ワンクリックでManusで任意のスキルを実行

$pwd:

analyzing-powershell-script-block-logging

Name: Analyzing Powershell Script Block Logging
Author: mukul975

// Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Manusで実行

$ git log --oneline --stat

stars:12,624

forks:1,463

updated:2026年4月21日 00:35

ファイルエクスプローラー

4 ファイル

SKILL.md

readonly

name	analyzing-powershell-script-block-logging
description	Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
domain	cybersecurity
subdomain	security-operations
tags	["powershell","script-block-logging","event-id-4104","obfuscation-detection","windows-forensics","endpoint-security"]
version	1.0
author	mahipal
license	Apache-2.0
nist_csf	["DE.CM-01","RS.MA-01","GV.OV-01","DE.AE-02"]

Analyzing PowerShell Script Block Logging

When to Use

When investigating security incidents that require analyzing powershell script block logging
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install python-evtx lxml
Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx
Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
Apply detection heuristics:
- Base64-encoded commands (-EncodedCommand, FromBase64String)
- Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
- AMSI bypass patterns (AmsiUtils, amsiInitFailed)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.

related-skills.json

同じリポジトリ

analyzing-ios-app-security-with-objection.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Runtime iOS app security testing with Objection (Frida): inspect keychain and filesystem data, explore app internals at runtime, and validate/bypass client-side protections during authorized mobile assessments.

2026-05-2512.6k

analyzing-azure-activity-logs-for-threats.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

2026-04-2112.6k

analyzing-memory-forensics-with-lime-and-volatility.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.

2026-04-2112.6k

acquiring-disk-image-with-dd-and-dcfldd.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

2026-04-0612.6k

analyzing-active-directory-acl-abuse.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

2026-04-0612.6k

analyzing-android-malware-with-apktool.md

from "mukul975/Anthropic-Cybersecurity-Skills"

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

2026-04-0612.6k

package.json

"author": "mukul975"

"repository": "mukul975/Anthropic-Cybersecurity-Skills"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

name	analyzing-powershell-script-block-logging
description	Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
domain	cybersecurity
subdomain	security-operations
tags	["powershell","script-block-logging","event-id-4104","obfuscation-detection","windows-forensics","endpoint-security"]
version	1.0
author	mahipal
license	Apache-2.0
nist_csf	["DE.CM-01","RS.MA-01","GV.OV-01","DE.AE-02"]

Analyzing PowerShell Script Block Logging

When to Use

When investigating security incidents that require analyzing powershell script block logging
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install python-evtx lxml
Collect PowerShell Operational logs: Microsoft-Windows-PowerShell%4Operational.evtx
Parse Event ID 4104 entries using python-evtx to extract ScriptBlockText, ScriptBlockId, and MessageNumber/MessageTotal for multi-part script reconstruction.
Apply detection heuristics:
- Base64-encoded commands (-EncodedCommand, FromBase64String)
- Download cradles (DownloadString, DownloadFile, Invoke-WebRequest, Net.WebClient)
- AMSI bypass patterns (AmsiUtils, amsiInitFailed)
- Obfuscation indicators (high entropy, tick-mark insertion, string concatenation)
Generate a report with reconstructed scripts, risk scores, and MITRE ATT&CK mappings.

python scripts/agent.py --evtx-file /path/to/PowerShell-Operational.evtx --output ps_analysis.json

Examples

Detect Encoded Command Execution

import base64
if "-encodedcommand" in script_text.lower():
    encoded = script_text.split()[-1]
    decoded = base64.b64decode(encoded).decode("utf-16-le")

Reconstruct Multi-Block Script

Scripts split across multiple 4104 events share a ScriptBlockId. Concatenate blocks ordered by MessageNumber to recover the full script.

analyzing-powershell-script-block-logging

Analyzing PowerShell Script Block Logging

When to Use

Prerequisites

Instructions

Examples

Detect Encoded Command Execution

Reconstruct Multi-Block Script

このリポジトリの他の Skills

Analyzing PowerShell Script Block Logging

When to Use

Prerequisites

Instructions

Examples

Detect Encoded Command Execution

Reconstruct Multi-Block Script

このリポジトリの他の Skills