mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00
# API Reference: Suspicious PowerShell Execution Detection

## Windows PowerShell Event Logs

### Event IDs

| Event ID | Log | Description |
|---|---|---|
| 4104 | Microsoft-Windows-PowerShell/Operational | Script block logging |
| 4103 | Microsoft-Windows-PowerShell/Operational | Module logging |
| 800 | Windows PowerShell (classic log) | Pipeline execution details |
| 400 | Windows PowerShell (classic log) | Engine lifecycle (start) |
| 403 | Windows PowerShell (classic log) | Engine lifecycle (stop) |

### Script Block Logging Query

```powershell
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id = 4104
} -MaxEvents 100
```

### Event 4104 Properties

| Index | Field | Description |
|---|---|---|
| 0 | MessageNumber | Block sequence number |
| 1 | MessageTotal | Total blocks in script |
| 2 | ScriptBlockText | Actual script content |
| 3 | ScriptBlockId | Unique script ID |
| 4 | Path | Script file path |

## Suspicious PowerShell Patterns

### Execution Policy Bypass

```powershell
powershell -ExecutionPolicy Bypass -File script.ps1
powershell -ep bypass -nop -w hidden -enc <base64>
```

### Common Obfuscation Techniques

| Technique | Example |
|---|---|
| Concatenation | `"Inv"+"oke-Ex"+"pression"` |
| Variable substitution | `${Invoke-Expression}` |
| Encoded commands | `-enc SQBuAHYAbwBrAGUALQA...` |
| Char array | `[char[]]@(73,69,88) -join ''` |
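The following script is an added example and is not code from this skill's api-reference.md. It ties the two sections above together: it reassembles fragmented 4104 events using the property indexes from the table (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText, Path), decodes any `-enc`/`-EncodedCommand` payload it finds (UTF-16LE base64, as in the encoded-command row), and reports which of the page's suspicious patterns match. It assumes the current user can read the Microsoft-Windows-PowerShell/Operational log; the function names `Expand-EncodedCommand`, `Get-SuspiciousIndicator` and `Get-SuspiciousScriptBlock` and the `$SuspiciousPatterns` list are hypothetical names chosen for this example.

```powershell
# Added example, not part of the skill's api-reference.md.
# Patterns drawn from the page's "Suspicious PowerShell Patterns" section,
# expressed as .NET regular expressions (PowerShell -match is case-insensitive).
$SuspiciousPatterns = @(
    '-EncodedCommand',
    '-enc\b',
    '-e(p|xecutionpolicy)\s+bypass',
    '-w(indowstyle)?\s+hidden',
    'FromBase64String',
    'DownloadString',
    'Invoke-Expression',
    '\bIEX\b',
    '\[char\[\]\]',                 # [char[]]@(73,69,88) -join ''
    '\$\{[^}]*-[^}]*\}'             # ${Invoke-Expression}-style braced names
)

function Expand-EncodedCommand {
    # Decode -enc/-EncodedCommand arguments (base64 of UTF-16LE text) so that
    # patterns hidden inside the payload can be matched as plain text.
    param([string]$Text)
    $pattern = '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})'
    foreach ($m in [regex]::Matches($Text, $pattern, 'IgnoreCase')) {
        try {
            [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        } catch {
            # Not valid base64; skip this match.
        }
    }
}

function Get-SuspiciousIndicator {
    # Return every pattern that matches the raw text or any decoded payload.
    param([string]$Text)
    $decoded = @(Expand-EncodedCommand -Text $Text)
    foreach ($p in $SuspiciousPatterns) {
        if (($Text -match $p) -or ($decoded -match $p)) { $p }
    }
}

function Get-SuspiciousScriptBlock {
    # Pull 4104 events, stitch each script back together, and emit only the
    # scripts that match at least one pattern.
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents

    # Group fragments by ScriptBlockId (index 3), order them by MessageNumber
    # (index 0) and compare the count with MessageTotal (index 1) so a partial
    # capture is reported as such rather than silently judged on a fragment.
    foreach ($group in ($events | Group-Object { $_.Properties[3].Value })) {
        $parts = @($group.Group | Sort-Object { [int]$_.Properties[0].Value })
        $text  = -join ($parts | ForEach-Object { [string]$_.Properties[2].Value })
        $hits  = @(Get-SuspiciousIndicator -Text $text)
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            TimeCreated   = $parts[0].TimeCreated
            ScriptBlockId = $group.Name
            Complete      = ($parts.Count -eq [int]$parts[0].Properties[1].Value)
            Path          = $parts[0].Properties[4].Value
            Indicators    = $hits -join ', '
            Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

# Usage: first against one of the page's sample command lines (the base64 is
# the page's own "Invoke-" fragment, padded so it decodes), then the live log.
Get-SuspiciousIndicator -Text 'powershell -ep bypass -nop -w hidden -enc SQBuAHYAbwBrAGUALQA='
Get-SuspiciousScriptBlock -MaxEvents 200 | Format-Table -AutoSize
```

The reassembly step matters because a long script is split across several 4104 events and a pattern can straddle two fragments; the `Complete` column tells the analyst whether every fragment was still in the log when the query ran.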

## Sigma Detection Rules

### Suspicious PowerShell Command Line

```yaml
title: Suspicious PowerShell Invocation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
            - 'DownloadString'
            - 'Invoke-Expression'
    condition: selection
level: high
```

## AMSI (Antimalware Scan Interface)

### AMSI Scan Functions

```c
HRESULT AmsiScanBuffer(
    HAMSICONTEXT amsiContext,
    PVOID buffer,
    ULONG length,
    LPCWSTR contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT *result
);
```

### AMSI Results

| Value | Meaning |
|---|---|
| 0 | Clean |
| 1 | Not Detected |
| 16384 | Blocked by admin |
| 32768 | Detected (malware) |

## Microsoft Defender ATP API

### Advanced Hunting Query

```http
POST https://api.security.microsoft.com/api/advancedqueries/run
Authorization: Bearer {token}

{
  "Query": "DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine has_any('encodedcommand','downloadstring','invoke-expression') | project Timestamp, DeviceName, ProcessCommandLine | take 100"
}
```
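As an added example (not code from this skill or from Microsoft), the request above issued from PowerShell with `Invoke-RestMethod`. It assumes an OAuth bearer token with advanced hunting permission is already in `$Token`; `Invoke-AdvancedHuntingQuery` is a hypothetical helper name. The query goes slightly beyond the page's one-liner by also matching `pwsh.exe` and projecting the account and parent process, which is what an analyst usually needs to triage a hit.

```powershell
# Added example, not part of the skill's api-reference.md.
function Invoke-AdvancedHuntingQuery {
    param(
        [Parameter(Mandatory)][string]$Token,   # OAuth bearer token obtained separately
        [Parameter(Mandatory)][string]$Query,   # KQL text
        [string]$Uri = 'https://api.security.microsoft.com/api/advancedqueries/run'
    )
    # The API expects a JSON body with a single "Query" member (see the POST above).
    $body = @{ Query = $Query } | ConvertTo-Json -Compress
    $response = Invoke-RestMethod -Method Post -Uri $Uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" } -Body $body
    # The response carries Schema (column names/types) and Results (rows);
    # only the rows are returned here.
    return $response.Results
}

# Same hunt as the page's query, extended to PowerShell 7 and with triage columns.
$kql = @'
DeviceProcessEvents
| where FileName in~ ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ('encodedcommand', 'downloadstring', 'invoke-expression')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| take 100
'@

Invoke-AdvancedHuntingQuery -Token $Token -Query $kql |
    Sort-Object Timestamp -Descending |
    Format-Table Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine -AutoSize
```

`has_any` matches whole terms, so the three search words catch `-EncodedCommand`, `.DownloadString(` and `Invoke-Expression` in a command line but will not see the same strings once they are inside a base64 payload; pair this query with script block logging (event 4104) to cover the encoded case.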