skills.homes logoskills.homescapability registry
home/categories/debugging/mukul975-anthropic-cybersecurity-skills-skills-hunting-for-anomalous-powershell-execution-skill-md
cd ..
debuggingtools

hunting-for-anomalous-powershell-execution

Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.

View Sourcedebugging
mukul975
maintainer
mukul975
Updated 4/6/2026
Stars
4240
Forks
464
quick start

Installation and usage

Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.

Installation
$ install --globalskills.sh
Usage

Once installed, you can use this skill by running the following command in your terminal:

skills use hunting-for-anomalous-powershell-execution