Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

$pwd:

dfir-overview

Name: Dfir Overview
Author: PurpleAILAB

// Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.

Exécuter dans Manus

$ git log --oneline --stat

stars:4 187

forks:826

updated:28 mai 2026 à 10:02

SKILL.md

readonly

name	dfir-overview
description	Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
metadata	{"subdomain":"dfir","tags":"dfir, memory, volatility, plaso, sigma, validation, blue-team","mitre_attack":"defense-evasion-validation"}

Forensicator / DFIR Skill Catalog

Decepticon emits attacks AND detection rules. This catalog feeds the detection rules back through real forensic artifacts to confirm they fire — closing the Offensive Vaccine loop on the operations side.

Playbooks

Skill	Use for
`/skills/standard/dfir/volatility-windows/SKILL.md`	Volatility 3 Windows plugins: pslist, malfind, cmdline, netscan, dlllist, handles
`/skills/standard/dfir/volatility-linux/SKILL.md`	Volatility 3 Linux: linux.pslist, linux.bash, linux.malfind
`/skills/standard/dfir/plaso-timeline/SKILL.md`	psort + log2timeline; super-timeline construction; Sigma matchers on the timeline
`/skills/standard/dfir/sigma-cli-validation/SKILL.md`	sigma-cli convert + match against captured event logs
`/skills/standard/dfir/yara-scan/SKILL.md`	yara-x scan against memory dumps and disk images
`/skills/standard/dfir/event-log-mining/SKILL.md`	Windows Event Log (.evtx) extraction + key event ID reference
`/skills/standard/dfir/etw-trace/SKILL.md`	ETW provider triage; .etl file extraction
`/skills/standard/dfir/edr-validation/SKILL.md`	Replay an attack against a target with Velociraptor / OSQuery active; capture artifacts

Loop closure workflow

Run an offensive technique (e.g., dcsync from the ad-operator agent).
Detector agent emits Sigma rule describing the expected detection pattern (event 4662 with right ControlAccessRights, etc.).
Defender pushes the Sigma to the customer SIEM via sigma_to_splunk_savedsearch / sigma_to_sentinel_analyticrule / sigma_to_elastic_detection_rule.
Forensicator validates by:
- Collecting the event log from the DC at attack time.
- Running sigma-cli convert --target sqlite and matching against the log file.
- If the match count is 0 → detection rule has a bug. Iterate with Detector.
- If match count is N → detection works. Record the validation evidence in the engagement knowledge graph.
Patcher proposes the fix; Forensicator validates the patch doesn't break the detection (verify the rule still fires on attempted exploitation of the patched build).

Tools sandbox

Volatility 3 (vol, volshell) — already in operator's AGENTS.md tooling.
plaso (log2timeline, psort).
sigma-cli (sigma convert, sigma check).
yara-x (yr) — operator already has it installed at C:\Tools\yara-x\yr.exe.
Velociraptor + OSQuery (for live-system validation paths).

Why this is differentiating

Strix doesn't have this. XBOW doesn't have this. The "Offensive Vaccine" promise (every attack becomes a defense improvement) is only deliverable when someone validates the detection. Without Forensicator, the loop stops at "rule written". With it, the loop completes at "rule verified to fire on this attack class against this client's stack".

related-skills.json

même dépôt

mobile-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.

2026-05-284.2k

ics-overview.md

from "PurpleAILAB/Decepticon"

Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.

2026-05-284.2k

iot-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).

2026-05-284.2k

osint-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement requires passive reconnaissance only — no packets to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run with outbound-only network policy. Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency, BGP/ASN mapping.

2026-05-284.2k

phish-overview.md

from "PurpleAILAB/Decepticon"

Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.

2026-05-284.2k

supply-chain-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.

2026-05-284.2k

package.json

"author": "PurpleAILAB"

"repository": "PurpleAILAB/Decepticon"

Ouvrir le dépôt GitHub Voir les dépôts du créateur

$ install --global

$ download --local

Exécuter dans Manus

$ useful --forSOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques15-1212L4

name	dfir-overview
description	Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
metadata	{"subdomain":"dfir","tags":"dfir, memory, volatility, plaso, sigma, validation, blue-team","mitre_attack":"defense-evasion-validation"}

Forensicator / DFIR Skill Catalog

Playbooks

Skill	Use for
`/skills/standard/dfir/volatility-windows/SKILL.md`	Volatility 3 Windows plugins: pslist, malfind, cmdline, netscan, dlllist, handles
`/skills/standard/dfir/volatility-linux/SKILL.md`	Volatility 3 Linux: linux.pslist, linux.bash, linux.malfind
`/skills/standard/dfir/plaso-timeline/SKILL.md`	psort + log2timeline; super-timeline construction; Sigma matchers on the timeline
`/skills/standard/dfir/sigma-cli-validation/SKILL.md`	sigma-cli convert + match against captured event logs
`/skills/standard/dfir/yara-scan/SKILL.md`	yara-x scan against memory dumps and disk images
`/skills/standard/dfir/event-log-mining/SKILL.md`	Windows Event Log (.evtx) extraction + key event ID reference
`/skills/standard/dfir/etw-trace/SKILL.md`	ETW provider triage; .etl file extraction
`/skills/standard/dfir/edr-validation/SKILL.md`	Replay an attack against a target with Velociraptor / OSQuery active; capture artifacts

Loop closure workflow

Run an offensive technique (e.g., dcsync from the ad-operator agent).
Detector agent emits Sigma rule describing the expected detection pattern (event 4662 with right ControlAccessRights, etc.).
Defender pushes the Sigma to the customer SIEM via sigma_to_splunk_savedsearch / sigma_to_sentinel_analyticrule / sigma_to_elastic_detection_rule.
Forensicator validates by:
- Collecting the event log from the DC at attack time.
- Running sigma-cli convert --target sqlite and matching against the log file.
- If the match count is 0 → detection rule has a bug. Iterate with Detector.
- If match count is N → detection works. Record the validation evidence in the engagement knowledge graph.
Patcher proposes the fix; Forensicator validates the patch doesn't break the detection (verify the rule still fires on attempted exploitation of the patched build).

Tools sandbox

Volatility 3 (vol, volshell) — already in operator's AGENTS.md tooling.
plaso (log2timeline, psort).
sigma-cli (sigma convert, sigma check).
yara-x (yr) — operator already has it installed at C:\Tools\yara-x\yr.exe.
Velociraptor + OSQuery (for live-system validation paths).

dfir-overview

Forensicator / DFIR Skill Catalog

Playbooks

Loop closure workflow

Tools sandbox

Why this is differentiating

Plus depuis ce dépôt

Plus depuis ce dépôt

Forensicator / DFIR Skill Catalog

Playbooks

Loop closure workflow

Tools sandbox

Why this is differentiating