Skill

hunting-for-anomalous-powershell-execution

From asi

Parses Windows EVTX files for malicious PowerShell via Event 4104/4103 logs, detecting AMSI bypasses, obfuscated commands, encoded payloads, credential dumping, and download cradles. For threat hunting and incident analysis.

Powershell

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text

SKILL.md

Similar Skills

hunting-for-anomalous-powershell-execution

5.9k

Hunts malicious PowerShell in EVTX files via Script Block (Event 4104) and Module Logging (Event 4103), detecting AMSI bypasses, obfuscation, encoded payloads, credential dumps, and download cradles.

3 files

cybersecurity-skills

hunting-for-anomalous-powershell-execution

Hunts malicious PowerShell activity in Windows EVTX logs (events 4104/4103) by parsing script blocks, detecting obfuscation, AMSI bypasses, encoded payloads, credential dumps, and download cradles.

3 files

cybersecurity-skills-zh

analyzing-powershell-script-block-logging

Parses Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files using python-evtx to reconstruct scripts and detect obfuscated commands, Base64 payloads, download cradles, Invoke-Expression abuse, and AMSI bypasses for threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hunting for Anomalous PowerShell Execution

Overview

PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text executed on a Windows endpoint, making it the primary data source for hunting malicious PowerShell. Combined with Module Logging (4103) and process creation events, analysts can detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools, and fileless attack techniques even when the attacker uses obfuscation layers.

When to Use

When investigating security incidents that require hunting for anomalous powershell execution

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational

Python 3.8+ with python-evtx and lxml libraries

Script Block Logging enabled via Group Policy

Understanding of common PowerShell attack techniques

Steps

Parse EVTX files extracting Event 4104 script block text and metadata

Reassemble multi-part script blocks using ScriptBlock ID correlation

Scan script text for AMSI bypass indicators and obfuscation patterns

Detect encoded command execution and base64 payloads

Identify download cradles, credential dumping, and lateral movement commands

Score and prioritize findings by threat severity

Expected Output

{ "total_events": 1247, "suspicious_events": 23, "amsi_bypass_attempts": 2, "encoded_commands": 8, "download_cradles": 5, "credential_access": 3 }