
Practical Process Analysis - Automating Process Log Analysis with PowerShell

Practical Process Analysis - Automating Process Log Analysis with PowerShell (PDF, 3.52MB)

Published: 29 Dec, 2020
Created by: Matthew Moore

Windows event log analysis is an important and often time-consuming part of endpoint forensics. Deep diving into user logins, process activity, and PowerShell/WMI usage can take significant time, even with current tools. Additionally, while utilities exist to automatically parse various Windows logs, most of them offer no native analytical functionality beyond manually filtering on certain strings or event IDs. Windows' native scripting solution, PowerShell, combined with Microsoft's Log Parser utility, was used to build several scripts focused on process creation and analysis. These scripts can detect processes spawning from unusual locations, processes that fall outside a baseline 'Allow List', and processes that appear normal at first glance but are actually anomalous. They complement existing tools such as KAPE and Kansa by automating analysis of the data those tools gather.
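As an added illustration of the kind of check the abstract describes (this is example code written for this page, not the paper's own scripts), the function below takes process-creation records shaped like Security event 4688 (NewProcessName, ParentProcessName) and flags those that are missing from a baseline allow list, launch from user-writable directories, or carry a well-known system binary name outside its expected path. The allow list, path patterns and sample records are constructed assumptions, not data from the paper.

```powershell
# Baseline allow list (assumed; a real one is built from a known-good host).
$AllowList = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\explorer.exe',
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
)

# Directories from which legitimate services rarely launch (assumed baseline).
$SuspiciousPathPatterns = @(
    '\\Users\\[^\\]+\\AppData\\',
    '\\Temp\\',
    '\\ProgramData\\',
    '\\Users\\Public\\'
)

function Find-AnomalousProcess {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reasons = @()
        $path = $e.NewProcessName
        $name = [System.IO.Path]::GetFileName($path)

        if ($AllowList -notcontains $path) { $reasons += 'not in allow list' }
        foreach ($pattern in $SuspiciousPathPatterns) {
            if ($path -match $pattern) { $reasons += "launched from $pattern"; break }
        }
        # A core system binary name running from anywhere but its allow-listed path.
        if (($name -in @('svchost.exe','lsass.exe','csrss.exe')) -and ($AllowList -notcontains $path)) {
            $reasons += 'system binary name outside expected location'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Process = $path
                Parent  = $e.ParentProcessName
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real log data). On a live host, build them from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} instead.
$sample = @(
    [pscustomobject]@{ TimeCreated='2020-12-29T10:00:00'; NewProcessName='C:\Windows\System32\svchost.exe'; ParentProcessName='C:\Windows\System32\services.exe' },
    [pscustomobject]@{ TimeCreated='2020-12-29T10:01:00'; NewProcessName='C:\Users\alice\AppData\Local\Temp\svchost.exe'; ParentProcessName='C:\Windows\explorer.exe' },
    [pscustomobject]@{ TimeCreated='2020-12-29T10:02:00'; NewProcessName='C:\ProgramData\update.exe'; ParentProcessName='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
)
Find-AnomalousProcess -Events $sample | Format-Table -AutoSize
```

The first record is allow-listed and silent; the second and third are reported with the reasons that triggered them, which is the kind of triage output that can then be cross-checked against the parent process column.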