// Digital forensics and incident response - Windows event log analysis, PCAP forensics, filesystem artifact analysis, AD attack detection, and timeline correlation. Use when investigating security incidents, analyzing Sherlocks, or performing threat hunting on provided evidence files.
API security testing - GraphQL, REST API, WebSocket, and Web-LLM attack techniques.
Stitches confirmed single-asset findings into multi-hop attack paths across the organization. Builds a graph where nodes are assets and edges are confirmed exploit hops citing the findings that enable them.
Authentication security testing - auth bypass, JWT attacks, OAuth flaws, password attacks, 2FA bypass, CAPTCHA bypass, and bot detection evasion.
Cloud and container security testing - AWS, Azure, GCP, Docker, and Kubernetes misconfigurations and exploitation.
Pentest coordination — orchestrates executor and validator agents with context-controlled spawning. Entry point for all engagements.
Cryptanalysis techniques — lattice attacks, padding oracles, weak-RNG exploitation, signature forgery, secret-sharing recovery.
| name | dfir |
| description | Digital forensics and incident response - Windows event log analysis, PCAP forensics, filesystem artifact analysis, AD attack detection, and timeline correlation. Use when investigating security incidents, analyzing Sherlocks, or performing threat hunting on provided evidence files. |
Investigate security incidents by analyzing event logs, network captures, and filesystem artifacts. Detect and reconstruct AD attack chains.
| Domain | Key Capabilities |
|---|---|
| Windows Event Logs | EVTX parsing, Event ID correlation, logon tracking, privilege enumeration |
| Network Forensics | PCAP analysis, NTLM extraction, LLMNR/NBT-NS poisoning detection, relay identification |
| Filesystem Forensics | MFT parsing, Prefetch analysis, VSS artifact recovery, Linux persistence, timeline reconstruction |
| AD Attack Detection | Kerberoasting, AS-REP roasting, NTDS dump, NTLM relay, credential theft |
| Memory Forensics | Volatility3 analysis: process trees, file extraction, SID resolution, command lines |
| Hash Analysis | NTLMv2 hash construction from pcap, offline cracking validation |
python-evtx, pcap with tshark, MFT with analyzeMFTpip install python-evtx windowsprefetch analyzeMFT
brew install wireshark p7zip hashcat
| Tool | Purpose |
|---|---|
python-evtx | Parse Windows .evtx files |
tshark | CLI pcap analysis (NTLM, LLMNR, SMB filters) |
analyzeMFT | Parse NTFS Master File Table |
windowsprefetch | Parse Windows prefetch files (Windows host only) |
hashcat | Hash cracking (NTLMv2 mode 5600, Kerberos mode 13100/18200) |
volatility3 | Memory dump analysis (pstree, filescan, dumpfiles, getsid, cmdline) |
7z | Extract AES-encrypted evidence ZIPs |
| Event ID | Log | Indicates |
|---|---|---|
| 4624 | Security | Successful logon (check Type + IP mismatch) |
| 4768 | Security | TGT request (PreAuthType=0 → AS-REP roast) |
| 4769 | Security | TGS request (EncType=0x17 → Kerberoast) |
| 4799 | Security | Group membership enumerated (VSS/ntdsutil) |
| 5140 | Security | Network share accessed |
| 7036 | System | Service state change (VSS start → NTDS dump) |
| 325/326/327 | Application | ESENT database create/detach/close |
| 330 | Application | ESENT database file info |
| 3006/3008 | DNS Client Events | DNS query sent/response received (malicious domain lookups) |
| 106/200 | Task Scheduler | Scheduled task created/executed (persistence via schtasks) |
$shell), include language-specific string delimiters and terminators (e.g., 'value'; not just value). Check placeholder hints for format clues.fnstenv/pop decoder stub, convert signed integers to raw bytes and test a Shikata-style rolling XOR decode before treating the shellcode as corrupt.BOUNDSHEET records for hidden or very hidden worksheets and specifically check for Excel 4.0 macro sheets; changing the hidden-state byte or parsing the sheet directly can expose staged strings and flag fragments that never appear in normal workbook views.[array]::Reverse($charArr) followed by FromBase64String("$charArr"), the -join line is often a red herring — string interpolation of a char array uses $OFS=' ' and FromBase64String tolerates whitespace. Reverse the original base64 string (not the joined-with-spaces version) and decode to get stage 2.$partN in the malware that is defined but never referenced (often base64'd), and (b) a field of the captured C2 POST body. Decrypt the body with the static AES key from the leaked stage-2 source (PowerShell Encrypt-String puts IV‖ciphertext then base64-wraps); inspect every JSON field for further base64.python-evtx (XML namespace: http://schemas.microsoft.com/win/2004/08/events/event)tshark for pcap (not scapy for large files) — filter with -Y display filtersdissect.util.compression.lzxpress_huffman7z not unzip