mukul975/analyzing-powershell-script-block-logging
skills/analyzing-powershell-script-block-logging/SKILL.md
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
$ install --global
skillsauthnpx skillsauth add mukul975/cyber-skills analyzing-powershell-script-block-loggingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 9:21 AM39.9s3 files scanned
SKILL.md
- name:
- analyzing-powershell-script-block-logging
- description:
- Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
- domain:
- cybersecurity
- subdomain:
- security-operations
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Analyzing PowerShell Script Block Logging
When to Use
- When investigating security incidents that require analyzing powershell script block logging
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
- Install dependencies:
pip install python-evtx lxml - Collect PowerShell Operational logs:
Microsoft-Windows-PowerShell%4Operational.evtx - Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
- Apply detection heuristics:
- Base64-encoded commands (
-EncodedCommand,FromBase64String) - Download cradles (
DownloadString,DownloadFile,Invoke-WebRequest,Net.WebClient) - AMSI bypass patterns (
AmsiUtils,amsiInitFailed) - Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
- Base64-encoded commands (
- Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.
python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json
Examples
Detect Encoded Command Execution
import base64
if "-encodedcommand" in script_text.lower():
encoded = script_text.split()[-1]
decoded = base64.b64decode(encoded).decode("utf-16-le")
Reconstruct Multi-Block Script
Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.
Related Skills
mukul975/acquiring-disk-image-with-dd-and-dcfldd
content-media
VerifiedTrustedCommunity
Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
13,651SKILL.mdUpdated Apr 16, 2026
mukul975/building-phishing-reporting-button-workflow
tools
VerifiedTrustedCommunity
Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.
12,656SKILL.mdUpdated May 31, 2026
mukul975/building-patch-tuesday-response-process
development
VerifiedTrustedCommunity
Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates within risk-based remediation SLAs.
12,656SKILL.mdUpdated May 31, 2026
mukul975/building-malware-incident-communication-template
development
VerifiedTrustedCommunity
Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
12,656SKILL.mdUpdated May 31, 2026