<feed xmlns="http://www.w3.org/2005/Atom"><title>powershellmanager</title><id>https://evotec.xyz/de/tags/powershellmanager/index.atom.xml</id><updated>2020-08-28T15:39:28.0000000Z</updated><subtitle>Evotec Main Website</subtitle><link href="https://evotec.xyz/de/tags/powershellmanager" /><link href="https://evotec.xyz/de/tags/powershellmanager/index.atom.xml" rel="self" type="application/atom+xml" /><entry><title>Restoring (Recovering) PowerShell Scripts from Event Logs</title><id>https://evotec.xyz/de/blog/restoring-recovering-powershell-scripts-from-event-logs</id><link href="https://evotec.xyz/de/blog/restoring-recovering-powershell-scripts-from-event-logs" /><updated>2020-08-28T15:39:28.0000000Z</updated><summary>A few days ago, I was asked to take a look at PowerShell Malware. While I don’t know much about malware, my curiosity didn’t let me skip on this occasion, and I was handed over a WindowsPowerShell.evtx file. Ok, that’s not what I expected! I wanted PowerShell .ps1 files that I can read and assess? Well, you play with the cards you were dealt. What I was handed over was a PowerShell Event Log. PowerShell writes whatever you execute that it thinks is risky to the Windows PowerShell Operation Event Log.</summary><category term="event log" /><category term="get-events" /><category term="powershell" /><category term="powershellmanager" /><category term="pseventviewer" /><category term="Windows" /></entry></feed>