Detects suspicious Windows service installations by parsing event ID 7045 from System.evtx logs, analyzing binary paths and PowerShell patterns for persistence (MITRE T1543.003). Useful for threat hunting.
Triggered by slash command: /cybersecurity-skills-zh:hunting-for-unusual-service-installations
Summary:
Attackers commonly achieve persistence and privilege escalation by installing malicious Windows services (MITRE ATT&CK T1543.003, Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temporary directories, PowerShell, cmd.exe, encoded commands), and correlates them with known attack patterns.
Dependencies: python-evtx, lxml
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh
Detects suspicious Windows service installations by parsing Event ID 7045 from System event logs, analyzing binary paths for persistence indicators (MITRE ATT&CK T1543.003).
Parses Windows System event logs for Event ID 7045 to detect suspicious service installations, analyzes binary paths for persistence indicators (MITRE T1543.003), and generates risk reports.
Detects suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing binary paths, and identifying persistence indicators. Useful for threat hunting and incident response.