jmagly/forensics-hunt
plugins/forensics/skills/forensics-hunt/SKILL.md
Threat hunt using Sigma rules against log sources
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg forensics-huntInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 8:58 AM2.1s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- forensics-hunt
- platforms:
- [all]
- description:
- Threat hunt using Sigma rules against log sources
- argumentHint:
- [--rules rule-id,...|all] [--target host] [--logs-path path] [--output path]
- category:
- forensics-hunting
/forensics-hunt
Perform structured threat hunting by executing Sigma detection rules against collected log sources. Supports targeted rule selection or full rule set execution. Outputs matched detections with evidence context and MITRE ATT&CK annotations.
Usage
/forensics-hunt [options]
Arguments
| Argument | Required | Description |
|----------|----------|-------------|
| --rules | No | Rule IDs to run, comma-separated, or all (default: all) |
| --target | No | Target hostname to scope the hunt |
| --logs-path | No | Path to collected logs directory (default: .aiwg/forensics/acquisition/logs/) |
| --output | No | Output path (default: .aiwg/forensics/analysis/hunt-findings.md) |
| --severity | No | Minimum rule severity to execute: low, medium, high, critical (default: medium) |
| --since | No | Only evaluate log entries after this timestamp |
| --format | No | Output format: markdown (default), json, sigma-results |
| --list-rules | No | List available rules without executing |
Behavior
When invoked, this command:
-
Discover Log Sources
- Locate collected logs at specified or default path
- Identify log types: auth, syslog, journal, audit, application
- Map log formats to compatible Sigma field mappings
- Validate log file integrity against acquisition checksums
-
Load Sigma Rules
- Load rules from
@$AIWG_ROOT/agentic/code/frameworks/forensics-complete/sigma/ - Filter by
--rulesselection or severity threshold - Resolve rule dependencies and required fields
- Report rules skipped due to missing log sources
- Load rules from
-
Execute Detections
- Run each applicable rule against relevant log sources
- Apply field mappings to normalize log formats
- Filter by
--sincetimestamp if provided - Track match counts and false positive indicators
-
Detection Categories
| Category | Example Rules | |----------|--------------| | Authentication |
ssh-brute-force-success,password-spray,invalid-user-spikes| | Privilege Escalation |sudo-to-root,suid-execution,new-root-session| | Persistence |cron-modification,new-systemd-unit,authorized-key-added| | Lateral Movement |internal-ssh-from-new-host,ssh-agent-forwarding| | Defense Evasion |log-deletion,audit-tampering,history-cleared| | Exfiltration |large-outbound-transfer,curl-to-external,dns-exfil| | C2 |reverse-shell-indicators,beaconing-intervals,tunnel-traffic| -
Result Enrichment
- Extract matching log lines as evidence
- Provide context window (5 lines before/after match)
- Link detections to MITRE ATT&CK technique IDs
- Score detection confidence (HIGH/MEDIUM/LOW) based on rule quality
-
Hunt Summary
- Count detections by severity and category
- Identify accounts, IPs, and processes involved
- Generate prioritized finding list
- Recommend follow-up investigation steps
Examples
Example 1: Full rule set, all logs
/forensics-hunt
Example 2: Specific rules against a target
/forensics-hunt --rules ssh-brute-force-success,sudo-to-root --target web01
Example 3: High and critical severity only
/forensics-hunt --severity high
Example 4: Hunt recent log entries
/forensics-hunt --since 2026-02-26T18:00:00Z --severity medium
Example 5: List available rules
/forensics-hunt --list-rules
Example 6: JSON output for SIEM import
/forensics-hunt --severity high --format json
Output
Artifacts are saved to .aiwg/forensics/analysis/:
.aiwg/forensics/analysis/
├── hunt-findings.md # Human-readable detection results
├── hunt-findings.json # Machine-readable results
└── rule-execution-log.yaml # Which rules ran, match counts, errors
Sample Output
Threat Hunt: web01-2026-02-27
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Log sources: auth.log, syslog, journal, audit.log (140.6 MB)
Rules loaded: 47 applicable (of 63 total, 16 skipped: missing sources)
Executing rules...
[HIGH ] ssh-brute-force-success MATCH (1 event)
[HIGH ] sudo-to-root MATCH (2 events)
[CRITICAL] cron-modification MATCH (1 event)
[HIGH ] reverse-shell-indicators MATCH (1 event)
[MEDIUM] invalid-user-spikes MATCH (847 events)
[MEDIUM] curl-to-external MATCH (3 events)
[LOW ] failed-su-attempts no match
[LOW ] password-spray no match
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Detection Summary:
CRITICAL: 1 HIGH: 3 MEDIUM: 2 LOW: 0
Total detections: 6 rules matched across 855 events
--- ssh-brute-force-success (HIGH, T1110.001) ---
Match: 2026-02-26 22:29:01 Accepted publickey for deploy from 185.220.101.42 port 51823
Context: Following 847 failed attempts (22:14:33-22:29:00) from same IP
Confidence: HIGH
--- cron-modification (CRITICAL, T1053.003) ---
Match: 2026-02-26 22:33:45 crontab: deploy modified crontab for root
Context: 4 minutes after successful SSH login from attacker IP
Confidence: HIGH
Hunt complete.
Output: .aiwg/forensics/analysis/hunt-findings.md
Available Rules List (--list-rules)
ID Severity Category Description
────────────────────────────────────────────────────────────────────
ssh-brute-force-success HIGH Authentication Successful login after brute force
password-spray MEDIUM Authentication Many failed logins across accounts
sudo-to-root HIGH Privilege Esc. User obtained root via sudo
new-root-session HIGH Privilege Esc. Root shell opened (non-login)
cron-modification CRITICAL Persistence Crontab file modified
new-systemd-unit HIGH Persistence New systemd unit installed
authorized-key-added HIGH Persistence New SSH authorized key added
log-deletion HIGH Defense Evasion Log file deleted or truncated
reverse-shell-indicators HIGH C2 Bash/nc/python reverse shell pattern
beaconing-intervals MEDIUM C2 Regular outbound connection pattern
large-outbound-transfer HIGH Exfiltration Unusually large outbound data transfer
References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/log-analyst.md - Log Analyst
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/sigma/ - Sigma rule library
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-ioc.md - IOC extraction from findings
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-timeline.md - Timeline correlation
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026