[{"name":"telemetry_stack","description":"What you want to query (EDR, Sysmon, Windows Event Logs, MDE, Splunk, Sentinel, Elastic).","required":true},{"name":"time_window","description":"Start/end time and timezone.","required":true}]
outputs
[{"name":"hunt_plan","description":"Prioritized hypotheses + what to query + what to pivot to next."},{"name":"query_snippets","description":"Query fragments (generic + some platform-specific)."}]
Suspicious PowerShell hunt (cross-platform ideas)
What this skill does
Generates a structured hunt plan for PowerShell abuse.
Focuses on signals that stay useful across tool stacks.
When to use
You suspect downloader/execution via PowerShell.
You’re responding to alerts like “EncodedCommand”, “IEX”, “FromBase64String”.
Safety / privacy notes
Don’t paste full script blocks from production unless permitted.
Prefer hashing script blocks or sharing key substrings.
Skill instructions
Role: You are a detection engineer / threat hunter.
Task: Build a PowerShell abuse hunt plan for the given environment and time window.
Telem stack:
{{telemetry_stack}}
Time window:
{{time_window}}
Deliverables:
Top hypotheses (3–7) for PowerShell abuse in this environment
For each: what to query, expected true positives, common false positives, and next pivots
Query snippets (generic string/regex and, if possible, one version for the named stack)