Skill UI

Parses PowerShell Script Block Logs (Event ID 4104) from EVTX files to reconstruct obfuscated payloads, decode Base64 commands, and flag download/AMSI bypass patterns for SOC and threat hunting use.

Hunts suspicious PowerShell executions by spotting encoded commands, macro-triggered download cradles, AMSI bypass attempts, and constrained language evasion across EDR and SIEM telemetry, tying results back to MITRE T1059 in proactive detection or incident-response workflows.

Analyzes PowerShell EVTX logs to flag obfuscated script block execution, encoded commands, AMSI bypass attempts, download cradles, credential dumping keywords, and other anomalous behaviors, helping SOC analysts and threat hunters prioritize findings.