
Implement Powershell Log parsing

Open YahavArm opened this issue 6 months ago • 5 comments

Implement PowerShell logging parsing to extract possible indicators of malicious behavior. Resolves #1200 #593

YahavArm avatar Jun 24 '25 16:06 YahavArm

There are also other events which can indicate malicious activity, such as 4100 and event 400 in the Windows PowerShell log.

YahavArm avatar Jun 24 '25 16:06 YahavArm

This MR was changed to draft as I need to implement tests, and I'm currently having trouble creating test data.

YahavArm avatar Jun 25 '25 18:06 YahavArm

Maybe it'd be nice to convert the existing powershell_history plugin to a powershell namespace plugin, move powershell_history to powershell.history and move this code to powershell.scriptblocks?

We do a similar thing with defender.evtx.

This is essentially a project-wide style choice; I am not aware how much complexity it will add to this plugin and to powershell history.

YahavArm avatar Jun 26 '25 20:06 YahavArm

> This is essentially a project-wide style choice; I am not aware how much complexity it will add to this plugin and to powershell history.

Not much complexity I think, just better to consolidate that. This plugin isn't that much code either so it fits well together.

Schamper avatar Jun 26 '25 21:06 Schamper

I combined the PowerShell plugins into the powershell namespace plugin and rewrote the event iteration to prevent the entire event log from being held in memory. Tests still need to be written.

YahavArm avatar Jun 27 '25 21:06 YahavArm
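The two technical points raised in this thread (collecting 4104 script blocks together with 4100 and 400 events, and iterating events as a stream so the whole log is never held in memory) are illustrated below in an added example. This is not dissect.target code and does not use its plugin API; the input is a constructed list of dicts standing in for parsed EVTX records, and the field names (`EventID`, `ScriptBlockId`, `MessageNumber`, `MessageTotal`, `ScriptBlockText`, `Message`, `ts`) are assumptions for the example. It also goes one step beyond the thread by reassembling 4104 script blocks that Windows splits into numbered fragments, which is the main reason a streaming parser needs a small per-block buffer.

```python
"""Streaming parser for PowerShell logging events (added example, not dissect.target code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Event IDs discussed in the thread.
SCRIPT_BLOCK = 4104     # Microsoft-Windows-PowerShell/Operational: script block logging
PIPELINE_ERROR = 4100   # Microsoft-Windows-PowerShell/Operational: pipeline execution error
ENGINE_START = 400      # Windows PowerShell: engine state changed to Available


@dataclass
class PowerShellRecord:
    ts: str
    event_id: int
    script_block_id: Optional[str]
    text: str
    complete: bool = True   # False when a fragmented script block never fully arrived


def iter_powershell_events(records: Iterable[dict]) -> Iterator[PowerShellRecord]:
    """Yield one record per event of interest without materializing the whole log.

    Large 4104 script blocks are logged as numbered fragments sharing a
    ScriptBlockId (MessageNumber 1..MessageTotal). Fragments are buffered per
    ScriptBlockId and yielded once all have arrived, so memory is bounded by the
    in-flight script blocks rather than by the size of the event log.
    """
    fragments: dict[str, dict[int, str]] = defaultdict(dict)
    totals: dict[str, int] = {}
    last_ts: dict[str, str] = {}

    for rec in records:
        eid = rec.get("EventID")
        if eid == SCRIPT_BLOCK:
            sbid = rec["ScriptBlockId"]
            num = int(rec.get("MessageNumber", 1))
            total = int(rec.get("MessageTotal", 1))
            fragments[sbid][num] = rec.get("ScriptBlockText", "")
            totals[sbid] = total
            last_ts[sbid] = rec["ts"]
            if len(fragments[sbid]) == total:
                # All fragments present (arrival order does not matter): join in sequence.
                text = "".join(fragments[sbid][i] for i in range(1, total + 1))
                del fragments[sbid], totals[sbid], last_ts[sbid]
                yield PowerShellRecord(rec["ts"], eid, sbid, text)
        elif eid in (PIPELINE_ERROR, ENGINE_START):
            yield PowerShellRecord(rec["ts"], eid, None, rec.get("Message", ""))
        # Other event IDs are skipped; nothing about them is retained.

    # Flush script blocks whose fragments never all arrived (e.g. truncated log),
    # keeping the gaps empty so the analyst still sees what was captured.
    for sbid, parts in fragments.items():
        text = "".join(parts.get(i, "") for i in range(1, totals[sbid] + 1))
        yield PowerShellRecord(last_ts[sbid], SCRIPT_BLOCK, sbid, text, complete=False)


# Constructed sample records (not real log data) covering the cases above:
# an engine start, a two-fragment script block interleaved with a single-fragment
# one, a pipeline error, an unrelated event, and an orphaned fragment.
SAMPLE_RECORDS = [
    {"ts": "2025-06-24T16:00:00Z", "EventID": 400,
     "Message": "Engine state is changed from None to Available."},
    {"ts": "2025-06-24T16:00:01Z", "EventID": 4104, "ScriptBlockId": "sb-aaaa",
     "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": "Write-Host 'part one'; "},
    {"ts": "2025-06-24T16:00:01Z", "EventID": 4104, "ScriptBlockId": "sb-bbbb",
     "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Get-Process"},
    {"ts": "2025-06-24T16:00:02Z", "EventID": 4104, "ScriptBlockId": "sb-aaaa",
     "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": "Write-Host 'part two'"},
    {"ts": "2025-06-24T16:00:03Z", "EventID": 4100,
     "Message": "Error Message = The term 'foo' is not recognized"},
    {"ts": "2025-06-24T16:00:04Z", "EventID": 4103,
     "Message": "Module logging event, not collected here"},
    {"ts": "2025-06-24T16:00:05Z", "EventID": 4104, "ScriptBlockId": "sb-cccc",
     "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": "Invoke-Expression $x"},
]


def parse_sample() -> list[PowerShellRecord]:
    """Run the streaming parser over the constructed sample and collect the output."""
    return list(iter_powershell_events(SAMPLE_RECORDS))


if __name__ == "__main__":
    for r in parse_sample():
        print(r.ts, r.event_id, r.script_block_id, "complete" if r.complete else "PARTIAL", repr(r.text))
```

Because `iter_powershell_events` is a generator, a caller can pass it a lazy iterator over a multi-gigabyte EVTX file and consume records one at a time; only fragments of script blocks still waiting for their siblings are kept in memory, and those are released as soon as the block is emitted.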