drop powershell 4104 csv or script content · detect amsi bypass patterns · deobfuscation · post-bypass correlation · export csv · runs locally
drop evtx csv or history txt
4104 script blocks · PSReadLine history · 4688 powershell command lines
drop powershell 4104 csv · psreadline history · sysmon/4688 csv