Skills
.Work. You
Rest

defensive-edr-evasion

Community

Detect EDR evasion and triage SOC alerts

Data & Analytics#detection#kql#yara#amsi#edr-evasion#ppid-spoofing#etw
Authorriparino
Version1.0.0
Installs0

System Documentation

What problem does it solve?

EDR evasion detection and threat-hunting guidance to identify and respond to anti-forensic techniques used by attackers, including PPID spoofing, AMSI bypass, and process-injection artifacts.

Core Features & Use Cases

  • EDR evasion indicators: PPID spoofing, AMSI patches, direct syscall patterns, reflective DLL artifacts, ETW patch detection.
  • SOC triage guidance: detection rules and KQL queries for MDE process injection and AMSI events.
  • Use Case: When investigating suspicious PowerShell or CreateRemoteThread activities, apply this skill to surface relevant signals and triage steps.

Quick Start

Run the SOC triage workflow to identify AMSI patches and PPID spoofing signals in PowerShell and process-injection events.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: defensive-edr-evasion
Download link: https://github.com/riparino/Claude-Cyber/archive/main.zip#defensive-edr-evasion

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.