mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
mukul975
4.1 KiB
4.1 KiB
Hunting for Anomalous PowerShell Execution — API Reference
Windows Event Log IDs
| Event ID | Log Source | Description |
|---|---|---|
| 4104 | Microsoft-Windows-PowerShell/Operational | Script Block Logging — full deobfuscated script text |
| 4103 | Microsoft-Windows-PowerShell/Operational | Module Logging — pipeline execution details |
| 4688 | Security | Process Creation with command line auditing |
| 800 | Windows PowerShell | Pipeline execution (classic log) |
Event 4104 XML Fields
| Field | Path | Description |
|---|---|---|
| ScriptBlockText | EventData/Data[@Name='ScriptBlockText'] | Full script block content |
| ScriptBlockId | EventData/Data[@Name='ScriptBlockId'] | GUID linking multi-part blocks |
| MessageNumber | EventData/Data[@Name='MessageNumber'] | Part number for split blocks |
| MessageTotal | EventData/Data[@Name='MessageTotal'] | Total parts in split block |
| Path | EventData/Data[@Name='Path'] | Script file path (if applicable) |
AMSI Bypass Indicators
| Indicator | Context |
|---|---|
System.Management.Automation.AmsiUtils |
Reflection access to AMSI internals |
amsiInitFailed |
Setting AMSI init flag to bypass scanning |
AmsiScanBuffer |
Patching the scan buffer function |
amsi.dll |
Direct DLL manipulation |
VirtualProtect |
Memory protection change for AMSI patching |
Marshal::Copy |
Overwriting AMSI function bytes in memory |
Suspicious PowerShell Keywords
| Keyword | Category |
|---|---|
Invoke-Mimikatz |
Credential Dumping |
Invoke-Kerberoast |
Credential Access |
Invoke-ShellCode |
Code Injection |
Invoke-ReflectivePEInjection |
Process Injection |
PowerView |
Active Directory Enumeration |
SharpHound / BloodHound |
AD Attack Path Mapping |
Rubeus |
Kerberos Ticket Manipulation |
Out-Minidump |
LSASS Memory Dumping |
Download Cradle Patterns
| Pattern | Example |
|---|---|
Net.WebClient |
(New-Object Net.WebClient).DownloadString(...) |
Invoke-WebRequest |
IWR -Uri http://... -OutFile ... |
DownloadString |
$wc.DownloadString('http://...') |
Start-BitsTransfer |
Start-BitsTransfer -Source http://... |
Invoke-RestMethod |
IRM http://... | IEX |
Obfuscation Indicators
| Pattern | Description |
|---|---|
-EncodedCommand / -enc |
Base64-encoded PowerShell command |
IEX / Invoke-Expression |
Dynamic execution of string content |
[Convert]::FromBase64String |
Base64 decoding in script |
-join [char[]] |
Character array concatenation obfuscation |
.Replace() chaining |
String substitution for keyword evasion |
python-evtx Library Usage
import Evtx.Evtx as evtx
from lxml import etree
with evtx.Evtx("PowerShell-Operational.evtx") as log:
for record in log.records():
xml = record.xml()
root = etree.fromstring(xml.encode("utf-8"))
# Extract EventID, EventData fields
CLI Usage
# Hunt for suspicious PowerShell in EVTX file
python agent.py --evtx /path/to/PowerShell-Operational.evtx
# Limit events parsed
python agent.py --evtx logs.evtx --max-events 5000
# Save report to JSON
python agent.py --evtx logs.evtx --output hunt_report.json
Group Policy Settings for Script Block Logging
Computer Configuration > Administrative Templates > Windows Components
> Windows PowerShell > Turn on PowerShell Script Block Logging
-> Enabled
-> Log script block invocation start / stop events: Checked