الاثنين، 7 مارس 2016

Block-Parser For Parsing Windows PowerShell Script Block Logging Events

Script Codding


Matthewdunwoody/Block-parser: For Parsing Windows PowerShell Script Block Logging Events


Definition:

A tool for parsing Windows PowerShell script block logging events. All the PowerShell code are invoked by Script block logging records. It also provides valuable forensic and auditing data. If the scripts are large then it will give hundreds of event log entries. The script block logging events that have been parsed by the script to the output are easily readable and executable code. 


Technique which is used:

Step 1: Firstly, the PowerShell scripting engine executed all the script block logging records code.

Step 2: Each and Every executed block are recorded in an event log entry having unique script block ID.

Step 3: The script block split into multiple event logs if the size of script block exceeds the maximum size of an event log message.

Step 4: Based on the script block IDs, full contents of script blocks are parses and outputs.

Step 5: Whatever are the script block logging events all are recorded in Event ID(EID) 4104 within the Microsoft-Windows-PowerShell%4Operational.evtx event log.


Example of usage:

Parse all multi-part script blocks from a log to separate files:
python block-parser.py -o C:\path C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse ALL script blocks to a single output file:
python block-parser.py -a -f C:\path\file.txt C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse metadata for ALL script blocks:
python block-parser.py -a -m C:\path\metadata.csv C:\data\Microsoft-Windows-PowerShell%4Operational.evtx

Parse a specified script block with metadata:
python block-parser.py -o C:\path -s 00000000-0000-0000-0000-000000000000 -m C:\path\metadata.csv C:\data\Microsoft-Windows-PowerShell%4Operational.evtx


Each command supports:

--output or --file, --scriptid or --all, --metadata


Limitations of this tool:

Some entries for a multi-part script block may be lost if the PowerShell operational log rolls. If it occurs then "-partial" will be appended to the file name or script block ID in output files, and the "First Message Number" in the metadata for the corresponding script block ID will be greater than one.

ليست هناك تعليقات:

إرسال تعليق