creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 13:14:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Anthropic-Cybersecurity-Skills/skills/hunting-for-anomalous-powershell-execution/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.5 KiB
Raw Permalink Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
hunting-for-anomalous-powershell-execution Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification. cybersecurity threat-hunting
powershell
script-block-logging
event-4104
amsi
threat-hunting
evtx
obfuscation
1.0 mahipal Apache-2.0
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05
T1046
T1057
T1082
T1083
T1003

Hunting for Anomalous PowerShell Execution

Overview

PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text executed on a Windows endpoint, making it the primary data source for hunting malicious PowerShell. Combined with Module Logging (4103) and process creation events, analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless attack techniques even when the attacker uses obfuscation layers.

When to Use

  • When investigating security incidents that require hunting for anomalous powershell execution
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
  • Python 3.8+ with python-evtx and lxml libraries
  • Script Block Logging enabled via Group Policy
  • Understanding of common PowerShell attack techniques

Steps

  1. Parse EVTX files extracting Event 4104 script block text and metadata
  2. Reassemble multi-part script blocks using ScriptBlock ID correlation
  3. Scan script text for AMSI bypass indicators and obfuscation patterns
  4. Detect encoded command execution and base64 payloads
  5. Identify download cradles, credential dumping, and lateral movement commands
  6. Score and prioritize findings by threat severity

Expected Output

{
  "total_events": 1247,
  "suspicious_events": 23,
  "amsi_bypass_attempts": 2,
  "encoded_commands": 8,
  "download_cradles": 5,
  "credential_access": 3
}
Reference in New Issue View Git Blame Copy Permalink