CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-powershell-empire-artifacts

Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A clean, well-organized overview that names the right IOCs, but it stops short of giving executable guidance and fails to link the substantive bundle files (the detection script and SIEM query reference), leaving the workflow implicit.

Suggestions

Reference the bundle files explicitly, e.g. "## Detection — run scripts/agent.py against EVTX exports" and "## SIEM queries — see references/api-reference.md," so Claude reaches the executable content.

Replace the conceptual Overview sentence about what PowerShell Empire is with a concrete first step (e.g. acquire EVTX / enable Event ID 4104 logging) to improve both conciseness and actionability.

Add an explicit ordered workflow with a verification checkpoint, e.g. scan logs → decode Base64 → confirm staging URI/module match → emit JSON report, to lift workflow clarity from 2 to 3.

DimensionReasoningScore

Conciseness

The body is mostly efficient and well-sectioned, but the Overview explains a concept Claude already knows ("PowerShell Empire is a post-exploitation framework consisting of listeners, stagers, and agents"), which is unnecessary context that keeps it below the lean/efficient anchor.

2 / 3

Actionability

It gives concrete IOC strings (launcher flags, stager patterns, module names) but no executable code or commands in the body, and it never directs Claude to the provided scripts/agent.py that performs the actual detection, so guidance is incomplete.

2 / 3

Workflow Clarity

Sections imply a loose sequence (Prerequisites → Key Detection Patterns → Output) but there is no explicit ordered workflow or validation/verification checkpoint for the analysis process, matching the "sequence present but checkpoints missing" anchor.

2 / 3

Progressive Disclosure

The body is a well-organized, lean set of sections, but the bundle files references/api-reference.md and scripts/agent.py exist and are never signaled or linked from SKILL.md, so Claude cannot navigate to the detailed reference and executable script.

2 / 3

Total

8

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-scoped description with strong trigger terms and distinctiveness, weakened only by the absence of an explicit "Use when…" clause that would tell Claude precisely when to invoke it.

Suggestions

Add an explicit "Use when…" clause, e.g. "Use when investigating PowerShell Empire C2 in Windows event logs or when threat hunting for Empire launchers, stagers, or module signatures," to lift completeness from 2 to 3.

Include common user phrasings such as "Empire C2" or "PowerShell staging activity" to broaden natural trigger coverage.

DimensionReasoningScore

Specificity

The description lists multiple concrete actions in third person — "identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures" — matching the anchor for listing several specific concrete actions rather than a single vague phrase.

3 / 3

Completeness

It clearly answers "what" (detect Empire artifacts via the listed signatures) but provides no explicit "Use when…" trigger guidance, so per the rubric guideline a missing trigger clause caps completeness at 2 rather than 3.

2 / 3

Trigger Term Quality

It uses natural domain terms a SOC analyst would actually say when needing this skill — "PowerShell Empire," "Windows event logs," "Base64," "stager," and "Script Block Logging" — giving good coverage rather than only technical jargon.

3 / 3

Distinctiveness Conflict Risk

Naming a specific framework (PowerShell Empire) and its artifact classes carves out a clear niche unlikely to trigger the wrong skill, matching the distinct-trigger anchor.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.