threat-actor-profiling
Threat Actor Profiling Skill
Generate structured, actionable threat actor profiles following a deliverable-first methodology grounded in the 5W1H framework and the Diamond Model of Intrusion Analysis.
When to Use
- User asks to profile or research a threat actor / APT group
- User needs to produce an intelligence deliverable about an adversary
- User wants to structure existing threat data into a TA profile
- User is responding to an RFI or incident involving a known threat actor
- User wants to assess capability, intent, or victimology of a group
Core Workflow
Follow these six steps in order. Each step builds toward a complete profile.
Step 1: Define Scope and Purpose
Before collecting any data, clarify:
More from tsale/awesome-dfir-skills
- malware-analysis: Professional malware analysis workflow for PE executables and suspicious files. Triggers on file uploads with requests like "analyze this malware", "analyze this sample", "what does this executable do", "check this file for malware", or any request to examine suspicious files. Performs static analysis, threat intelligence triage, behavioral inference, and produces analyst-grade reports with reasoned conclusions.
- analysing-attack: Analyse MITRE ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence.
- osquery-query-helper: Help users write, validate, and troubleshoot osquery SQL queries using provided osquery table schemas as the authoritative source.