Stats
Actions
Tags
Detects suspicious PowerShell execution patterns like encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasions. Useful for threat hunting in EDR/SIEM environments with Sysmon.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:detecting-suspicious-powershell-executionThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- 主动狩猎环境中可疑 PowerShell 执行指标时
| 概念 | 描述 |
|---|---|
| T1059.001 | PowerShell |
| T1059.003 | Windows 命令行(Windows Command Shell) |
| T1562.001 | 禁用或修改工具(Disable or Modify Tools) |
| 工具 | 用途 |
|---|---|
| CrowdStrike Falcon | EDR 遥测和威胁检测 |
| Microsoft Defender for Endpoint | 使用 KQL 进行高级狩猎 |
| Splunk Enterprise | 使用 SPL 查询进行 SIEM 日志分析 |
| Elastic Security | 检测规则和调查时间线 |
| Sysmon | 详细的 Windows 事件监控 |
| Velociraptor | 终端工件收集和狩猎 |
| Sigma Rules | 跨平台检测规则格式 |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1059.001
Host: [主机名]
User: [账户上下文]
Evidence: [日志条目、进程树、网络数据]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [遏制、调查、监控]
npx claudepluginhub killvxk/cybersecurity-skills-zhDetects suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion. For threat hunting and incident response.
Detects suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion for threat hunting and incident response.
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.