Detects suspicious Windows service installations by parsing event ID 7045 from System.evtx logs, analyzing binary paths and PowerShell patterns for persistence (MITRE T1543.003). Useful for threat hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Attackers frequently install malicious Windows services to gain persistence and elevate privileges (MITRE ATT&CK T1543.003: Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temporary directories, PowerShell, cmd.exe, encoded commands), and correlates them with known attack patterns.
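The detection pipeline described above (keep only Event ID 7045 records, inspect the ImagePath for temp-directory, PowerShell, cmd.exe and encoded-command indicators, correlate the service name with a known pattern), written out as an added example; it is not the skill's own code. It parses the per-record XML that python-evtx's record.xml() produces, using only the standard library so it runs offline over constructed sample records; the rule set, the rule weights and the hunt_evtx helper are assumptions of this example, not part of the skill.

```python
"""Hunt suspicious service installations (Event ID 7045) in System.evtx records."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by Windows event XML; python-evtx's record.xml() emits it as well.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (rule name, field inspected, pattern, weight). Weights are illustrative choices for this example.
RULES = [
    ("temp_directory", "path",
     re.compile(r"\\temp\\|%temp%|\\appdata\\local\\temp|\\users\\public\\|\\programdata\\", re.I), 3),
    ("powershell", "path", re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I), 3),
    ("cmd_shell", "path", re.compile(r"\bcmd(\.exe)?\b|%comspec%", re.I), 2),
    ("encoded_command", "path",
     re.compile(r"[-/](e|ec|en|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{16,}", re.I), 5),
    ("download_cradle", "path",
     re.compile(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|bitsadmin", re.I), 4),
    # PsExec-style remote service names are a well-known lateral-movement artefact.
    ("psexec_service", "name", re.compile(r"^psexesvc$", re.I), 4),
]


@dataclass
class ServiceInstall:
    time: str
    computer: str
    name: str
    path: str
    start_type: str
    account: str
    findings: list = field(default_factory=list)
    score: int = 0


def parse_7045(xml_text):
    """Return a ServiceInstall for a 7045 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", default="", namespaces=NS).strip() != "7045":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    tc = root.find("e:System/e:TimeCreated", NS)
    return ServiceInstall(
        time=tc.get("SystemTime", "") if tc is not None else "",
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        name=data.get("ServiceName", ""),
        path=data.get("ImagePath", ""),
        start_type=data.get("StartType", ""),
        account=data.get("AccountName", ""),
    )


def assess(ev):
    """Apply every rule to one event, accumulating matched rule names and a risk score."""
    for rule, target, pattern, weight in RULES:
        if pattern.search(ev.name if target == "name" else ev.path):
            ev.findings.append(rule)
            ev.score += weight
    return ev


def hunt(xml_records, min_score=1):
    """Parse all records, keep scored 7045 installs, most suspicious first."""
    hits = [ev for ev in (parse_7045(x) for x in xml_records)
            if ev is not None and assess(ev).score >= min_score]
    return sorted(hits, key=lambda e: e.score, reverse=True)


def hunt_evtx(path, min_score=1):
    """Same hunt over a real System.evtx file via python-evtx (import deferred so the
    constructed sample below runs without the package installed)."""
    from Evtx.Evtx import Evtx  # pip install python-evtx
    with Evtx(path) as log:
        return hunt((r.xml() for r in log.records()), min_score)


_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Service Control Manager"/><EventID Qualifiers="16384">{eid}</EventID>'
    '<TimeCreated SystemTime="{time}"/><Channel>System</Channel><Computer>WS01.corp.example</Computer></System>'
    '<EventData><Data Name="ServiceName">{name}</Data><Data Name="ImagePath">{path}</Data>'
    '<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>'
    '<Data Name="AccountName">LocalSystem</Data></EventData></Event>'
)


def _record(eid, name, path, time="2024-01-15T03:12:44Z"):
    return _TEMPLATE.format(eid=eid, name=name, path=path, time=time)


# Constructed sample records, not taken from a real log. The base64 blob is an arbitrary
# UTF-16LE string ("ABCDEFGHIJKLMN"), not a real payload.
SAMPLE_RECORDS = [
    _record(7045, "WinDefendHelper", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    _record(7045, "UpdaterSvc",
            r"%COMSPEC% /c powershell.exe -nop -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA=="),
    _record(7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    _record(7045, "helper", r"C:\Users\Public\update.exe"),
    _record(7036, "Windows Update", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # not an install
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_RECORDS):
        print(f"[{ev.score:>2}] {ev.time} {ev.computer} {ev.name!r} -> {ev.path}  ({', '.join(ev.findings)})")
```

The score is only a triage aid: a 7045 event for a legitimate installer can still land in a temp directory, so the report lists the matched rules rather than a verdict, and the analyst confirms against the service's start type, account and the binary's signature.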
Parses Windows System event logs for Event ID 7045 to detect suspicious service installations, analyzes binary paths for persistence indicators (MITRE T1543.003), and generates risk reports.
Detects suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing binary paths, and identifying persistence indicators. Useful for threat hunting and incident response.
Hunts attacker persistence mechanisms in Windows endpoints covering registry Run keys, services, startup folders, and WMI event subscriptions. For threat hunting and incident response.
python-evtx, lxml