Analyzing PowerShell Script Block Logging

When to Use

• When investigating security incidents that require analyzing powershell script block logging
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Familiarity with security operations concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Instructions

1. Install dependencies:

   pip install python-evtx lxml

2. Collect PowerShell Operational logs:

   Microsoft-Windows-PowerShell%4Operational.evtx

3. Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
4. Apply detection heuristics:
   • Base64-encoded commands (

     -EncodedCommand

     ,

     FromBase64String

     )
   • Download cradles (

     DownloadString

     ,

     DownloadFile

     ,

     Invoke-WebRequest

     ,

     Net.WebClient

     )
   • AMSI bypass patterns (

     AmsiUtils

     ,

     amsiInitFailed

     )
   • Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
5. Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a

ScriptBlockId

. Concatenate blocks ordered by

MessageNumber

to recover the full script.