Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
Quality: 52%
Impact: Pending (no eval scenarios have been run)
Risk: Do not use without reviewing
Discovery
Score: 82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific skill description that excels at naming concrete detection capabilities and using domain-appropriate trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over other security-related skills. The technical specificity makes it very distinctive and unlikely to conflict with other skills.
Suggestions

- Add an explicit 'Use when...' clause, e.g., 'Use when analyzing Windows event logs for signs of PowerShell Empire compromise, investigating suspicious PowerShell activity, or performing threat hunting for post-exploitation frameworks.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detecting Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific detection capabilities, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'PowerShell Empire', 'Windows event logs', 'Base64 encoded', 'Script Block Logging', 'IOCs', 'stager', 'launcher patterns', 'user agents'. These are highly specific and natural trigger terms for this domain. | 3 / 3 |
| Distinctiveness / Conflict Risk | Extremely specific niche targeting PowerShell Empire framework detection in Windows event logs. This is unlikely to conflict with other skills due to the highly specialized domain and specific artifact types mentioned. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Score: 22%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level briefing document than an actionable skill. It identifies the right detection patterns and concepts but completely lacks executable code, concrete examples, parsing commands, or a step-by-step workflow. Claude would not be able to perform the described analysis based solely on this content.
Suggestions

- Add executable Python code for parsing EVTX files and searching for the listed detection patterns (e.g., using python-evtx or a similar library with regex matching).
- Provide a concrete step-by-step workflow: 1) Load EVTX, 2) Filter Event ID 4104, 3) Search for patterns, 4) Decode Base64, 5) Generate report, with validation at each step.
- Include an example JSON output schema so the expected report format is unambiguous.
- Remove the generic 'When to Use' section and replace it with a concrete example showing a sample suspicious log entry and the expected detection output.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is largely filler that doesn't add actionable value (e.g., 'When investigating security incidents that require analyzing powershell empire artifacts' is circular). The overview also restates information that appears again in 'Key Detection Patterns'. However, it's not egregiously verbose. | 2 / 3 |
| Actionability | There is no executable code, no concrete commands, no example queries, and no sample log entries. The skill describes what to detect but never shows how to actually do it: no Python scripts, no PowerShell queries, no regex patterns, no EVTX parsing examples. | 1 / 3 |
| Workflow Clarity | There is no workflow or sequence of steps. The skill lists detection patterns and describes a desired output but provides no process for getting from input (event logs) to output (JSON report). No validation checkpoints or error handling are mentioned. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections with headers, which is good. However, there are no references to external files for deeper content (e.g., example EVTX files, detection rule libraries, or detailed module signature lists), and the 'Output' section describes a JSON report without showing its schema or linking to an example. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
Score: 90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |