creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 21:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
efca3ec611b11d8bb0d94c457be74a082bd90888
Anthropic-Cybersecurity-Skills/skills/analyzing-powershell-script-block-logging/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

2.5 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
analyzing-powershell-script-block-logging Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. cybersecurity security-operations
analyzing
powershell
script
block
1.0 mahipal Apache-2.0
DE.CM-01
RS.MA-01
GV.OV-01
DE.AE-02

Analyzing PowerShell Script Block Logging

When to Use

  • When investigating security incidents that require analyzing powershell script block logging
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies: pip install python-evtx lxml
  2. Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx
  3. Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
  4. Apply detection heuristics:
    • Base64-encoded commands (-EncodedCommand, FromBase64String)
    • Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
    • AMSI bypass patterns (AmsiUtils, amsiInitFailed)
    • Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
  5. Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.
python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.

Reference in New Issue View Git Blame Copy Permalink