Hunting for Anomalous PowerShell Execution
Overview
PowerShell Script Block Logging (Event ID 4104) records the full deobfuscated script text
executed on a Windows endpoint, making it the primary data source for hunting malicious
PowerShell. Combined with Module Logging (4103) and process creation events, analysts can
detect encoded commands, AMSI bypass patterns, download cradles, credential theft tools,
and fileless attack techniques even when the attacker uses obfuscation layers.
Prerequisites
- Windows Event Log exports (.evtx) from Microsoft-Windows-PowerShell/Operational
- Python 3.8+ with python-evtx and lxml libraries
- Script Block Logging enabled via Group Policy
- Understanding of common PowerShell attack techniques
Steps
- Parse EVTX files extracting Event 4104 script block text and metadata
- Reassemble multi-part script blocks using ScriptBlock ID correlation
- Scan script text for AMSI bypass indicators and obfuscation patterns
- Detect encoded command execution and base64 payloads
- Identify download cradles, credential dumping, and lateral movement commands
- Score and prioritize findings by threat severity
Expected Output
{
"total_events": 1247,
"suspicious_events": 23,
"amsi_bypass_attempts": 2,
"encoded_commands": 8,
"download_cradles": 5,
"credential_access": 3
}
