analyzing-powershell-script-block-logging
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-powershell-script-block-loggingDecodes obfuscated PowerShell scripts to reveal hidden attack techniques.
- Detects Base64 payloads and AMSI bypass attempts in EVTX logs.
- Relies on python-evtx and entropy analysis for accurate parsing.
- Reconstructs multi-block scripts to identify living-off-the-land tactics.
- Outputs structured findings for SOC analysts and threat hunting teams.
SKILL.md
.github/skills/analyzing-powershell-script-block-loggingView on GitHub ↗
---
name: analyzing-powershell-script-block-logging
description: >-
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, powershell, script, block]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing PowerShell Script Block Logging
## When to Use
- When investigating security incidents that require analyzing powershell script block logging
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install python-evtx lxml`
2. Collect PowerShell Operational logs: `Microsoft-Windows-PowerShell%4Operational.evtx`
3. Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
4. Apply detection heuristics:
- Base64-encoded commands (`-EncodedCommand`, `FromBase64String`)
- Download cradles (`DownloadString`, `DownloadFile`, `Invoke-WebRequest`, `Net.WebClient`)
- AMSI bypass patterns (`AmsiUtils`, `amsiInitFailed`)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
5. Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.
```bash
python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json
```
## Examples
### Detect Encoded Command Execution
```python
import base64
if "-encodedcommand" in script_text.lower():
encoded = script_text.split()[-1]
decoded = base64.b64decode(encoded).decode("utf-16-le")
```
### Reconstruct Multi-Block Script
Scripts split across multiple 4104 events share a `ScriptBlockId`. Concatenate blocks ordered by `MessageNumber` to recover the full script.
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.