log-evasion
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). Explicitly malicious: the document is a detailed, actionable red-team/anti-forensics playbook that instructs how to disable/patch ETW/AMSI/EDR, stop or hijack EventLog/auditd, edit EVTX/wtmp/journal entries, hide processes/connections (LD_PRELOAD, raw syscalls, in-memory exec), block/modify syslog forwarding, and otherwise enable persistence, credential theft, remote access and cover-up of intrusions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill contains explicit privilege-abuse and system-tampering instructions (such as `kill -9 auditd`, `auditctl -e 0`, `net stop eventlog`, modifying `.evtx` files, patching `ntdll` / unloading the sysmon driver, editing `/var/log`, etc.); these operations require elevated privileges and change the machine's state, so they should be flagged.
Issues (2)
E006
CRITICAL: Malicious code pattern detected in skill scripts.
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata