// Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
| name | dfir-overview |
| description | Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical. |
| metadata | {"subdomain":"dfir","tags":"dfir, memory, volatility, plaso, sigma, validation, blue-team","mitre_attack":"defense-evasion-validation"} |
Decepticon emits attacks AND detection rules. This catalog feeds the detection rules back through real forensic artifacts to confirm they fire — closing the Offensive Vaccine loop on the operations side.
| Skill | Use for |
|---|---|
/skills/standard/dfir/volatility-windows/SKILL.md | Volatility 3 Windows plugins: pslist, malfind, cmdline, netscan, dlllist, handles |
/skills/standard/dfir/volatility-linux/SKILL.md | Volatility 3 Linux: linux.pslist, linux.bash, linux.malfind |
/skills/standard/dfir/plaso-timeline/SKILL.md | psort + log2timeline; super-timeline construction; Sigma matchers on the timeline |
/skills/standard/dfir/sigma-cli-validation/SKILL.md | sigma-cli convert + match against captured event logs |
/skills/standard/dfir/yara-scan/SKILL.md | yara-x scan against memory dumps and disk images |
/skills/standard/dfir/event-log-mining/SKILL.md | Windows Event Log (.evtx) extraction + key event ID reference |
/skills/standard/dfir/etw-trace/SKILL.md | ETW provider triage; .etl file extraction |
/skills/standard/dfir/edr-validation/SKILL.md | Replay an attack against a target with Velociraptor / OSQuery active; capture artifacts |
dcsync from the ad-operator agent).ControlAccessRights, etc.).sigma_to_splunk_savedsearch / sigma_to_sentinel_analyticrule /
sigma_to_elastic_detection_rule.sigma-cli convert --target sqlite and matching against
the log file.vol, volshell) — already in operator's AGENTS.md tooling.log2timeline, psort).sigma convert, sigma check).yr) — operator already has it installed at C:\Tools\yara-x\yr.exe.Strix doesn't have this. XBOW doesn't have this. The "Offensive Vaccine" promise (every attack becomes a defense improvement) is only deliverable when someone validates the detection. Without Forensicator, the loop stops at "rule written". With it, the loop completes at "rule verified to fire on this attack class against this client's stack".
Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.
Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).
Use when the engagement requires passive reconnaissance only — no packets to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run with outbound-only network policy. Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency, BGP/ASN mapping.
Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.