From security-incident-responder
Guides NIST SP 800-61 incident response: classify breaches, preserve evidence, analyze logs with Bash tools, contain threats, investigate IOCs, eradicate malware, recover systems.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin security-incident-responder

This skill is limited to using the following tools:
Guide the full NIST SP 800-61 incident response lifecycle: detection, containment, eradication, recovery, and post-incident analysis. Classify incidents by type (ransomware, data breach, DDoS, credential compromise, insider threat) and severity, then coordinate evidence preservation, threat containment, and root-cause investigation.
Creates and executes incident response procedures for security breaches, data leaks, and cyber attacks. Use for handling incidents, response playbooks, or forensic analysis.
Provides digital forensics fundamentals for collecting, preserving, and analyzing evidence from compromised systems to reconstruct attacks and scope breaches.
Executes ransomware incident response: detection via ID Ransomware/NoMoreRansom, containment, forensics, decryption assessment, recovery, hardening, negotiation, backups, notifications.
Input logs: ${CLAUDE_SKILL_DIR}/logs/ (auth logs, web server logs, database access logs)
Incident output: ${CLAUDE_SKILL_DIR}/incidents/
Preserve volatile evidence before making changes to the host: memory dumps (volatility -f memdump.raw imageinfo), disk images, the running process list (ps auxf), and the network connection state (ss -tulnp). Store everything collected under ${CLAUDE_SKILL_DIR}/incidents/evidence/.
Write the incident report to ${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md, containing an executive summary, detailed timeline, root cause analysis, IOC list, and lessons learned.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the seven-phase implementation workflow.
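The volatile-state capture described above (process list and network connection state written to an evidence directory), as an added example written for this page; it is not code from the security-incident-responder skill. The evidence file names, the `context.txt` record and the `manifest.sha256` format are this example's assumptions, and a missing tool is recorded in the capture file rather than silently skipped, so gaps in the collection are documented.

```shell
#!/bin/sh
# Added example (not the skill's own code): snapshot volatile host state into an
# evidence directory and write a SHA-256 manifest so the captured files can be
# verified later. Output file names and the manifest layout are assumptions of
# this example; the skill's own layout is ${CLAUDE_SKILL_DIR}/incidents/evidence/.

# Run a command, saving stdout and stderr to a file. If the tool is absent,
# record that fact in the file instead of failing, so the gap is documented.
capture() {
  out="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" >"$out" 2>&1 || echo "# command exited non-zero: $*" >>"$out"
  else
    echo "# tool not available on this host: $1" >"$out"
  fi
}

# Portable SHA-256 of one file: GNU coreutils sha256sum or BSD/macOS shasum.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Collect host context, the process tree and listening sockets into DIR, then
# write DIR/manifest.sha256 with one hash line per captured file.
# Prints the number of manifest entries.
collect_volatile_evidence() {
  dir="$1"
  mkdir -p "$dir"
  {
    echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "hostname=$(hostname 2>/dev/null || uname -n)"
    echo "collector_uid=$(id -u)"
  } >"$dir/context.txt"
  capture "$dir/processes.txt" ps auxf
  capture "$dir/sockets.txt" ss -tulnp
  # The manifest is written last and deliberately excludes itself.
  : >"$dir/manifest.sha256"
  for f in "$dir"/*; do
    [ "$f" = "$dir/manifest.sha256" ] && continue
    echo "$(hash_file "$f")  $(basename "$f")" >>"$dir/manifest.sha256"
  done
  wc -l <"$dir/manifest.sha256" | tr -d ' '
}

# Re-hash every file named in the manifest. Prints "ok" when all hashes match,
# otherwise "MISMATCH <file>" for the first altered file and returns 1.
verify_manifest() {
  dir="$1"
  while read -r sum name; do
    [ "$(hash_file "$dir/$name")" = "$sum" ] || { echo "MISMATCH $name"; return 1; }
  done <"$dir/manifest.sha256"
  echo ok
}

# Usage: sh collect.sh --collect /path/to/incidents/evidence
if [ "${1:-}" = "--collect" ]; then
  collect_volatile_evidence "${2:-./evidence}"
  verify_manifest "${2:-./evidence}"
fi
```

Run it as root early in the containment phase, before any remediation touches the host; the manifest lets a later reviewer confirm that nothing in the evidence directory changed after collection, and `verify_manifest` is the check to run before the files are cited in the incident report.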
Output: ${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md with timeline, root cause, IOCs, and impact assessment

| Error | Cause | Solution |
|---|---|---|
| Critical logs missing from ${CLAUDE_SKILL_DIR}/logs/ | Log rotation, deletion, or attacker tampering | Work with available data; note gaps; improve logging retention for future incidents |
| System state modified before evidence collection | First responder made changes before forensic capture | Document contamination; collect remaining evidence; prioritize network and SIEM logs |
| Attacker still has active access during investigation | Ongoing compromise detected | Prioritize containment over investigation; implement emergency network isolation |
| Permission denied accessing system memory | Insufficient forensic tool privileges | Escalate to obtain root/admin access; fall back to available log and network data |
| Backups encrypted or corrupted by ransomware | Attacker targeted backup infrastructure | Identify offline/air-gapped backups; assess rebuild-from-scratch feasibility |
"… ${CLAUDE_SKILL_DIR}/logs/ to triage the incident, scope affected accounts, and propose containment steps."
"… /var/www/html/uploads/cmd.php. Trace the initial access vector, identify persistence mechanisms, and produce an IOC list."
${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference
${CLAUDE_SKILL_DIR}/references/examples.md -- additional usage examples