Research and build a target system profile via SSH — discovers OS, services, users, network baseline, and security stack
Connects to a target system over SSH and constructs a structured baseline profile covering operating system details, running services, user accounts, network configuration, and installed security tooling. The profile serves as the foundation for all subsequent forensic work.
Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):
Before any investigation can proceed, examiners need a documented understanding of what the system looks like in its current state. This skill produces a structured .aiwg/forensics/profiles/<hostname>.md file that records point-in-time system state, making deviations visible during analysis.
When triggered, this skill:
Parse connection string:
  - user@host, user@host:port, or a named SSH config alias
  - ssh -o ConnectTimeout=10 [email protected] 'echo ok'
Collect OS identity:
  - /etc/os-release for distro and version
  - uname -r
  - uname -m
Enumerate running services:
  - systemctl list-units --type=service --state=running (systemd systems)
  - service --status-all or rc-status on non-systemd systems
Enumerate local user accounts:
  - /etc/passwd for non-system accounts (UID >= 1000)
  - /etc/sudoers and /etc/sudoers.d/ for privilege grants
  - lastlog or last
Capture network baseline:
  - ip addr show
  - ip route show
  - ss -tlnp or netstat -tlnp
  - ss -tnp state established
Identify security tooling:
Write profile document:
  - .aiwg/forensics/profiles/<hostname>.md

profile target [email protected]
Connects as the specified user and writes .aiwg/forensics/profiles/webserver-01.md.
profile target [email protected]:2222
Connects on port 2222 and derives the hostname from the output of the target's hostname command.
system reconnaissance prod-db-01
Resolves prod-db-01 via ~/.ssh/config.
  - .aiwg/forensics/profiles/<hostname>.md
  - .aiwg/forensics/profiles/<hostname>-raw.txt

target_profiling:
  ssh_timeout: 10
  min_uid: 1000
  include_security_tools:
    - auditd
    - apparmor
    - selinux
    - fail2ban
    - crowdstrike
    - osquery
    - wazuh
    - filebeat
  output_format: markdown
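
The connection-string and user-account steps above, sketched as an added example that is not the skill's own code. The function names, the BatchMode option, and the sample passwd data are assumptions made for illustration; ssh_timeout and min_uid mirror the configuration values.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of the skill.
MIN_UID=1000      # min_uid from the configuration
SSH_TIMEOUT=10    # ssh_timeout from the configuration

# Convert "user@host", "user@host:port" or an SSH config alias into ssh
# arguments, one per line. Anything outside a conservative character set,
# or starting with "-", is refused so a target string cannot inject options.
parse_target() {
    target=$1 port=
    case $target in
        ''|-*|*[!A-Za-z0-9@:._-]*) echo "invalid target" >&2; return 1 ;;
    esac
    case $target in
        *:*) port=${target##*:}; target=${target%:*}
             case $port in ''|*[!0-9]*) echo "invalid port" >&2; return 1 ;; esac
             case $target in ''|*:*) echo "invalid host" >&2; return 1 ;; esac ;;
    esac
    # BatchMode (added here, not on the page) fails fast instead of prompting.
    printf '%s\n' -o "ConnectTimeout=$SSH_TIMEOUT" -o BatchMode=yes
    if [ -n "$port" ]; then printf '%s\n' -p "$port"; fi
    printf '%s\n' -- "$target"
}

# Filter passwd(5) lines on stdin to the accounts the profile lists
# (UID >= MIN_UID). The shell is kept so nologin entries such as "nobody"
# (UID 65534 on many distributions) are easy to tell from interactive users.
human_accounts() {
    awk -F: -v min="$MIN_UID" '$3 >= min { print $1, "uid=" $3, "shell=" $7 }'
}

# Read /etc/passwd from the target and apply the filter.
profile_accounts() {
    args=$(parse_target "$1") || return 1
    # args are validated above and newline-separated, so splitting is safe.
    ssh $args 'cat /etc/passwd' | human_accounts
}

# Constructed sample input, not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
printf '%s\n' "$SAMPLE_PASSWD" | human_accounts
```

Bare IPv6 literals are rejected rather than guessed at; put such hosts behind an alias in ~/.ssh/config.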