hunt-lateral-movement

Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.

Overall score: 90

Quality: 88% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its niche in threat hunting for lateral movement. It provides specific techniques (PsExec, WMI), concrete search targets (service installations, remote process execution, network correlations), and an explicit 'Use when' clause with natural trigger language. The description is concise, uses third person voice, and would be easily distinguishable from other security-related skills.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Hunt for lateral movement using PsExec, WMI, or similar techniques', 'Searches for service installations, remote process execution, and suspicious network correlations.' These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both what ('Hunt for lateral movement using PsExec, WMI...searches for service installations, remote process execution, and suspicious network correlations') and when ('Use when proactively searching for attackers moving through your network using admin tools'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'lateral movement', 'PsExec', 'WMI', 'admin tools', 'service installations', 'remote process execution', 'network correlations'. These are terms a security analyst would naturally use when looking for this capability. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on lateral movement detection using named tools (PsExec, WMI). The combination of threat hunting, lateral movement, and specific admin tool abuse creates a clear, non-overlapping domain unlikely to conflict with other security skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |

Implementation

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, actionable hunt skill with concrete UDM queries, clear MCP tool invocations, and a well-sequenced multi-step workflow with appropriate escalation paths. Its main weakness is that it is somewhat long for a single SKILL.md file: the query library and key indicators table add bulk that could be externalized. The placeholder documentation table is a nice touch for customization clarity.

Suggestions

Consider moving the detailed UDM query library to a separate reference file (e.g., LATERAL_MOVEMENT_QUERIES.md) and keeping only 1-2 example queries inline to improve progressive disclosure.

Remove the Key Indicators table at the end since it largely duplicates information already conveyed by the queries themselves, improving conciseness.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and avoids explaining basic concepts, but includes some redundancy (e.g., the Key Indicators table at the end largely repeats what's already clear from the queries, and the placeholder table could be more compact). Overall reasonably lean but could be tightened. | 2 / 3 |
| Actionability | Provides fully concrete UDM queries that are copy-paste ready, specific MCP tool calls with parameters, and clear instructions for each step. The placeholder table explicitly documents what needs customization, and the queries are executable rather than pseudocode. | 3 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced with logical progression from research → query development → execution → correlation → analysis → enrichment → documentation. It includes validation through network correlation (Step 4), enrichment feedback loops (Step 6), explicit escalation paths for confirmed findings, and requires documenting negative results. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and tables, but it's a fairly long monolithic document (~130 lines of content). The references to other skills/commands (e.g., `/enrich-ioc`, `/find-relevant-case`, `case_event_timeline_and_process_analysis`) are well-signaled, but the inline query library could potentially be split into a separate reference file for better organization. | 2 / 3 |
| Total | | 10 / 12 (Passed) |

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |

Repository: dandye/ai-runbooks (Reviewed)
