
analyzing-powershell-script-block-logging

Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

72

Quality: 66% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a highly specific and technically detailed description that excels at naming concrete actions and domain-specific trigger terms relevant to digital forensics and incident response. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The description is well-written in third person and avoids vague language.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze EVTX files, investigate PowerShell execution logs, detect obfuscated scripts, or perform forensic analysis of Windows event logs.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: parsing PowerShell Script Block Logs (Event ID 4104), extracting and reconstructing multi-block scripts, applying entropy analysis and pattern matching, detecting Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Completeness (2 / 3): The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the nature of the actions described.

Trigger Term Quality (3 / 3): Excellent coverage of natural keywords a security analyst would use: 'PowerShell', 'Script Block Logs', 'Event ID 4104', 'EVTX', 'obfuscated commands', 'encoded payloads', 'living-off-the-land', 'Base64', 'Invoke-Expression', 'AMSI bypass', 'download cradles'. These are highly specific and natural terms in the threat hunting/DFIR domain.

Distinctiveness / Conflict Risk (3 / 3): Extremely distinct niche: Windows PowerShell Script Block Log analysis from EVTX files with specific Event ID 4104. The combination of EVTX parsing, PowerShell forensics, and specific detection techniques (AMSI bypass, download cradles) makes it very unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable overview of PowerShell Script Block Log analysis but falls short on actionability—key operations like EVTX parsing with python-evtx and multi-block reconstruction lack complete, executable code. The 'When to Use' and 'Prerequisites' sections add unnecessary tokens that Claude doesn't need, and the workflow lacks validation checkpoints for what is a multi-step forensic analysis process.

Suggestions

Add a complete, executable python-evtx parsing example that opens an EVTX file, filters for Event ID 4104, extracts ScriptBlockText/ScriptBlockId, and reconstructs multi-block scripts—not just a conceptual description.

Remove or drastically shorten the 'When to Use' and 'Prerequisites' sections, which explain things Claude already knows and waste token budget.

Add explicit validation checkpoints: verify EVTX file can be opened, confirm event count after filtering, validate that all MessageNumber values are present before reconstruction.

Provide a concrete example of the expected output format (e.g., a sample JSON schema for ps_analysis.json) so Claude knows exactly what to produce.

Dimension / Reasoning / Score

Conciseness (2 / 3): The 'When to Use' section is somewhat generic and padded (e.g., 'When SOC analysts need structured procedures for this analysis type' adds little). Prerequisites like 'Familiarity with security operations concepts' are unnecessary for Claude. However, the core instructions are reasonably tight.

Actionability (2 / 3): There are some concrete elements (pip install command, code snippet for Base64 decoding, CLI invocation), but the detection heuristics in step 4 are described rather than implemented with executable code. The multi-block reconstruction example is described conceptually without actual executable code showing the python-evtx parsing loop.

Workflow Clarity (2 / 3): Steps are listed in a logical sequence (install → collect → parse → detect → report), but there are no validation checkpoints. For a workflow involving parsing potentially malformed EVTX files and applying detection heuristics, there should be explicit validation steps (e.g., verify event count, validate reconstruction completeness, handle parsing errors).

Progressive Disclosure (2 / 3): The content is reasonably structured with sections, but everything is inline in a single file. The reference to `scripts/agent.py` implies external tooling exists, but there's no navigation to it or to any reference material for detection patterns, MITRE mappings, or advanced usage.

Total: 8 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
