Monday, 7 March 2016

Block-Parser For Parsing Windows PowerShell Script Block Logging Events

Script Coding

Matthewdunwoody/Block-parser: For Parsing Windows PowerShell Script Block Logging Events


A tool for parsing Windows PowerShell script block logging events. Script block logging records all PowerShell code invoked by the scripting engine, which provides valuable forensic and auditing data. Large scripts can produce hundreds of event log entries. This script parses those entries and outputs the script blocks as readable, executable code.

How it works:

Step 1: The PowerShell scripting engine executes a script block, and script block logging records its code.

Step 2: Each executed block is recorded in an event log entry with a unique script block ID.

Step 3: If a script block exceeds the maximum size of an event log message, it is split across multiple event log entries.

Step 4: The tool groups entries by script block ID, reassembles the full contents of each script block, and writes them out.

Step 5: All script block logging events are recorded as Event ID (EID) 4104 in the Microsoft-Windows-PowerShell%4Operational.evtx event log.

Example usage:

Parse all multi-part script blocks from a log to separate files:
python -o C:\path C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse ALL script blocks to a single output file:
python -a -f C:\path\file.txt C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse metadata for ALL script blocks:
python -a -m C:\path\metadata.csv C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse a specified script block with metadata:
python -o C:\path -s 00000000-0000-0000-0000-000000000000 -m C:\path\metadata.csv C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Each command supports the following options:

--output or --file, --scriptid or --all, --metadata

Limitations of this tool:

Some entries for a multi-part script block may be lost if the PowerShell operational log rolls. When this occurs, "-partial" is appended to the file name or script block ID in the output files, and the "First Message Number" in the metadata for the corresponding script block ID will be greater than one.
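The reassembly described in the steps above and the "-partial" handling from this limitation, as an added example that is not the block-parser tool's own code. It assumes EID 4104 records have already been extracted from the .evtx into dictionaries carrying the 4104 EventData field names ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText; the sample records below are constructed.

```python
from collections import defaultdict

# Constructed sample records in the shape of EID 4104 EventData. In practice
# these come from Microsoft-Windows-PowerShell%4Operational.evtx. Block
# "aaaa-1" arrives out of order, "bbbb-2" fits in one message, and "cccc-3"
# lost its first part when the log rolled.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "aaaa-1", "MessageNumber": 2, "MessageTotal": 3, "ScriptBlockText": "Write-Host 'two'\n"},
    {"ScriptBlockId": "bbbb-2", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Get-Process"},
    {"ScriptBlockId": "aaaa-1", "MessageNumber": 1, "MessageTotal": 3, "ScriptBlockText": "Write-Host 'one'\n"},
    {"ScriptBlockId": "aaaa-1", "MessageNumber": 3, "MessageTotal": 3, "ScriptBlockText": "Write-Host 'three'"},
    {"ScriptBlockId": "cccc-3", "MessageNumber": 2, "MessageTotal": 3, "ScriptBlockText": "B"},
    {"ScriptBlockId": "cccc-3", "MessageNumber": 3, "MessageTotal": 3, "ScriptBlockText": "C"},
]


def reassemble(events):
    """Group 4104 parts by ScriptBlockId, order them by MessageNumber and join.

    Returns {script_block_id: {"text", "first", "total", "partial"}}, where
    "first" is the lowest message number seen (the metadata's
    "First Message Number") and "partial" is True when any part is missing.
    """
    parts = defaultdict(dict)
    totals = {}
    for ev in events:
        sid = ev["ScriptBlockId"]
        parts[sid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[sid] = ev["MessageTotal"]
    result = {}
    for sid, chunks in parts.items():
        numbers = sorted(chunks)
        complete = numbers == list(range(1, totals[sid] + 1))
        result[sid] = {
            "text": "".join(chunks[n] for n in numbers),
            "first": numbers[0],
            "total": totals[sid],
            "partial": not complete,
        }
    return result


def output_name(sid, info):
    """Name the output file after the script block ID, tagging incomplete blocks."""
    return sid + ("-partial" if info["partial"] else "")


if __name__ == "__main__":
    for sid, info in reassemble(SAMPLE_EVENTS).items():
        print(output_name(sid, info), "first message:", info["first"])
```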

