
Create ScriptBlockLogging plugin

DissectBot opened this issue 1 year ago • 0 comments

EventID=4104 Provider_Name="Microsoft-Windows-PowerShell"

Windows creates event log entries when PowerShell scripts are executed. Due to the size limit of a single event entry, Windows splits the content over multiple 4104 events. Scripts are currently reassembled manually by copy-pasting. All the events belonging to one script share the same "ScriptBlockId".

The purpose of this plugin should be to easily extract executed PowerShell scripts from the event logs by reassembling the events with the same ScriptBlockId.

DissectBot, Mar 18 '24 14:03
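The reassembly the issue describes, as an added example that is not part of the issue or of dissect.target: chunks of one ScriptBlockId are ordered by the MessageNumber/MessageTotal fields that Windows writes into the EventData of each 4104 record, and gaps are reported rather than silently joined. The event records and the `reassemble` helper are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ScriptBlockEvent:
    """Fields taken from the EventData of one 4104 record (constructed sample)."""
    script_block_id: str   # ScriptBlockId, shared by every chunk of one script
    message_number: int    # MessageNumber, 1-based position of this chunk
    message_total: int     # MessageTotal, number of chunks for the whole script
    text: str              # ScriptBlockText, this chunk of the script body


@dataclass
class ReassembledScript:
    script_block_id: str
    text: str
    missing: list[int] = field(default_factory=list)  # chunk numbers not seen in the log

    @property
    def complete(self) -> bool:
        return not self.missing


def reassemble(events):
    """Group 4104 events by ScriptBlockId and join their chunks in MessageNumber order."""
    chunks = defaultdict(dict)   # block id -> {message_number: text}
    totals = {}                  # block id -> MessageTotal
    for ev in events:
        # A duplicated event (e.g. a log forwarded twice) simply overwrites the same slot.
        chunks[ev.script_block_id][ev.message_number] = ev.text
        totals[ev.script_block_id] = max(totals.get(ev.script_block_id, 0), ev.message_total)
    scripts = {}
    for block_id, parts in chunks.items():
        missing = [n for n in range(1, totals[block_id] + 1) if n not in parts]
        # Chunks are joined without a separator: Windows cuts the text mid-stream.
        text = "".join(parts[n] for n in sorted(parts))
        scripts[block_id] = ReassembledScript(block_id, text, missing)
    return scripts


# Constructed events: script A arrives out of order and complete, script B is missing chunk 2.
SAMPLE_EVENTS = [
    ScriptBlockEvent("constructed-id-A", 3, 3, "Write-Host 'three'"),
    ScriptBlockEvent("constructed-id-A", 1, 3, "Write-Host 'one'; "),
    ScriptBlockEvent("constructed-id-A", 2, 3, "Write-Host 'two'; "),
    ScriptBlockEvent("constructed-id-B", 1, 3, "Get-Process | "),
    ScriptBlockEvent("constructed-id-B", 3, 3, "Select-Object Name"),
]

if __name__ == "__main__":
    for script in reassemble(SAMPLE_EVENTS).values():
        print(script.script_block_id, "complete" if script.complete else f"missing {script.missing}")
        print(script.text)
```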