jmagly/forensics-ioc
plugins/forensics/skills/forensics-ioc/SKILL.md
Extract and enrich indicators of compromise
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg forensics-iocInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 3, 2026, 6:00 AM207.9s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- forensics-ioc
- platforms:
- [all]
- description:
- Extract and enrich indicators of compromise
- argumentHint:
- <findings-path> [--enrich] [--stix] [--output path] [--format markdown|json|stix]
- category:
- forensics-ioc
/forensics-ioc
Extract indicators of compromise (IOCs) from forensic findings, enrich them with threat intelligence lookups, and map them to STIX 2.1 observables. Produces a structured IOC register suitable for detection rule generation, MISP import, or threat intelligence sharing.
Usage
/forensics-ioc <findings-path> [options]
Arguments
| Argument | Required | Description |
|----------|----------|-------------|
| findings-path | Yes | Path to findings directory or specific finding file |
| --enrich | No | Perform threat intelligence enrichment lookups |
| --stix | No | Generate STIX 2.1 bundle alongside IOC register |
| --output | No | Output path (default: .aiwg/forensics/ioc/ioc-register.md) |
| --format | No | Output format: markdown (default), json, stix, misp |
| --types | No | IOC types to extract: ip, domain, hash, url, email, all (default: all) |
| --confidence | No | Minimum confidence threshold for inclusion: low, medium, high (default: low) |
| --no-private | No | Exclude RFC-1918 and loopback addresses |
Behavior
When invoked, this command:
-
Scan Findings for Observables
- Read all finding documents in the specified path
- Parse timeline artifacts, triage summaries, and analysis outputs
- Extract raw observable strings matching IOC patterns
-
IOC Extraction by Type
| Type | Sources | Pattern | |------|---------|---------| | IPv4/IPv6 | Network analysis, auth logs, connections | Address notation | | Domain/FQDN | DNS queries, connection targets, configs | Domain pattern | | File hash (MD5/SHA1/SHA256) | Acquisition checksums, malware artifacts | Hex string | | URL | Web logs, process command lines, configs | HTTP/HTTPS URL | | Email address | Auth logs, user accounts | Email pattern | | File path | Persistence findings, process analysis | Suspicious paths | | Process name | Triage process list, persistence | Masquerading names | | User agent | Web logs | Browser/tool strings |
-
Deduplication and Normalization
- Remove duplicate IOCs of the same type and value
- Normalize IP addresses (strip ports, consolidate subnets)
- Lowercase domain names
- Uppercase file hashes
- Apply
--no-privatefiltering if specified
-
Confidence Scoring
- Score each IOC based on context and repetition
- HIGH: IOC observed in multiple independent sources or directly linked to attack
- MEDIUM: IOC appears in findings with indirect correlation
- LOW: IOC extracted from context; may require validation
- Mark false-positive candidates (CDN IPs, common system paths)
-
Threat Intelligence Enrichment (when
--enrichspecified)- Query VirusTotal, AbuseIPDB, or configured TI feeds for IP/domain/hash IOCs
- Record reputation score, malware family, and associated threat actor
- Note prior sightings and first/last seen dates
- Attach TI source attribution
-
STIX 2.1 Mapping (when
--stixspecified)- Map each IOC to appropriate STIX Observable object type
- Create STIX Indicator objects with detection patterns
- Bundle into STIX 2.1 JSON bundle
- Link observables to Threat Actor and Malware objects where applicable
-
Detection Rule Suggestions
- Generate Sigma rule stubs for network IOCs
- Generate firewall rule suggestions for IP/CIDR blocks
- Generate YARA rule stubs for file hashes
- Note which IOCs are suitable for automated blocking vs. monitoring
-
IOC Register Output
- Write structured IOC register with all extracted indicators
- Include context, confidence, enrichment data, and MITRE mapping
- Export STIX bundle if requested
- Update investigation state with IOC count
Examples
Example 1: Extract IOCs from findings directory
/forensics-ioc .aiwg/forensics/findings/
Example 2: Extract and enrich with threat intel
/forensics-ioc .aiwg/forensics/findings/ --enrich
Example 3: STIX 2.1 output
/forensics-ioc .aiwg/forensics/ --stix --format stix
Example 4: High confidence only, exclude private IPs
/forensics-ioc .aiwg/forensics/ --confidence high --no-private
Example 5: MISP import format
/forensics-ioc .aiwg/forensics/ --enrich --format misp
Output
Artifacts are saved to .aiwg/forensics/ioc/:
.aiwg/forensics/ioc/
├── ioc-register.md # Human-readable IOC register
├── ioc-register.json # Machine-readable IOC list
├── stix-bundle.json # STIX 2.1 bundle (if --stix)
├── detection-rules/
│ ├── network-ioc.sigma # Sigma rule stubs
│ └── file-ioc.yara # YARA rule stubs
└── enrichment-cache.json # TI lookup results cache
Sample IOC Register
IOC Register: INV-2026-02-27-web01
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Extraction complete: 12 IOCs (4 enriched)
--- Network IOCs ---
| Type | Value | Confidence | Context | TI Result |
|---------|----------------------|------------|--------------------------------|------------------------|
| IPv4 | 185.220.101.42 | HIGH | SSH brute force source; C2 | Known Tor exit node |
| Domain | update-check.net | HIGH | DNS query from /tmp/.update | Malware C2 (VirusTotal)|
| IPv4 | 10.0.0.15 | MEDIUM | Lateral movement destination | Internal host |
--- File IOCs ---
| Type | Value | Confidence | Context |
|----------|-------------------------|------------|-------------------------------|
| SHA256 | a1b2c3d4e5f6... | HIGH | /tmp/.update - C2 implant |
| Path | /tmp/.update | HIGH | Malicious cron-executed binary|
| Path | /dev/shm/.x | MEDIUM | Hidden file in tmpfs |
--- Account IOCs ---
| Type | Value | Confidence | Context |
|------|---------|------------|------------------------------------------|
| User | deploy | HIGH | Compromised account (brute forced) |
Total: 7 network, 3 file, 2 account IOCs
STIX bundle: .aiwg/forensics/ioc/stix-bundle.json
References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/ioc-analyst.md - IOC Analyst
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/ioc-register.md - Register template
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-report.md - Include IOCs in report
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-timeline.md - Timeline correlation
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026