Skill

analyzing-powershell-script-block-logging

Parses PowerShell Script Block Logs from EVTX files to detect obfuscated commands, encoded payloads, download cradles, and AMSI bypasses using python-evtx and entropy analysis.

Python

Powershell

Bash

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing powershell script block logging

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 21, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing PowerShell Script Block Logging

When to Use

When investigating security incidents that require analyzing powershell script block logging
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install python-evtx lxml
Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx
Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
Apply detection heuristics:
- Base64-encoded commands (-EncodedCommand, FromBase64String)
- Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
- AMSI bypass patterns (AmsiUtils, amsiInitFailed)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.