analyst security skill risk: medium
Anomalous PowerShell Execution Hunting Guide
Provides steps to parse EVTX files for Event 4104 script blocks, reassemble them, detect AMSI bypasses, encoded commands, download cradles and credential access, then output JSON s…
- Policy sensitive
- Human review
SKILL 4 files · 2 folders
SKILL.md
---
name: hunting-for-anomalous-powershell-execution
description: "Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event"
---
# Hunting for Anomalous PowerShell Execution
## Overview
PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text
executed on a Windows endpoint, making it the primary data source for hunting malicious
PowerShell. Combined with Module Logging (4103) and process creation events, analysts can
detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools,
and fileless attack techniques even when the attacker uses obfuscation layers.
## When to Use
- When investigating security incidents that require hunting for anomalous powershell execution
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
- Python 3.8+ with python-evtx and lxml libraries
- Script Block Logging enabled via Group Policy
- Understanding of common PowerShell attack techniques
## Steps
1. Parse EVTX files extracting Event 4104 script block text and metadata
2. Reassemble multi-part script blocks using ScriptBlock ID correlation
3. Scan script text for AMSI bypass indicators and obfuscation patterns
4. Detect encoded command execution and base64 payloads
5. Identify download cradles, credential dumping, and lateral movement commands
6. Score and prioritize findings by threat severity
## Expected Output
```json
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}
```
REQUIRED CONTEXT
- Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
- Script Block Logging enabled
TOOLS REQUIRED
- python-evtx
- lxml
ROLES & RULES
- Parse EVTX files extracting Event 4104 script block text and metadata
- Reassemble multi-part script blocks using ScriptBlock ID correlation
- Scan script text for AMSI bypass indicators and obfuscation patterns
- Detect encoded command execution and base64 payloads
- Identify download cradles, credential dumping, and lateral movement commands
- Score and prioritize findings by threat severity
EXPECTED OUTPUT
- Format
- json
- Schema
- json_schema · total_events, suspicious_events, amsi_bypass_attempts, encoded_commands, download_cradles, credential_access
- Constraints
- include counts for total_events, suspicious_events, amsi_bypass_attempts, encoded_commands, download_cradles, credential_access
EXAMPLES
Includes one sample JSON output structure showing analysis result counts.
CAVEATS
- Dependencies
- Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
- Python 3.8+ with python-evtx and lxml libraries
- Script Block Logging enabled via Group Policy
- Understanding of common PowerShell attack techniques
- Missing context
- Target audience or required analyst skill level
- Exact output format beyond the example JSON
- Detailed commands, queries, or code for executing the steps
- Ambiguities
- Description field is truncated mid-sentence: 'Module Logging (Event'
QUALITY
- OVERALL
- 0.68
- CLARITY
- 0.75
- SPECIFICITY
- 0.60
- REUSABILITY
- 0.70
- COMPLETENESS
- 0.65
IMPROVEMENT SUGGESTIONS
- Complete the truncated description sentence in the YAML header.
- Expand each numbered step with concrete commands, regex patterns, or code snippets.
- Add a section specifying input/output file formats and error handling.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR ANALYST
- CTI Analyst for Cybersecurity Project Revisionsanalystsecurity
- Malware Sandbox Evasion Techniques Analyzeranalystsecurity
- NetFlow Pandas Traffic Baselininganalystsecurity
- Data Staging Exfiltration Threat Hunteranalystsecurity
- NetFlow Security Anomaly Analyzeranalystsecurity
- PowerShell EVTX Script Block Analyzeranalystsecurity
- Domain Fronting C2 Traffic Detectoranalystsecurity
- DNS-Based Persistence Hunting Proceduresanalystsecurity
- Heap Spray Exploitation Memory Dump Analyzeranalystsecurity
- PowerShell Empire Event Log Analyzeranalystsecurity
- Zeek Conn.log Beaconing Pattern Detectoranalystsecurity
- API Gateway Access Log Attack Analyzeranalystsecurity
- Android APK Malware Static Analysisanalystsecurity
- Kubernetes Audit Log Security Analyzeranalystsecurity
- Cloud Storage Access Anomaly Detectoranalystsecurity
- Office 365 Audit Log Compromise Analyzeranalystsecurity
- Academic Research Brainstorm and Improvement Analyzeranalystresearch
- ML Missing Values Treatment Pipelineanalystanalysis
- Quantitative Sports Betting Edge Evaluatoranalystanalysis
- B2B Manufacturing Homepage Tech-SEO Diagnosticanalystanalysis
- OSINT US Surveillance Source Investigatoranalystresearch
- Curated Compendium of Cuckold BNWO Websitesanalystresearch
- US Indices Market News and Sentiment Reporteranalystfinance
- Technical Academic Paper Revieweranalystanalysis
- UX Landing Page Conversion Analyzeranalystanalysis