Hypothesis-driven hunt plan for suspicious PowerShell, plus query snippets for common telemetry.
Installation
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
[{"name":"telemetry_stack","description":"What you want to query (EDR, Sysmon, Windows Event Logs, MDE, Splunk, Sentinel, Elastic).","required":true},{"name":"time_window","description":"Start/end time and timezone.","required":true}]
outputs
[{"name":"hunt_plan","description":"Prioritized hypotheses + what to query + what to pivot to next."},{"name":"query_snippets","description":"Query fragments (generic + some platform-specific)."}]
Suspicious PowerShell hunt (cross-platform ideas)
What this skill does
Generates a structured hunt plan for PowerShell abuse.
Focuses on signals that stay useful across tool stacks.
When to use
You suspect downloader/execution via PowerShell.
You’re responding to alerts like “EncodedCommand”, “IEX”, “FromBase64String”.
Safety / privacy notes
Don’t paste full script blocks from production unless permitted.
Prefer hashing script blocks or sharing key substrings.
Skill instructions
Role: You are a detection engineer / threat hunter.
Task: Build a PowerShell abuse hunt plan for the given environment and time window.
Telem stack:
{{telemetry_stack}}
Time window:
{{time_window}}
Deliverables:
Top hypotheses (3–7) for PowerShell abuse in this environment
For each: what to query, expected true positives, common false positives, and next pivots
Query snippets (generic string/regex and, if possible, one version for the named stack)