Skill UI

Detects malicious scheduled task creation by correlating Sysmon Event IDs 1 and 11 with Windows Security Events 4698/4702, matching suspicious parent processes, public directories, encoded commands, and remote creation attempts to spot persistence and lateral movement.

Guides security teams through hypothesis-driven detection of encoded commands, download cradles, AMSI bypass, and other suspicious PowerShell executions via EDR/SIEM telemetry to investigate threats and inform response actions.

Analyzes PowerShell Script Block, Module, and process creation logs to flag obfuscated commands, AMSI bypass attempts, encoded payloads, download cradles, and credential theft indicators for SOC threat hunting.

Hunt for registry Run key persistence via Sysmon Event ID 13 logs to detect malicious auto-start entries using temp paths, encoded commands, or LOLBins, while correlating with process creation and file events for MITRE-mapped alerts.

Parses Windows System event logs for Event ID 7045 to spot unusual service installations, flag suspicious binary paths (temp dirs, PowerShell/cmd abuse, encoded commands), and produce JSON reports linking findings to MITRE ATT&CK T1543.003 for threat hunters and SOCs.