Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
48
Does it follow best practices? 52%
Impact: No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality

Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific skill description that excels at naming concrete detection capabilities and uses domain-appropriate terminology that security professionals would naturally use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over other security-related skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when analyzing Windows event logs for signs of PowerShell Empire compromise, investigating suspicious PowerShell activity, or performing threat hunting for post-exploitation frameworks.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detecting Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific detection capabilities, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'PowerShell Empire', 'Windows event logs', 'Base64 encoded', 'Script Block Logging', 'IOCs', 'stager', 'launcher patterns', 'user agents'. These are highly specific and natural trigger terms for this domain. | 3 / 3 |
| Distinctiveness / Conflict Risk | Extremely specific niche targeting PowerShell Empire framework detection in Windows event logs. This is unlikely to conflict with other skills due to the highly specialized domain and specific artifact types mentioned. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level description or requirements document than an actionable skill. It identifies what Empire artifacts look like but provides zero executable guidance on how to detect them — no code, no regex, no queries, no example log entries, and no step-by-step workflow. The detection patterns list is useful but insufficient without implementation details.
Suggestions
Add executable Python code for parsing EVTX files and searching for the listed detection patterns (e.g., using python-evtx library with regex matching).
Provide a concrete step-by-step workflow: load logs → decode Base64 → match patterns → generate report, with validation at each stage.
Include at least one example input (sample Script Block Logging event) and expected output (the JSON report schema with a populated example).
Remove the generic 'When to Use' section and the explanation of what PowerShell Empire is — Claude already knows this. Replace with actionable content.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is generic filler that doesn't add value, and the overview explains what PowerShell Empire is (which Claude already knows). However, the detection patterns section is reasonably lean and informative. | 2 / 3 |
| Actionability | There is no executable code, no concrete commands, no example queries, and no sample log entries. The skill describes what to detect but never shows how to actually do it: no Python scripts, no PowerShell queries, no regex patterns, no EVTX parsing code. | 1 / 3 |
| Workflow Clarity | There is no workflow or sequence of steps. The skill lists detection patterns and describes a desired output format but provides no process for going from raw logs to the JSON report. No validation checkpoints or error handling are mentioned. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections with headers, which is good. However, there are no references to supporting files, no linked examples, and the output section mentions a JSON report format without providing a schema or example. For a skill with no bundle files, the inline content itself is insufficient. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |