excessive, unnecessary, or misused access to critical resources. PIM replaces permanent (standing) privilege assignments with eligible assignments that require users to explicitly activate their role before use, with configurable duration, MFA enforcement, approval workflows, and justification requirements. This is a core component of Zero Trust identity governance in Microsoft environments.

+
+## When to Use
+
+- When deploying or configuring implementing azure ad privileged identity management capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Microsoft Entra ID P2 or Microsoft Entra ID Governance license
@@ -15,6 +15,14 @@ license: Apache-2.0

 Resource Public Key Infrastructure (RPKI) provides cryptographic validation of BGP route origins to prevent route hijacking and accidental route leaks. RPKI enables network operators to create Route Origin Authorizations (ROAs) that declare which Autonomous Systems (ASes) are authorized to originate specific IP prefixes. BGP routers validate received route announcements against RPKI data through Route Origin Validation (ROV), rejecting routes with invalid origins. This skill covers creating ROAs through Regional Internet Registries (RIRs), deploying RPKI validator software, configuring ROV on Cisco IOS-XE and Juniper Junos routers, and implementing BGP filtering policies based on RPKI validation state.

+
+## When to Use
+
+- When deploying or configuring implementing bgp security with rpki capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - IP address space allocated from an RIR (ARIN, RIPE, APNIC, AFRINIC, LACNIC)
@@ -14,6 +14,14 @@ license: Apache-2.0

 Calico provides Kubernetes-native and extended network policy enforcement through its CNI plugin. This skill covers creating and auditing Calico NetworkPolicy and GlobalNetworkPolicy resources to implement pod-to-pod traffic control, namespace isolation, egress restrictions, and DNS-based policy rules using calicoctl and the Kubernetes API.

+
+## When to Use
+
+- When deploying or configuring implementing container network policies with calico capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Kubernetes cluster with Calico CNI installed
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, SIEM detection, and incident response capabilities. Leading platforms include SafeBreach, AttackIQ, Picus Security (2024 Gartner Customers' Choice), Cymulate, Pentera, and SCYTHE. BAS 2.0 solutions safely emulate real attacker behavior across the entire IT environment without requiring pre-deployed agents on every endpoint.

+
+## When to Use
+
+- When deploying or configuring implementing continuous security validation with bas capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - BAS platform license (SafeBreach, AttackIQ, Picus, Cymulate, or Pentera)
 - Deployed security controls to validate (EDR, NGFW, email gateway, SIEM, WAF)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Cloudflare provides multi-layer DDoS protection across its global network of over 300 data centers with 477+ Tbps of capacity. The platform protects against L3/4 volumetric attacks (SYN floods, UDP amplification, DNS reflection), protocol attacks (Ping of Death, Smurf), and L7 application-layer attacks (HTTP floods, Slowloris, cache-busting). Cloudflare's autonomous detection systems identify and mitigate attacks within approximately 3 seconds using traffic profiling, machine learning, and adaptive rulesets. This skill covers configuring Cloudflare's DDoS protection stack including managed rulesets, WAF rules, rate limiting, Bot Management, and origin server hardening.

+
+## When to Use
+
+- When deploying or configuring implementing ddos mitigation with cloudflare capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Cloudflare account (Pro plan minimum for WAF, Enterprise for Advanced DDoS)
@@ -15,6 +15,14 @@ license: Apache-2.0

 Canary Tokens are lightweight tripwire mechanisms that alert when an attacker accesses a resource. This skill uses the Thinkst Canary REST API to programmatically create tokens (web bugs, DNS tokens, MS Word documents, AWS API keys), deploy them to strategic locations, monitor for triggered alerts, and generate deception coverage reports.

+
+## When to Use
+
+- When deploying or configuring implementing deception based detection with canarytoken capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Thinkst Canary Console or canarytokens.org account
@@ -18,6 +18,14 @@ license: Apache-2.0

 The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically to classify and correlate intrusion events, build activity threads linking related events, create activity-attack graphs, and generate pivot-ready intelligence from intrusion data.

+
+## When to Use
+
+- When deploying or configuring implementing diamond model analysis capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Python 3.9+ with `networkx`, `stix2`, `graphviz` libraries
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper implementation drastically reduces phishing attacks that impersonate your organization's domain.

+
+## When to Use
+
+- When deploying or configuring implementing dmarc dkim spf email security capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - DNS management access for your domain
 - Access to email server/MTA configuration (Postfix, Exchange, Google Workspace, Microsoft 365)
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry-leading solution that uses multi-stage sandboxing, URL rewriting, and predictive analysis. This skill covers configuring Proofpoint TAP, integrating with email flow, analyzing sandbox reports, and tuning detection policies.

+
+## When to Use
+
+- When deploying or configuring implementing email sandboxing with proofpoint capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Proofpoint Email Protection license with TAP add-on
 - Admin access to Proofpoint admin console
@@ -14,6 +14,14 @@ license: Apache-2.0

 Wazuh is an open-source SIEM and XDR platform for endpoint monitoring, threat detection, and compliance. This skill covers managing agents via the Wazuh REST API, creating custom decoders and rules in XML for organization-specific detections, querying alerts, and testing rule logic using the logtest endpoint.

+
+## When to Use
+
+- When deploying or configuring implementing endpoint detection with wazuh capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Wazuh Manager 4.x deployed with API enabled
@@ -15,6 +15,14 @@ license: Apache-2.0

 AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system that monitors file and directory integrity using cryptographic checksums. This skill covers generating AIDE configuration files, initializing baseline databases, running integrity checks, parsing change reports, and setting up automated cron-based monitoring with alerting.

+
+## When to Use
+
+- When deploying or configuring implementing file integrity monitoring with aide capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - AIDE installed on target Linux system (apt install aide / yum install aide)
@@ -15,6 +15,14 @@ license: Apache-2.0

 AFL++ (American Fuzzy Lop Plus Plus) is a community-maintained fork of AFL that provides state-of-the-art coverage-guided fuzz testing for discovering vulnerabilities in compiled applications. AFL++ uses genetic algorithms to mutate inputs, tracking code coverage to find new execution paths that trigger crashes, hangs, and undefined behavior. In CI/CD environments, AFL++ can be integrated to continuously test parsers, protocol handlers, file format processors, and any code that handles untrusted input. AFL++ supports persistent mode for high-speed fuzzing (up to 100,000+ executions per second), custom mutators, QEMU mode for binary-only fuzzing, and CmpLog/RedQueen for automatic dictionary extraction.

+
+## When to Use
+
+- When deploying or configuring implementing fuzz testing in cicd with aflplusplus capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Linux-based CI runners (AFL++ does not support Windows natively)
@@ -14,6 +14,14 @@ license: Apache-2.0
 ## Overview
 The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill covers implementing the technical and organizational measures required by GDPR, including data protection by design and by default, Data Protection Impact Assessments (DPIAs), data subject rights management, breach notification procedures, and cross-border data transfer mechanisms.

+
+## When to Use
+
+- When deploying or configuring implementing gdpr data protection controls capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Understanding of EU data protection law and its territorial scope
 - Knowledge of personal data processing activities within the organization
@@ -15,6 +15,14 @@ license: Apache-2.0

 GitHub Advanced Security (GHAS) integrates CodeQL-powered static application security testing directly into the GitHub development workflow. CodeQL treats code as data, enabling semantic analysis that identifies security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and authentication flaws with significantly fewer false positives than traditional pattern-matching scanners. GHAS encompasses code scanning, secret scanning, dependency review, and Dependabot alerts to provide a comprehensive security posture for repositories.

+
+## When to Use
+
+- When deploying or configuring implementing github advanced security for code scanning capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - GitHub Enterprise Cloud or GitHub Enterprise Server 3.0+ with GHAS license
@@ -13,6 +13,14 @@ license: Apache-2.0
 ## Overview
 Google Workspace provides advanced phishing and malware protection through the Admin Console under Apps > Google Workspace > Gmail > Safety. Key features include Enhanced Pre-Delivery Scanning that examines messages more thoroughly before they reach inboxes, attachment and link protection that scans for malware and checks against known malicious sites, and spoofing detection for domain and employee name impersonation. Google's Advanced Protection Program (APP) provides the strongest account security for high-privilege users.

+
+## When to Use
+
+- When deploying or configuring implementing google workspace phishing protection capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites
 - Google Workspace Business Standard or higher license
 - Gmail Settings administrator privilege
@@ -15,6 +15,14 @@ license: Apache-2.0

 Single Sign-On (SSO) for Google Workspace allows organizations to authenticate users through their existing identity provider (IdP) such as Okta, Azure AD (Microsoft Entra ID), or ADFS, rather than managing separate Google passwords. This is implemented using SAML 2.0 protocol where Google Workspace acts as the Service Provider (SP) and the organization's IdP handles authentication. SSO centralizes credential management, enforces MFA policies at the IdP, and enables immediate access revocation when users leave the organization.

+
+## When to Use
+
+- When deploying or configuring implementing google workspace sso configuration capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
 ## Prerequisites

 - Google Workspace Business, Enterprise, or Education edition
@@ -2,8 +2,8 @@
 name: implementing-identity-verification-for-zero-trust
 description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model.
 domain: cybersecurity
-subdomain: security-operations
-tags: [cybersecurity]
+subdomain: zero-trust-architecture
+tags: [zero-trust, identity, authentication, mfa, identity-verification]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -11,19 +11,12 @@ license: Apache-2.0

 # Implementing Identity Verification for Zero Trust

---
-domain: cybersecurity
-subdomain: zero-trust-architecture
-author: mahipal
-tags: [zero-trust, identity, authentication, mfa, identity-verification]
-difficulty: advanced
-estimated_time: 4-6 hours
-prerequisites:
-  - Understanding of zero trust principles (NIST SP 800-207)
-  - Familiarity with identity providers (Azure AD, Okta, Ping Identity)
-  - Knowledge of authentication protocols (SAML 2.0, OIDC, FIDO2)
-  - Understanding of MFA and passwordless authentication
---
+## Prerequisites
+
+- Understanding of zero trust principles (NIST SP 800-207)
+- Familiarity with identity providers (Azure AD, Okta, Ping Identity)
+- Knowledge of authentication protocols (SAML 2.0, OIDC, FIDO2)
+- Understanding of MFA and passwordless authentication

 ## Overview

--- a/Show More
+++ b/Show More