hunting-for-unusual-service-installations

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill correctly implements threat hunting logic for MITRE ATT&CK technique T1543.003 (Windows Service) by parsing System event logs for Event ID 7045. It identifies suspicious patterns such as temp directory paths, encoded PowerShell commands, and LOLBins.
  • [SAFE]: No network communication, exfiltration, or credential harvesting patterns were detected. The script processes .evtx files locally and outputs analysis results to the console.
  • [SAFE]: The Python script uses standard libraries (python-evtx, lxml) for its intended purpose. No evidence of obfuscation, dynamic code execution (eval/exec), or command injection was found.
  • [SAFE]: There are no signs of prompt injection or malicious instructions in the metadata or documentation. The skill's stated purpose matches its technical implementation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 13, 2026, 12:40 PM