The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
Windows creates event logs when PS scripts are executed. Due to the size limit of one event entry, Windows splits the content over multiple 4104 events. Scripts are now manually reassembled by copy-pasting. All the events for one script have the same "ScriptBlockId".
The purpose of this plugin should be to be able to easily extract executed PS scripts from the event logs based on the ScriptBlockId.
EventID=4104 Provider_Name="Microsoft-Windows-PowerShell"
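An added example of the reassembly the issue describes (not part of the issue and not dissect.target's own code): it filters for 4104 events from the PowerShell provider, groups them by ScriptBlockId, orders the fragments by MessageNumber and reports any block whose MessageTotal fragments were not all recovered, so an analyst can tell a complete script from a partial one. The field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText, Path) are the EventData fields of Microsoft-Windows-PowerShell/Operational event 4104; the flat-dict record shape and the sample events are constructed for this example and are not the dissect record type.

```python
"""Reassemble PowerShell script blocks from Event ID 4104 records.

Added example, not dissect.target code. Records are plain dicts that
mimic the EventData of 4104 events (an assumption about record shape);
SAMPLE_EVENTS below is constructed data, not a real event log.
"""
from dataclasses import dataclass, field


@dataclass
class ScriptBlock:
    script_block_id: str
    path: str
    total: int                                   # MessageTotal from the events
    fragments: dict = field(default_factory=dict)  # MessageNumber -> ScriptBlockText

    @property
    def missing(self) -> list:
        """MessageNumbers (1..MessageTotal) for which no event was seen."""
        return [n for n in range(1, self.total + 1) if n not in self.fragments]

    @property
    def complete(self) -> bool:
        return not self.missing

    @property
    def text(self) -> str:
        # Windows splits the script text without inserting separators,
        # so fragments are concatenated in MessageNumber order with no joiner.
        return "".join(self.fragments[n] for n in sorted(self.fragments))


def reassemble(events) -> dict:
    """Group 4104 PowerShell events by ScriptBlockId and stitch their fragments."""
    blocks = {}
    for ev in events:
        if ev.get("EventID") != 4104 or ev.get("Provider_Name") != "Microsoft-Windows-PowerShell":
            continue  # other providers / event IDs carry no script block text
        sbid = ev["ScriptBlockId"]
        blk = blocks.get(sbid)
        if blk is None:
            blk = ScriptBlock(sbid, ev.get("Path", ""), int(ev["MessageTotal"]))
            blocks[sbid] = blk
        num = int(ev["MessageNumber"])
        text = ev["ScriptBlockText"]
        # A fragment logged twice is harmless; conflicting text for the same
        # MessageNumber means two different blocks share an id, which is an error.
        if num in blk.fragments and blk.fragments[num] != text:
            raise ValueError(f"conflicting fragment {num} for ScriptBlockId {sbid}")
        blk.fragments[num] = text
    return blocks


# Constructed sample: one 3-part script logged out of order (with one fragment
# repeated), one 2-part script missing its second fragment, one non-4104 event.
_A, _B = "SB-CONSTRUCTED-0001", "SB-CONSTRUCTED-0002"
_PS = "Microsoft-Windows-PowerShell"
SAMPLE_EVENTS = [
    {"EventID": 4104, "Provider_Name": _PS, "ScriptBlockId": _A, "MessageNumber": 2,
     "MessageTotal": 3, "Path": "C:\\Temp\\collect.ps1",
     "ScriptBlockText": "  Get-ChildItem $env:TEMP\n"},
    {"EventID": 4104, "Provider_Name": _PS, "ScriptBlockId": _A, "MessageNumber": 3,
     "MessageTotal": 3, "Path": "C:\\Temp\\collect.ps1", "ScriptBlockText": "}\n"},
    {"EventID": 4103, "Provider_Name": _PS, "Payload": "pipeline event, ignored"},
    {"EventID": 4104, "Provider_Name": _PS, "ScriptBlockId": _A, "MessageNumber": 1,
     "MessageTotal": 3, "Path": "C:\\Temp\\collect.ps1",
     "ScriptBlockText": "function Get-Data {\n"},
    {"EventID": 4104, "Provider_Name": _PS, "ScriptBlockId": _B, "MessageNumber": 1,
     "MessageTotal": 2, "Path": "", "ScriptBlockText": "Write-Host 'part one'"},
    {"EventID": 4104, "Provider_Name": _PS, "ScriptBlockId": _A, "MessageNumber": 3,
     "MessageTotal": 3, "Path": "C:\\Temp\\collect.ps1", "ScriptBlockText": "}\n"},
]


if __name__ == "__main__":
    for sbid, blk in reassemble(SAMPLE_EVENTS).items():
        status = "complete" if blk.complete else f"INCOMPLETE, missing {blk.missing}"
        print(f"== {sbid} path={blk.path!r} ({status})")
        print(blk.text)
```

Keying on ScriptBlockId alone is enough for grouping, but checking every MessageNumber from 1 to MessageTotal is what tells you whether the recovered script is trustworthy; a rolled-over log commonly leaves only the tail of a long block, which this reports rather than silently concatenating.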