creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 15:34:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d63b578a2f98cf26496aad4e997c7f57a388bccd
Anthropic-Cybersecurity-Skills/skills/analyzing-powershell-script-block-logging/SKILL.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

47 lines
1.9 KiB
Markdown
Raw Blame History

---
name: analyzing-powershell-script-block-logging
description: >-
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, powershell, script, block]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing PowerShell Script Block Logging
## Instructions
1. Install dependencies: `pip install python-evtx lxml`
2. Collect PowerShell Operational logs: `Microsoft-Windows-PowerShell%4Operational.evtx`
3. Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
4. Apply detection heuristics:
- Base64-encoded commands (`-EncodedCommand`, `FromBase64String`)
- Download cradles (`DownloadString`, `DownloadFile`, `Invoke-WebRequest`, `Net.WebClient`)
- AMSI bypass patterns (`AmsiUtils`, `amsiInitFailed`)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
5. Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.
```bash
python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json
```
## Examples
### Detect Encoded Command Execution
```python
import base64
if "-encodedcommand" in script_text.lower():
encoded = script_text.split()[-1]
decoded = base64.b64decode(encoded).decode("utf-16-le")
```
### Reconstruct Multi-Block Script
Scripts split across multiple 4104 events share a `ScriptBlockId`. Concatenate blocks ordered by `MessageNumber` to recover the full script.
Reference in New Issue View Git Blame Copy Permalink