analyzing-powershell-script-block-logging
CommunityUncover hidden PowerShell blocks in logs.
System Documentation
What problem does it solve?
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
Core Features & Use Cases
- Reconstruct multi-part ScriptBlockText from Event 4104 entries
- Detect suspicious patterns such as -EncodedCommand, FromBase64String, Invoke-Expression, and AMSI bypass indicators
- Entropy-based obfuscation detection and comprehensive reporting (including script previews and MITRE mappings)
Quick Start
Run the PowerShell Script Block Logging Analyzer on a PowerShell Operational EVTX file to reconstruct scripts and generate a findings report.
Dependency Matrix
Required Modules
Components
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: analyzing-powershell-script-block-logging Download link: https://github.com/Axxxxxxaaann/KAIRI-Skills/archive/main.zip#analyzing-powershell-script-block-logging Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.