Windows

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

configuring-host-based-intrusion-detection guide for setting up HIDS with Wazuh, OSSEC, or AIDE to monitor file integrity, system changes, and compliance-focused endpoint security for Security Audit workflows.

Use the windows-vm skill to create, manage, and SSH into a headless Windows 11 VM in Docker with KVM acceleration. It fits desktop automation, Windows app setup, and repeatable agent workflows when you need a real Windows environment without manual RDP.

extracting-windows-event-logs-artifacts helps you extract, parse, and analyze Windows Event Logs (EVTX) for digital forensics, incident response, and threat hunting. It supports structured review of logons, process creation, service installs, scheduled tasks, privilege changes, and log clearing with Chainsaw, Hayabusa, and EvtxECmd.

The detecting-wmi-persistence skill helps threat hunters and DFIR analysts detect WMI event subscription persistence in Windows telemetry using Sysmon Event IDs 19, 20, and 21. Use it to identify malicious EventFilter, EventConsumer, and FilterToConsumerBinding activity, validate findings, and separate attacker persistence from benign admin automation.

detecting-process-hollowing-technique helps hunt process hollowing (T1055.012) in Windows telemetry by correlating suspended launches, memory tampering, parent-child anomalies, and API evidence. Built for threat hunters, detection engineers, and responders who need a practical detecting-process-hollowing-technique for Threat Hunting workflow.

analyzing-memory-dumps-with-volatility is a Volatility 3 skill for memory forensics, malware triage, hidden processes, injection, network activity, and credentials in RAM dumps on Windows, Linux, or macOS. Use it when you need a repeatable analyzing-memory-dumps-with-volatility guide for incident response and malware analysis.

detecting-lateral-movement-in-network helps detect post-compromise lateral movement in enterprise networks using Windows event logs, Zeek telemetry, SMB, RDP, and SIEM correlation. It is useful for threat hunting, incident response, and detecting-lateral-movement-in-network for Security Audit reviews with practical detection workflows.

deploying-osquery-for-endpoint-monitoring guide for deploying and configuring osquery for endpoint visibility, fleet-wide monitoring, and SQL-driven threat hunting. Use it to plan installation, read the workflow and API references, and operationalize scheduled queries, log collection, and centralized review across Windows, macOS, and Linux endpoints.

deploying-edr-agent-with-crowdstrike helps plan, install, and verify CrowdStrike Falcon sensor rollout across Windows, macOS, and Linux endpoints. Use this deploying-edr-agent-with-crowdstrike skill for install guidance, policy setup, telemetry-to-SIEM integration, and Incident Response readiness.

configuring-windows-defender-advanced-settings skill for Microsoft Defender for Endpoint hardening. Covers ASR rules, controlled folder access, network protection, exploit protection, deployment planning, and audit-first rollout guidance for security engineers, IT admins, and Security Audit workflows.

analyzing-windows-registry-for-artifacts helps analysts extract evidence from Windows Registry hives to identify user activity, installed software, autoruns, USB history, and compromise indicators for incident response or Security Audit workflows.

analyzing-windows-prefetch-with-python parses Windows Prefetch (.pf) files with windowsprefetch to reconstruct execution history, flag renamed or masquerading binaries, and support incident triage and malware analysis.

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

analyzing-powershell-script-block-logging skill for parsing Windows PowerShell Script Block Logging Event ID 4104 from EVTX files, reconstructing split script blocks, and flagging obfuscated commands, encoded payloads, Invoke-Expression abuse, download cradles, and AMSI bypass attempts for Security Audit work.

The winui-app skill helps you bootstrap, build, and troubleshoot WinUI 3 desktop apps with C# and the Windows App SDK. Use it for environment readiness, new app setup, shell and navigation choices, XAML controls, theming, accessibility, deployment, and launch-fix workflows for Frontend Development.

The screenshot skill helps capture a full screen, app window, or pixel region when you need an OS-level image instead of a browser-only capture. Use it for screenshot usage in Workflow Automation, with save-location rules, macOS permission handling, and clear install guidance for reliable desktop captures.