powershell▌

Critical patterns and pitfalls for Windows PowerShell.

Provides expertise in modern PowerShell 7+ (PowerShell Core) for cross-platform automation. Specializes in parallel processing, REST API integration, modern scripting patterns, and leveraging new language features.

Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.

Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.

Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.

Essential syntax rules and pitfalls for Windows PowerShell scripting. \n \n Parentheses required around all cmdlet calls when using logical operators ( -or , -and ); missing them causes parsing errors \n Unicode and emoji characters prohibited in scripts; use ASCII-only alternatives like [OK] , [!] , [WARN] for status indicators \n Null checks mandatory before property access; always validate objects exist before calling methods or accessing properties \n JSON operations require explicit -Depth