
pentest-detection

Detection engineering — Sigma, Splunk SPL, Elastic KQL, Microsoft Sentinel KQL, YARA, Suricata rule writing advisory. Triggers on detection engineering, Sigma rule, Splunk SPL, Elastic KQL, Sentinel KQL, YARA, Suricata, Snort, SIEM rule, EDR rule, hunting query.
fatihkan/badi · ★ 5 · AI & Automation · score 76
Install: claude install-skill fatihkan/badi
# pentest-detection

Defensive detection-rule writing. Converts pentest findings into detection rules so that the same technique is caught the next time it is used.

## Triggers

- "write a Sigma rule"
- "Splunk SPL query"
- "KQL hunting query"
- "Sentinel rule"
- "YARA signature"
- "Suricata rule"
- "detection coverage analysis"

## Sigma (Vendor-Agnostic)

```yaml
title: Suspicious PowerShell Encoded Command Execution
id: 12345678-1234-1234-1234-1234567890ab
status: experimental
description: Detects PowerShell with -EncodedCommand flag, common in payloads
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Team
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  service: powershell   # Event ID 4104 is script block logging; it is not a process_creation event
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '        # short alias; expect noise from legitimate abbreviated parameters
  filter:
    User|startswith: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter
falsepositives:
  - Legitimate admin scripts
level: high
```

## Splunk SPL

```spl
index=windows EventCode=4104
| where match(ScriptBlockText, "-EncodedCommand|-enc\s|-e\s")
| stats count by Computer, User, ScriptBlockText
| where count > 1
| sort -count
```

## Elastic KQL

```
event.code:"4104" AND powershell.file.script_block_text:(*-EncodedCommand* OR "-enc " OR "-e ") AND NOT user.name:"SYSTEM"
```

## Microsoft Sentinel KQL

```kql
SecurityEvent
| where EventID == 4104
| where EventData has_any ("-EncodedComma
```
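The block below is an added example and is not part of the skill or the page: a minimal evaluator for the Sigma rule's `detection` section, implementing only the pieces that rule uses (the `contains` and `startswith` field modifiers, list values OR-ed together, and the `selection and not filter` condition) and running it over constructed Event ID 4104 records. It is not a real Sigma backend (pySigma or sigma-cli would be used to convert the rule for a SIEM); the function names, the event dicts and their field names are assumptions made for the example. It also shows why the `-e ` pattern is noisy: an abbreviated `-Exclude` parameter trips it.

```python
"""Toy evaluator for the Sigma detection logic above (added example, not from the skill)."""

from typing import Any, Dict, List

# The rule's `detection` section, transcribed from the YAML into Python.
DETECTION: Dict[str, Dict[str, Any]] = {
    "selection": {
        "EventID": 4104,
        "ScriptBlockText|contains": ["-EncodedCommand", "-enc ", "-e "],
    },
    "filter": {
        "User|startswith": "NT AUTHORITY\\SYSTEM",
    },
}

# Constructed sample events (not real log data); field names assumed to match the rule.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"EventID": 4104, "User": "NT AUTHORITY\\SYSTEM",
     "ScriptBlockText": "powershell -enc SQBFAFgA..."},          # matches, but filtered out
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-Service -Name winrm"},              # benign, no match
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem -e *.log"},               # '-e ' = abbreviated -Exclude: false positive
    {"EventID": 4103, "User": "CORP\\jdoe",
     "ScriptBlockText": "-EncodedCommand ..."},                  # wrong event ID, no match
]


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one `field|modifier: value(s)` pair. List values are OR-ed.

    Sigma string matching is case-insensitive by default, so everything is
    compared in lower case. A field missing from the event never matches.
    """
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual_s = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value_s = str(value).lower()
        if modifier == "":
            hit = actual_s == value_s
        elif modifier == "contains":
            hit = value_s in actual_s
        elif modifier == "startswith":
            hit = actual_s.startswith(value_s)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if hit:
            return True
    return False


def block_matches(event: Dict[str, Any], block: Dict[str, Any]) -> bool:
    """All key/value pairs inside one named search block are AND-ed."""
    return all(_field_matches(event, key, value) for key, value in block.items())


def rule_fires(event: Dict[str, Any], detection: Dict[str, Dict[str, Any]] = DETECTION) -> bool:
    """Implements the rule's condition: `selection and not filter`."""
    return block_matches(event, detection["selection"]) and not block_matches(event, detection["filter"])


def evaluate(events: List[Dict[str, Any]]) -> List[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, event in enumerate(events) if rule_fires(event)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['ScriptBlockText']}")
```

Running it alerts on events 0 and 3: the encoded payload and the benign `Get-ChildItem -e *.log`, which is exactly the "Legitimate admin scripts" false positive the rule declares. Tightening `-e ` (for example requiring a Base64-looking argument after it) is the usual next tuning step.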