This tools detects the artifact of the PowerShell based malware from the eventlog of PowerShell logging.
Online Demo
git clone https://github.com/Sh1n0g1/z9
cd z9
pip install -r requirements.txt
usage: z9.py [-h] [--output OUTPUT] [-s] [--no-viewer] [--utf8] input
positional arguments:
input Input file path
options:
-h, --help show this help message and exit
--output OUTPUT, -o OUTPUT
Output file path
-s, --static Enable Static Analysis mode
--no-viewer Disable opening the JSON viewer in a web browser
--utf8 Read scriptfile in utf-8 (deprecated)
python z9.py <input file> -o <output json>
python z9.py <input file> -o <output json> --no-viewer
| Arguments | Meaning |
|---|---|
input file |
XML file exported from eventlog |
-o output json |
filename of z9 result |
--no-viewer |
do not open the viewer |
Example)
python z9.py util\log\mwpsop.xml -o sample1.json
- This approach will only do the static analysis and may not provide a proper result especially when the sample is obfuscated.
python z9.py <input file> -o <output json> -s
python z9.py <input file> -o <output json> -s --utf8
python z9.py <input file> -o <output json> -s --no-viewer
| Arguments | Meaning |
|---|---|
input file |
PowerShell file to be analyzed |
-o output json |
filename of z9 result |
-s |
perform static analysis |
--utf8 |
specify when the input file is in UTF-8 |
--no-viewer |
do not open the viewer |
Example)
python z9.py malware.ps1 -o sample1.json -s
- Right-click and merge this registry file:
util/enable_powershell_logging.reg. - Reboot the PC
- All powershell execution will be logged in eventlog
- Execute this batch file:
util/collect_psevent.bat. - The XML files will be created under
util/logdirectory. - Both XML file can be parsed by this tool.
- Execute this batch file:
util/collect_psevent.batwith "Run as Admin"