PowerShell Script Block Analysis

v20260317

analyzing-powershell-script-block-logging

Parses PowerShell Event ID 4104 logs from EVTX files to rebuild script blocks, run entropy and pattern checks, and flag obfuscated commands, encoded payloads, download cradles, and AMSI bypass attempts for security response workflows.

PowerShell Security LogAnalysis Forensics Evtx Detection Automation

Get Skill

347 downloads

Overview

Instructions

Install dependencies: pip install python-evtx lxml
Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx
Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
Apply detection heuristics:
- Base64-encoded commands (-EncodedCommand, FromBase64String)
- Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
- AMSI bypass patterns (AmsiUtils, amsiInitFailed)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.

Info

Category Development

Name analyzing-powershell-script-block-logging

Version v20260317

Size 9.2KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18