dfir AI Agent Skills

Browse 18 skills related to dfir

analysing-attack

252
tsaletsale

Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence

131 days ago

forensics-osquery

64
AgentSecOpsAgentSecOps

SQL-powered forensic investigation and system interrogation using osquery to query operating systems as relational databases. Enables rapid evidence collection, threat hunting, and incident response across Linux, macOS, and Windows endpoints. Use when: (1) Investigating security incidents and collecting forensic artifacts, (2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running processes, network connections, and persistence mechanisms, (4) Collecting system state during incident response, (5) Querying file hashes, user activity, and system configuration for compromise indicators, (6) Building detection queries for continuous monitoring with osqueryd.

forensicsosqueryincident-response+5
132 days ago

ir-velociraptor

64
AgentSecOpsAgentSecOps

Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.

forensicsincident-responseendpoint-detection+5
132 days ago

drone-inspection-specialist

43
Erichowens Some Claude Skills Drone Inspection SpecialistErichowens Some Claude Skills Drone Inspection Specialist

Advanced CV for infrastructure inspection including forest fire detection, wildfire precondition assessment, roof inspection, hail damage analysis, thermal imaging, and 3D Gaussian Splatting reconstruction. Expert in multi-modal detection, insurance risk modeling, and reinsurance data pipelines. Activate on "fire detection", "wildfire risk", "roof inspection", "hail damage", "thermal analysis", "Gaussian Splatting", "3DGS", "insurance inspection", "defensible space", "property assessment", "catastrophe modeling", "NDVI", "fuel load". NOT for general drone flight control, SLAM, path planning, or sensor fusion (use drone-cv-expert), GPU shader development (use metal-shader-expert), or generic object detection without inspection context (use clip-aware-embeddings).

inspectionfire-detectionthermal+2
131 days ago

velociraptor

6
refractionPOINTrefractionPOINT

Velociraptor DFIR integration for LimaCharlie. List available VQL artifacts, view artifact definitions, launch forensic collections on endpoints. Find raw collection data in Artifacts (type:velociraptor, source:SID). Query processed JSON events from the 'velociraptor' sensor (tag:ext:ext-velociraptor). Build D&R rules for velociraptor_collection events. Use for: forensic triage, incident response, threat hunting, VQL artifact collection.

131 days ago

eradicating-malware-from-infected-systems

2
mukul975mukul975

Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection.

incident-responseeradicationmalware-removal+2
131 days ago

analyzing-windows-shellbag-artifacts

2
mukul975mukul975

Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.

shellbagswindows-registrysbecmd+7
131 days ago

containing-active-security-breach

2
mukul975mukul975

Rapidly contain an active security breach by isolating compromised systems, blocking attacker communications, and preserving evidence while minimizing business disruption.

incident-responsecontainmentbreach-response+2
131 days ago

performing-active-directory-compromise-investigation

2
mukul975mukul975

Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths.

active-directorycompromise-investigationidentity-forensics+5
131 days ago

collecting-volatile-evidence-from-compromised-host

2
mukul975mukul975

Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, network connections, processes, and system state before they are lost.

incident-responsedfirforensics+3
131 days ago

building-incident-timeline-with-timesketch

2
mukul975mukul975

Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.

timesketchtimeline-analysisforensic-timeline+4
131 days ago

performing-insider-threat-investigation

2
mukul975mukul975

Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.

insider-threatuser-behavior-analyticsdata-exfiltration+2
131 days ago

performing-memory-forensics-with-volatility3-plugins

2
mukul975mukul975

Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory images.

memory-forensicsvolatility3malware-analysis+4
131 days ago

implementing-velociraptor-for-ir-collection

2
mukul975mukul975

Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.

velociraptordfirendpoint-collection+5
131 days ago

performing-windows-artifact-analysis-with-eric-zimmerman-tools

2
mukul975mukul975

Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.

eric-zimmermanez-toolskape+9
131 days ago

performing-ransomware-incident-response

2
mukul975mukul975

Execute a structured ransomware incident response including containment, decryption assessment, recovery from backups, and eradication of ransomware persistence mechanisms.

incident-responseransomwaredfir+3
131 days ago

conducting-memory-forensics-with-volatility

2
mukul975mukul975

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

memory-forensicsvolatilityRAM-analysis+2
131 days ago

analyzing-mft-for-deleted-file-recovery

2
mukul975mukul975

Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.

mftntfsdeleted-files+7
131 days ago
ClawiskillClawiskill
Network
Building with
?

Join Clawiskill today. The decentralized skill network for AI Agents.

Registry
70K+
Agent Joins
120K+
Explore Network