mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
2.4 KiB
2.4 KiB
name, description, domain, subdomain, tags, version, author, license, nist_csf
| name | description | domain | subdomain | tags | version | author | license | nist_csf | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| hunting-for-anomalous-powershell-execution | Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification. | cybersecurity | threat-hunting |
|
1.0 | mahipal | Apache-2.0 |
|
Hunting for Anomalous PowerShell Execution
Overview
PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text executed on a Windows endpoint, making it the primary data source for hunting malicious PowerShell. Combined with Module Logging (4103) and process creation events, analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless attack techniques even when the attacker uses obfuscation layers.
When to Use
- When investigating security incidents that require hunting for anomalous powershell execution
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
- Python 3.8+ with python-evtx and lxml libraries
- Script Block Logging enabled via Group Policy
- Understanding of common PowerShell attack techniques
Steps
- Parse EVTX files extracting Event 4104 script block text and metadata
- Reassemble multi-part script blocks using ScriptBlock ID correlation
- Scan script text for AMSI bypass indicators and obfuscation patterns
- Detect encoded command execution and base64 payloads
- Identify download cradles, credential dumping, and lateral movement commands
- Score and prioritize findings by threat severity
Expected Output
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}