Skill

analyzing-powershell-script-block-logging

From asi

Parses Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files using python-evtx to reconstruct scripts and detect obfuscated commands, Base64 payloads, download cradles, Invoke-Expression abuse, and AMSI bypasses for threat hunting.

Python

Powershell

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing powershell script block logging

SKILL.md

Similar Skills

analyzing-powershell-script-block-logging

5.9k

Parses PowerShell Script Block Logs from EVTX files to detect obfuscated commands, encoded payloads, download cradles, and AMSI bypasses using python-evtx and entropy analysis.

3 files

cybersecurity-skills

analyzing-powershell-script-block-logging

Parses PowerShell script block logs (Event ID 4104) from EVTX files to detect obfuscated commands, Base64 payloads, download cradles, AMSI bypasses via python-evtx, entropy analysis, and pattern matching.

3 files

cybersecurity-skills-zh

hunting-for-anomalous-powershell-execution

Parses Windows EVTX files for malicious PowerShell via Event 4104/4103 logs, detecting AMSI bypasses, obfuscated commands, encoded payloads, credential dumping, and download cradles. For threat hunting and incident analysis.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing PowerShell Script Block Logging

When to Use

When investigating security incidents that require analyzing powershell script block logging

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install python-evtx lxml

Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx

Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.

Apply detection heuristics:

Base64-encoded commands (-EncodedCommand, FromBase64String)
Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
AMSI bypass patterns (AmsiUtils, amsiInitFailed)
Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)

Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64 if "-encodedcommand" in script_text.lower(): encoded = script_text.split()[-1] decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.