Data Source: Powershell Script Block Logging 4104

Description

Logs detailed content of PowerShell script blocks as they are executed, including the full command text and context for the execution.

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sourcetype | XmlWinEventLog
Separator | EventID
Name | Technique | Type
Windows PowerShell Add Module to Global Assembly Cache | IIS Components | TTP
Windows PowerShell Invoke-Sqlcmd Execution | PowerShell, Windows Command Shell | Hunting
PowerShell 4104 Hunting | PowerShell | Hunting
Windows PowerShell WMI Win32 ScheduledJob | PowerShell | TTP
PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP
Windows Level RMM PowerShell Script Installer | Remote Access Tools | Anomaly
Detect Empire with PowerShell Script Block Logging | PowerShell | TTP
Powershell Load Module in Meterpreter | PowerShell | TTP
GetWmiObject Ds Group with PowerShell Script Block | Domain Groups | TTP
Windows PowerView Kerberos Service Ticket Request | Kerberoasting | TTP
Powershell Processing Stream Of Data | PowerShell | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly
Windows Domain Account Discovery Via Get-NetComputer | Domain Account | Anomaly
Powershell Using memory As Backing Store | PowerShell | TTP
Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP
Elevated Group Discovery with PowerView | Domain Groups | Hunting
Mailsniper Invoke functions | Local Email Collection | TTP
Windows Azure PowerShell Module Installation Via PowerShell Script | Cloud Services, Cloud Groups, Valid Accounts, Account Manipulation, Cloud Account | Anomaly
GetWmiObject DS User with PowerShell Script Block | Domain Account | TTP
Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell | AS-REP Roasting | TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView | AS-REP Roasting | TTP
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting
Windows PowerShell Export Certificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting
Windows PowerShell ScheduleTask | Scheduled Task, PowerShell | Anomaly
Windows Account Discovery With NetUser PreauthNotRequire | Account Discovery | Hunting
Windows PowerView SPN Discovery | Kerberoasting | TTP
Powershell Get LocalGroup Discovery with Script Block Logging | Local Groups | Hunting
Windows Account Discovery for Sam Account Name | Account Discovery | Anomaly
AdsiSearcher Account Discovery | Domain Account | TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | AS-REP Roasting | TTP
Windows Cobalt Strike PowerShell Loader | PowerShell, Stage Capabilities | TTP
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Web Protocols, Valid Accounts, Exploitation for Credential Access, Domain Trust Discovery | TTP
Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Get ADUser with PowerShell Script Block | Domain Account | Hunting
Windows LAPS Password Gathering Via PowerShell Script | OS Credential Dumping, Unsecured Credentials | Anomaly
Windows PowerView AD Access Control List Enumeration | Permission Groups Discovery, Domain Accounts | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Windows File Share Discovery With Powerview | Network Share Discovery | TTP
Windows Linked Policies In ADSI Discovery | Domain Account | Anomaly
Windows PowerSploit GPP Discovery | Group Policy Preferences | TTP
Get-ForestTrust with PowerShell Script Block | PowerShell, Domain Trust Discovery | TTP
Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager | TTP
Windows Exfiltration Over C2 Via Powershell UploadString | Exfiltration Over C2 Channel | TTP
Windows PowerShell Script Block With Malicious String | PowerShell | TTP
Windows Find Domain Organizational Units with GetDomainOU | Domain Account | TTP
Windows Find Interesting ACL with FindInterestingDomainAcl | Domain Account | TTP
Remote System Discovery with Adsisearcher | Remote System Discovery | TTP
Windows Powershell Import Applocker Policy | PowerShell, Disable or Modify Tools | TTP
Windows Powershell Cryptography Namespace | PowerShell | Anomaly
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
PowerShell WebRequest Using Memory Stream | Fileless Storage, PowerShell, Ingress Tool Transfer | TTP
Windows Get Local Admin with FindLocalAdminAccess | Domain Account | TTP
Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP
Domain Group Discovery with Adsisearcher | Domain Groups | TTP
User Discovery With Env Vars PowerShell Script Block | System Owner/User Discovery | Hunting
PowerShell Enable PowerShell Remoting | PowerShell | Anomaly
Windows Enable PowerShell Web Access | PowerShell | TTP
WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly
Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
GetDomainGroup with PowerShell Script Block | Domain Groups | TTP
Windows PowerShell Invoke-RestMethod IP Information Collection | System Network Configuration Discovery, PowerShell, System Information Discovery | Anomaly
Unloading AMSI via Reflection | PowerShell, Disable or Modify Tools | TTP
Get DomainUser with PowerShell Script Block | Domain Account | TTP
Detect Certify With PowerShell Script Block Logging | PowerShell, Steal or Forge Authentication Certificates | TTP
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP
GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Windows Gather Victim Host Information Camera | Hardware | Anomaly
GetAdGroup with PowerShell Script Block | Domain Groups | Hunting
GetDomainController with PowerShell Script Block | Remote System Discovery | TTP
PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows PowerShell IIS Components WebGlobalModule Usage | IIS Components | Anomaly
Interactive Session on Remote Endpoint with PowerShell | Windows Remote Management | TTP
Get WMIObject Group Discovery with Script Block Logging | Local Groups | Hunting
PowerShell Script Block With URL Chain | PowerShell, Ingress Tool Transfer | TTP
Windows Default Cobalt Strike PowerShell Beacon | PowerShell, Malicious File | TTP
Windows PowerShell Get CIMInstance Remote Computer | PowerShell | Anomaly
GetLocalUser with PowerShell Script Block | PowerShell, Local Account | Hunting
Powershell Remove Windows Defender Directory | Disable or Modify Tools | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
Windows Root Domain linked policies Discovery | Domain Account | Anomaly
Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol | TTP
Windows PowerShell Disable HTTP Logging | IIS Components, Disable or Modify Windows Event Log | TTP
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
Remote Process Instantiation via DCOM and PowerShell Script Block | Distributed Component Object Model | TTP
Exchange PowerShell Module Usage | PowerShell | TTP
PowerShell PInvoke Process Injection API Chain | Dynamic-link Library Injection, Thread Execution Hijacking, Asynchronous Procedure Call, Process Hollowing, Process Doppelgänging, PowerShell, Reflective Code Loading | TTP
PowerShell Environment Variable Execution | PowerShell | Anomaly
GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP
Powershell COM Hijacking InprocServer32 Modification | PowerShell, Component Object Model Hijacking | TTP
Windows ESX Admins Group Creation via PowerShell | Local Account, Domain Account | TTP
Windows Powershell Logoff User via Quser | PowerShell, Account Access Removal | Anomaly
Windows Powershell History File Deletion | Windows Command Shell, Clear Command History | Anomaly
Remote Process Instantiation via WinRM and PowerShell Script Block | Windows Remote Management | TTP
Windows Software Discovery Via PowerShell | Query Registry, PowerShell, Software Discovery | Anomaly
Windows Account Discovery for None Disable User Account | Local Account | Hunting
GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP
Remote Process Instantiation via WMI and PowerShell Script Block | Windows Management Instrumentation | TTP
Windows PowerShell MSIX Package Installation | PowerShell, Registry Run Keys / Startup Folder | TTP
PowerShell Start or Stop Service | PowerShell | Anomaly
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
Powershell Remote Services Add TrustedHost | Windows Remote Management | TTP
Windows Forest Discovery with GetForestDomain | Domain Account | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
GetWmiObject User Account with PowerShell Script Block | PowerShell, Local Account | Hunting
Powershell Creating Thread Mutex | Indicator Removal from Tools, PowerShell | TTP
PowerShell Domain Enumeration | PowerShell | TTP
Windows WinPEAS PowerShell Script Execution | System Service Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Information Discovery, Gather Victim Network Information, Software, Client Configurations, Group Policy Discovery | TTP
Windows PowerShell Script TabExpansion Direct Call | PowerShell, Shared Modules | Anomaly

Supported Apps

Event Fields

  • _time
  • ActivityID
  • Channel
  • Computer
  • EventCode
  • EventData_Xml
  • EventID
  • EventRecordID
  • Guid
  • Keywords
  • Level
  • MessageNumber
  • MessageTotal
  • Name
  • Opcode
  • Path
  • ProcessID
  • RecordNumber
  • ScriptBlockId
  • ScriptBlockText
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • UserID
  • Version
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • punct
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4104</EventID><Version>1</Version><Level>5</Level><Task>2</Task><Opcode>15</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2022-05-02T12:39:41.710158900Z'/><EventRecordID>112748</EventRecordID><Correlation ActivityID='{547232D9-5B2B-0007-6CA6-72542B5BD801}'/><Execution ProcessID='5336' ThreadID='2228'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>win-dc-mhaag-attack-range-270.attackrange.local</Computer><Security UserID='S-1-5-21-2059343465-2300599999-2417073716-500'/></System><EventData><Data Name='MessageNumber'>1</Data><Data Name='MessageTotal'>1</Data><Data Name='ScriptBlockText'>function New-Mutex($MutexName) {
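As an added example (not part of this page or of the Splunk content it lists), a parser for the event format shown above that pulls out the fields a detection needs and reassembles script blocks that PowerShell splits across several 4104 events (MessageNumber/MessageTotal). The host, SID and ProcessID are copied from the page's example; the ScriptBlockId, the second text fragment and the sample events themselves are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4104(xml_text):
    """Pull the fields a 4104 detection needs out of one raw event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "EventID": int(system.find("e:EventID", NS).text),
        "dest": system.find("e:Computer", NS).text,
        "user_id": system.find("e:Security", NS).get("UserID"),
        "ProcessID": system.find("e:Execution", NS).get("ProcessID"),
        "ScriptBlockId": data.get("ScriptBlockId"),
        "MessageNumber": int(data.get("MessageNumber", "1")),
        "MessageTotal": int(data.get("MessageTotal", "1")),
        "ScriptBlockText": data.get("ScriptBlockText", ""),
    }

def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order; flag blocks still missing parts."""
    chunks, last = defaultdict(dict), {}
    for ev in events:
        if ev["EventID"] != 4104:
            continue
        chunks[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        last[ev["ScriptBlockId"]] = ev
    blocks = {}
    for sbid, parts in chunks.items():
        ev = last[sbid]
        blocks[sbid] = {"dest": ev["dest"], "user_id": ev["user_id"],
                        "complete": len(parts) == ev["MessageTotal"],
                        "ScriptBlockText": "".join(parts[i] for i in sorted(parts))}
    return blocks

SBID = "{11111111-2222-3333-4444-555555555555}"  # constructed ScriptBlockId
def sample_event(number, total, text):
    # Constructed fragment modelled on the page's example log (same host, SID and PID).
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
            "<EventID>4104</EventID><Execution ProcessID='5336' ThreadID='2228'/>"
            "<Computer>win-dc-mhaag-attack-range-270.attackrange.local</Computer>"
            "<Security UserID='S-1-5-21-2059343465-2300599999-2417073716-500'/></System>"
            f"<EventData><Data Name='MessageNumber'>{number}</Data><Data Name='MessageTotal'>{total}</Data>"
            f"<Data Name='ScriptBlockText'>{text}</Data><Data Name='ScriptBlockId'>{SBID}</Data></EventData></Event>")

# Two fragments of one block, delivered out of order; the first line of text is the page's example.
SAMPLE_EVENTS = [sample_event(2, 2, " [System.Threading.Mutex]::new($false, $MutexName) }"),
                 sample_event(1, 2, "function New-Mutex($MutexName) {")]
```

Matching detection strings against the reassembled text rather than each fragment avoids both misses (a pattern split across fragments) and duplicate alerts (one per fragment).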

Required Output Fields

  • dest

  • signature

  • signature_id

  • user_id

  • vendor_product

  • Guid

  • Opcode

  • Name

  • Path

  • ProcessID

  • ScriptBlockId

  • ScriptBlockText


Source: GitHub | Version: 4