Extracting PowerShell Scriptblock data Easily via block-parser
Microsoft-Windows-PowerShell%4Operational.evtx can be used to uncover malicious script usage during DFIR investigations. The Scriptblock text located within EID 4104 (Execute a Remote Command) often contains code that helps you piece together the threat actor's actions. The full Scriptblock for a malicious payload is often distributed over multiple events. I have come across incidents where the malicious payload was reconstructed from Scriptblock data. However, doing this in Event Viewer is very cumbersome.
A better way to approach this is to use Matthew Dunwoody's block-parser: https://github.com/matthewdunwoody/block-parser
block-parser was written for Python 2.
Example usage:
python2 block-parser.py -a -f output PSTests.evtx
This will dump all Scriptblocks it can find in the EVTX file to a file named output.
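To show what the reassembly step actually involves, here is an added example that is not block-parser's code and not from the original post. It works on EID 4104 records in the XML form Event Viewer displays (an .evtx can be exported to XML, or the records can be pulled out with an EVTX library; that step is left out so the example runs offline). A fragmented Scriptblock is identified by the ScriptBlockId field, and each fragment carries MessageNumber and MessageTotal, so the reconstruction is: group by ScriptBlockId, sort by MessageNumber, concatenate, and flag any block with missing parts. The sample events, their ScriptBlockId values and their script text are constructed for this example.

```python
"""Reassemble fragmented PowerShell Scriptblock text (EID 4104) from event XML.

Added example for illustration; not block-parser's code. The records below are
constructed and use placeholder ScriptBlockId values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Every element in Windows event XML carries this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed ScriptBlockId placeholders (real ones are random GUIDs).
BLOCK_A = "11111111-1111-1111-1111-111111111111"  # split over two events, logged out of order
BLOCK_B = "22222222-2222-2222-2222-222222222222"  # fits in one event
BLOCK_C = "33333333-3333-3333-3333-333333333333"  # part 2 never logged


def _event(eid, data):
    """Build one constructed event record in Event Viewer's XML layout."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>%d</EventID></System>'
        "<EventData>%s</EventData></Event>" % (eid, fields)
    )


# Constructed sample log: note block A's second fragment appears before its first,
# and a 4103 record is mixed in to show that non-4104 events are skipped.
SAMPLE_EVENTS = [
    _event(4104, {"MessageNumber": "2", "MessageTotal": "2",
                  "ScriptBlockText": "Select-Object Name, Id",
                  "ScriptBlockId": BLOCK_A, "Path": "C:\\Temp\\a.ps1"}),
    _event(4103, {"ContextInfo": "Severity = Informational", "Payload": "CommandInvocation"}),
    _event(4104, {"MessageNumber": "1", "MessageTotal": "1",
                  "ScriptBlockText": "Get-Date",
                  "ScriptBlockId": BLOCK_B, "Path": ""}),
    _event(4104, {"MessageNumber": "1", "MessageTotal": "2",
                  "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 } | ",
                  "ScriptBlockId": BLOCK_A, "Path": "C:\\Temp\\a.ps1"}),
    _event(4104, {"MessageNumber": "1", "MessageTotal": "2",
                  "ScriptBlockText": "Write-Host 'only the first half was logged'",
                  "ScriptBlockId": BLOCK_C, "Path": ""}),
]


def parse_4104(xml_text):
    """Return the EventData fields of one EID 4104 record, or None for any other EID."""
    root = ET.fromstring(xml_text)
    eid = root.find("e:System/e:EventID", NS)
    if eid is None or eid.text != "4104":
        return None
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": fields["ScriptBlockId"],
        "num": int(fields["MessageNumber"]),
        "total": int(fields["MessageTotal"]),
        "text": fields["ScriptBlockText"],
        "path": fields.get("Path", ""),
    }


def reassemble(xml_records):
    """Group 4104 fragments by ScriptBlockId and stitch them back in MessageNumber order.

    Returns {ScriptBlockId: {"text": str, "complete": bool, "path": str}}; "complete"
    is False when any MessageNumber in 1..MessageTotal is absent from the log.
    """
    fragments = defaultdict(dict)   # ScriptBlockId -> {MessageNumber: text}
    meta = {}                       # ScriptBlockId -> (MessageTotal, Path)
    for record in xml_records:
        ev = parse_4104(record)
        if ev is None:
            continue
        fragments[ev["id"]][ev["num"]] = ev["text"]
        meta[ev["id"]] = (ev["total"], ev["path"])

    blocks = {}
    for sbid, parts in fragments.items():
        total, path = meta[sbid]
        complete = all(n in parts for n in range(1, total + 1))
        text = "".join(parts[n] for n in sorted(parts))
        blocks[sbid] = {"text": text, "complete": complete, "path": path}
    return blocks


if __name__ == "__main__":
    for sbid, block in reassemble(SAMPLE_EVENTS).items():
        status = "complete" if block["complete"] else "INCOMPLETE"
        print("%s [%s] %s\n%s\n" % (sbid, status, block["path"], block["text"]))
```

The incomplete flag matters in practice: the Operational log is a circular buffer and the oldest fragments may already have been overwritten, so an analyst should know when a reconstructed script is only partial rather than treat it as the whole payload.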