Skip to content

Sh1n0g1/z9

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
detection
 
 
img
 
 
preprocess
 
 
util
 
 
.gitignore
 
 
LICENSE
 
 
README-ja.md
 
 
README.md
 
 
api.md
 
 
requirements.txt
 
 
viewer.html
 
 
z9.py
 
 
z9 PowerShell Log Analyzer Abstract Install How to use Analyze Event Logs (Recommended) Analyze PowerShell File Statically How to prepare the XML file Enable PowerShell Logging Export Eventlog to XML How to Delete the Existing Eventlog Authors

README.md

z9 PowerShell Log Analyzer

Japanese

Z9 Logo

Abstract

This tools detects the artifact of the PowerShell based malware from the eventlog of PowerShell logging.
Online Demo

Install

git clone https://github.com/Sh1n0g1/z9
cd z9
pip install -r requirements.txt

How to use

usage: z9.py [-h] [--output OUTPUT] [-s] [--no-viewer] [--utf8] input

positional arguments:
  input                 Input file path

options:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        Output file path
  -s, --static          Enable Static Analysis mode
  --no-viewer           Disable opening the JSON viewer in a web browser
  --utf8                Read scriptfile in utf-8 (deprecated)

Analyze Event Logs (Recommended)

python z9.py <input file> -o <output json>
python z9.py <input file> -o <output json> --no-viewer
Arguments Meaning
input file XML file exported from eventlog
-o output json filename of z9 result
--no-viewer do not open the viewer

Example)

python z9.py util\log\mwpsop.xml -o sample1.json

Analyze PowerShell File Statically

  • This approach will only do the static analysis and may not provide a proper result especially when the sample is obfuscated.
python z9.py <input file> -o <output json> -s
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
Arguments Meaning
input file PowerShell file to be analyzed
-o output json filename of z9 result
-s perform static analysis
--utf8 specify when the input file is in UTF-8
--no-viewer do not open the viewer

Example)

python z9.py malware.ps1 -o sample1.json -s

How to prepare the XML file

Enable PowerShell Logging

  1. Right-click and merge this registry file:util/enable_powershell_logging.reg .
  2. Reboot the PC
  3. All powershell execution will be logged in eventlog

Export Eventlog to XML

  1. Execute this batch file:util/collect_psevent.bat .
  2. The XML files will be created under util/log directory.
  3. Both XML file can be parsed by this tool.

How to Delete the Existing Eventlog

Authors

hanataro-miz
si-tm
take32457
Bigdrea6
azaberrypi
Sh1n0g1

About

PowerShell Script Analyzer

Resources

Readme

License

MIT license
Activity

Stars

57 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6

Languages