
detecting-evasion-techniques-in-endpoint-logs

by mukul975

The detecting-evasion-techniques-in-endpoint-logs skill helps hunt defense evasion in Windows endpoint logs, including log clearing, timestomping, process injection, and security tool disabling. Use it for threat hunting, detection engineering, and incident triage with Sysmon, Windows Security, or EDR telemetry.

Added: May 11, 2026
Category: Threat Hunting
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-evasion-techniques-in-endpoint-logs
Curation Score

This skill scores 84/100 and is a solid directory listing candidate. It gives users a clear TA0005 defense-evasion use case, concrete endpoint-log workflows, and helper scripts/resources that reduce guesswork compared with a generic prompt. Directory users should still expect some adoption friction because the repo does not show an install command in SKILL.md and the previewed content is somewhat fragmented across files.

Strengths
  • Clear triggerability for endpoint defense-evasion investigations, with explicit use cases for log tampering, timestomping, process injection, and security tool disabling.
  • Operational support is stronger than a doc-only skill: it includes workflows, references, and two scripts for analyzing Windows event logs / EVTX-style data.
  • Good install-decision value from evidence-backed mappings to MITRE ATT&CK, Sigma, Sysmon event IDs, and detection patterns.
Cautions
  • No install command is present in SKILL.md, so users may need to infer setup and invocation behavior.
  • The preview suggests the main workflow is spread across several files, which may slow first-time use despite the substantial body content.
Overview of detecting-evasion-techniques-in-endpoint-logs skill

What this skill does

The detecting-evasion-techniques-in-endpoint-logs skill helps you hunt for defense evasion in Windows endpoint telemetry, especially MITRE ATT&CK TA0005 activity like log clearing, timestomping, process injection, and disabling security tools. It is most useful for analysts who need a practical detection workflow, not just a list of suspicious commands.

Who should install it

Use the detecting-evasion-techniques-in-endpoint-logs skill if you do threat hunting, detection engineering, or incident triage on Sysmon, Windows Security, or EDR logs. It fits best when you already have endpoint event data and want to turn a vague suspicion into a repeatable hunt.

What makes it different

This skill is grounded in concrete event IDs, query patterns, and hunt templates rather than generic advice. The repo includes workflow guidance, a detection template, and script-based examples, which makes the detecting-evasion-techniques-in-endpoint-logs skill more actionable than a plain prompt for “find malicious activity.”

How to Use detecting-evasion-techniques-in-endpoint-logs skill

Install and confirm scope

Install with npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-evasion-techniques-in-endpoint-logs. After install, confirm the skill activates for endpoint defense-evasion requests, not network evasion or malware reversing. If your case is about proxying, traffic shaping, or payload unpacking, this skill is the wrong fit.

Start with the right inputs

For strong detecting-evasion-techniques-in-endpoint-logs usage, provide:

  • log source: Sysmon, Windows Security, or EDR
  • target technique: for example T1070.001, T1055, or T1562.001
  • time window: last 24 hours vs. 30–90 days
  • environment constraints: domain, baseline noise, allowlists, known admin tools

Weak input: “find evasion.”
Better input: “Hunt for T1070.001 log clearing in Sysmon and Security logs across the last 14 days on 200 endpoints; prioritize evidence that distinguishes admin maintenance from attacker cleanup.”

Read these files first

For the fastest detecting-evasion-techniques-in-endpoint-logs guide, read:

  1. SKILL.md for scope and triggers
  2. assets/template.md for the hunt output format
  3. references/api-reference.md for event IDs and detection patterns
  4. references/workflows.md for hunt and deployment flow
  5. references/standards.md for ATT&CK and Sigma context

Use a hunt-first workflow

The most reliable detecting-evasion-techniques-in-endpoint-logs usage is: pick one technique, validate log coverage, run a narrow query, then triage. Start with the hunt template, map the technique to the right event source, and only then expand to adjacent telemetry like process trees or registry changes. This keeps false positives manageable and makes the result easier to operationalize.

detecting-evasion-techniques-in-endpoint-logs skill FAQ

Is this mainly for Threat Hunting?

Yes. Threat hunting is the clearest use case for detecting-evasion-techniques-in-endpoint-logs because the skill is built around hypothesis-driven searches, triage, and rule refinement. It also works for detection engineering when you want to convert hunt findings into a reusable SIEM rule.

Can I use it with a generic prompt instead?

You can, but the skill is better when you want less guesswork. A generic prompt may produce broad advice; this skill gives you technique-specific inputs, event-source hints, and a practical workflow that is easier to reuse across investigations.

What are the boundaries?

It is focused on endpoint telemetry and Windows-centric defense evasion. Do not expect it to solve network-layer evasion, memory forensics, or full malware analysis. If your logs do not include process creation, script execution, or file-time changes, the detection value will be limited.

Is it beginner-friendly?

Yes, if you already know basic endpoint logging terms. Beginners get the most value by starting with one technique, one data source, and one time range instead of trying to hunt all evasion methods at once.

How to Improve detecting-evasion-techniques-in-endpoint-logs

Give the skill sharper hunt context

The biggest quality gain comes from specifying the technique, platform, and expected noise. For example, mention wevtutil cl, Clear-EventLog, Sysmon Event ID 2, or Defender-disable commands when relevant. That helps the detecting-evasion-techniques-in-endpoint-logs skill produce precise detection logic instead of broad hunting language.

Include baseline and exclusion details

If your environment has admin scripts, imaging tools, EDR maintenance tasks, or backup agents, say so up front. False positives often come from legitimate log maintenance or security operations, so the best result after installing detecting-evasion-techniques-in-endpoint-logs is a prompt that includes the known-good behavior to exclude.

Iterate from evidence, not assumptions

After the first output, refine by feeding back the actual artifacts: event IDs, command lines, source/target images, or noisy hosts. Ask for a narrower query, a triage checklist, or a higher-signal version of the hunt. That is the fastest way to improve detecting-evasion-techniques-in-endpoint-logs usage without over-expanding scope.

Ratings & Reviews

No ratings yet