Z9 – PowerShell Script Analyzer
Abstract
This tool detects artifacts of PowerShell-based malware in the event log records produced by PowerShell logging.
Online Demo
Install
git clone https://github.com/Sh1n0g1/z9
How to use
usage: z9.py [-h] [--output OUTPUT] [-s] [--no-viewer] [--utf8] input

positional arguments:
  input                 Input file path

options:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        Output file path
  -s, --static          Enable Static Analysis mode
  --no-viewer           Disable opening the JSON viewer in a web browser
  --utf8                Read scriptfile in utf-8 (deprecated)
Analyze Event Logs (Recommended)
python z9.py <input file> -o <output json>
python z9.py <input file> -o <output json> --no-viewer
| Arguments | Meaning |
|---|---|
| input file | XML file exported from the event log |
| -o output json | filename of the z9 result |
| --no-viewer | do not open the viewer |
Example)
python z9.py util\log\mwpsop.xml -o sample1.json
Analyze PowerShell File Statically
- This approach performs static analysis only and may not give a proper result, especially when the sample is obfuscated.
python z9.py <input file> -o <output json> -s
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
| Arguments | Meaning |
|---|---|
| input file | PowerShell file to be analyzed |
| -o output json | filename of the z9 result |
| -s | perform static analysis |
| --utf8 | specify when the input file is in UTF-8 |
| --no-viewer | do not open the viewer |
Example)
python z9.py malware.ps1 -o sample1.json -s
How to prepare the XML file
Enable PowerShell Logging
- Right-click and merge this registry file: util/enable_powershell_logging.reg
- Reboot the PC
- All PowerShell execution will then be logged in the event log
Export Eventlog to XML
- Execute this batch file: util/collect_psevent.bat
- The XML files will be created under the util/log directory
- Both XML files can be parsed by this tool
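The two helper files above are not shown on this page, so here is an added PowerShell example (not the project's own code) of the same preparation steps done by hand: turning on the standard Windows script block and module logging policy keys, verifying them, and exporting the Microsoft-Windows-PowerShell/Operational log to an XML file with wevtutil. Whether the project's .reg file sets exactly these keys, and the exact XML layout z9 expects (Event Viewer "Save As XML" versus wevtutil output), are assumptions; the output path is a constructed example.

```powershell
# Added example, not part of the z9 project.
# Assumptions: the project's util/enable_powershell_logging.reg and
# util/collect_psevent.bat are not shown on the page; the keys below are the
# standard Windows policy keys for PowerShell logging, and the export format
# is what wevtutil produces, which z9 may or may not accept unchanged.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: records every executed script block as event ID 4104
#    in Microsoft-Windows-PowerShell/Operational, including de-obfuscated code.
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Module logging for all modules: records pipeline execution details (event ID 4103).
$ml = Join-Path $policyRoot 'ModuleLogging'
New-Item -Path $ml -Force | Out-Null
New-ItemProperty -Path $ml -Name 'EnableModuleLogging' -PropertyType DWord -Value 1 -Force | Out-Null
$mn = Join-Path $ml 'ModuleNames'
New-Item -Path $mn -Force | Out-Null
New-ItemProperty -Path $mn -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# 3. Verify the policy values are in place before relying on the log.
$check = [ordered]@{
    ScriptBlockLogging = (Get-ItemProperty -Path $sbl).EnableScriptBlockLogging
    ModuleLogging      = (Get-ItemProperty -Path $ml).EnableModuleLogging
}
$check | Format-Table -AutoSize
# The project's instructions say to reboot at this point; new PowerShell
# sessions started after the change will be logged.

# 4. Export the operational log to XML for the analyzer.
$logName = 'Microsoft-Windows-PowerShell/Operational'
$outDir  = Join-Path (Get-Location) 'log'   # constructed example path
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$outFile = Join-Path $outDir 'psop.xml'

# wevtutil qe emits one <Event> element per record with no document root;
# wrap them so the file is a single well-formed XML document.
$events = & wevtutil.exe qe $logName /f:xml
@('<Events>') + $events + @('</Events>') | Set-Content -Path $outFile -Encoding UTF8
"Exported $logName to $outFile"
```

Run the script from an elevated PowerShell prompt; if the analyzer rejects the wrapped wevtutil output, export the same log from Event Viewer with "Save All Events As..." in XML format instead and pass that file to z9.py.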
How to Delete the Existing Eventlog
- Execute this batch file with "Run as Admin": util/collect_psevent.bat
Authors
hanataro-miz
si-tm
take32457
Bigdrea6
azaberrypi
Sh1n0g1