Data Source: Powershell Script Block Logging 4104

Description

Logs detailed content of PowerShell script blocks as they are executed, including the full command text and context for the execution.

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sourcetype | XmlWinEventLog
Separator | EventID
Name | Technique | Type
AdsiSearcher Account Discovery | Domain Account | TTP
Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol | TTP
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Detect Certify With PowerShell Script Block Logging | PowerShell, Steal or Forge Authentication Certificates | TTP
Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager | TTP
Detect Empire with PowerShell Script Block Logging | PowerShell | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | AS-REP Roasting | TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView | AS-REP Roasting | TTP
Domain Group Discovery with Adsisearcher | Domain Groups | TTP
Elevated Group Discovery with PowerView | Domain Groups | Hunting
Exchange PowerShell Module Usage | PowerShell | TTP
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting
Get ADUser with PowerShell Script Block | Domain Account | Hunting
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP
Get DomainUser with PowerShell Script Block | Domain Account | TTP
Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery, PowerShell | TTP
Get WMIObject Group Discovery with Script Block Logging | Local Groups | Hunting
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
GetAdGroup with PowerShell Script Block | Domain Groups | Hunting
GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting
GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP
GetDomainController with PowerShell Script Block | Remote System Discovery | TTP
GetDomainGroup with PowerShell Script Block | Domain Groups | TTP
GetLocalUser with PowerShell Script Block | PowerShell, Local Account | Hunting
GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting
GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP
GetWmiObject Ds Group with PowerShell Script Block | Domain Groups | TTP
GetWmiObject DS User with PowerShell Script Block | Domain Account | TTP
GetWmiObject User Account with PowerShell Script Block | PowerShell, Local Account | Hunting
Interactive Session on Remote Endpoint with PowerShell | Windows Remote Management | TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell | AS-REP Roasting | TTP
Mailsniper Invoke functions | Local Email Collection | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell COM Hijacking InprocServer32 Modification | PowerShell, Component Object Model Hijacking | TTP
Powershell Creating Thread Mutex | Indicator Removal from Tools, PowerShell | TTP
PowerShell Domain Enumeration | PowerShell | TTP
PowerShell Enable PowerShell Remoting | PowerShell | Anomaly
Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP
Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP
Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Powershell Get LocalGroup Discovery with Script Block Logging | Local Groups | Hunting
PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly
PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP
Powershell Load Module in Meterpreter | PowerShell | TTP
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
Powershell Processing Stream Of Data | PowerShell | TTP
Powershell Remote Services Add TrustedHost | Windows Remote Management | TTP
Powershell Remove Windows Defender Directory | Disable or Modify Tools | TTP
PowerShell Script Block With URL Chain | PowerShell, Ingress Tool Transfer | TTP
PowerShell Start or Stop Service | PowerShell | Anomaly
Powershell Using memory As Backing Store | PowerShell | TTP
PowerShell WebRequest Using Memory Stream | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Remote Process Instantiation via DCOM and PowerShell Script Block | Distributed Component Object Model | TTP
Remote Process Instantiation via WinRM and PowerShell Script Block | Windows Remote Management | TTP
Remote Process Instantiation via WMI and PowerShell Script Block | Windows Management Instrumentation | TTP
Remote System Discovery with Adsisearcher | Remote System Discovery | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
Unloading AMSI via Reflection | PowerShell, Impair Defenses | TTP
User Discovery With Env Vars PowerShell Script Block | System Owner/User Discovery | Hunting
Windows Account Discovery for None Disable User Account | Local Account | Hunting
Windows Account Discovery for Sam Account Name | Account Discovery | Anomaly
Windows Account Discovery With NetUser PreauthNotRequire | Account Discovery | Hunting
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly
Windows Domain Account Discovery Via Get-NetComputer | Domain Account | Anomaly
Windows Enable PowerShell Web Access | PowerShell | TTP
Windows ESX Admins Group Creation via PowerShell | Domain Account, Local Account | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Windows Exfiltration Over C2 Via Powershell UploadString | Exfiltration Over C2 Channel | TTP
Windows File Share Discovery With Powerview | Network Share Discovery | TTP
Windows Find Domain Organizational Units with GetDomainOU | Domain Account | TTP
Windows Find Interesting ACL with FindInterestingDomainAcl | Domain Account | TTP
Windows Forest Discovery with GetForestDomain | Domain Account | TTP
Windows Gather Victim Host Information Camera | Hardware | Anomaly
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Get Local Admin with FindLocalAdminAccess | Domain Account | TTP
Windows Linked Policies In ADSI Discovery | Domain Account | Anomaly
Windows PowerShell Add Module to Global Assembly Cache | IIS Components | TTP
Windows Powershell Cryptography Namespace | PowerShell | Anomaly
Windows PowerShell Disable HTTP Logging | IIS Components, Disable Windows Event Logging | TTP
Windows PowerShell Export Certificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
Windows PowerShell Get CIMInstance Remote Computer | PowerShell | Anomaly
Windows Powershell History File Deletion | Windows Command Shell, Clear Command History | Anomaly
Windows PowerShell IIS Components WebGlobalModule Usage | IIS Components | Anomaly
Windows Powershell Import Applocker Policy | PowerShell, Disable or Modify Tools | TTP
Windows PowerShell Invoke-RestMethod IP Information Collection | System Information Discovery, System Network Configuration Discovery, PowerShell | Anomaly
Windows PowerShell Invoke-Sqlcmd Execution | PowerShell, Windows Command Shell | Hunting
Windows Powershell Logoff User via Quser | PowerShell, Account Access Removal | Anomaly
Windows PowerShell MSIX Package Installation | PowerShell, Registry Run Keys / Startup Folder | TTP
Windows PowerShell ScheduleTask | Scheduled Task, PowerShell | Anomaly
Windows PowerShell Script Block With Malicious String | PowerShell | TTP
Windows PowerShell WMI Win32 ScheduledJob | PowerShell | TTP
Windows PowerSploit GPP Discovery | Group Policy Preferences | TTP
Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView Kerberos Service Ticket Request | Kerberoasting | TTP
Windows PowerView SPN Discovery | Kerberoasting | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Root Domain linked policies Discovery | Domain Account | Anomaly
Windows Screen Capture Via Powershell | Screen Capture | TTP
WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly

Supported Apps

Event Fields

  • _time
  • ActivityID
  • Channel
  • Computer
  • EventCode
  • EventData_Xml
  • EventID
  • EventRecordID
  • Guid
  • Keywords
  • Level
  • MessageNumber
  • MessageTotal
  • Name
  • Opcode
  • Path
  • ProcessID
  • RecordNumber
  • ScriptBlockId
  • ScriptBlockText
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • UserID
  • Version
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • punct
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4104</EventID><Version>1</Version><Level>5</Level><Task>2</Task><Opcode>15</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2022-05-02T12:39:41.710158900Z'/><EventRecordID>112748</EventRecordID><Correlation ActivityID='{547232D9-5B2B-0007-6CA6-72542B5BD801}'/><Execution ProcessID='5336' ThreadID='2228'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>win-dc-mhaag-attack-range-270.attackrange.local</Computer><Security UserID='S-1-5-21-2059343465-2300599999-2417073716-500'/></System><EventData><Data Name='MessageNumber'>1</Data><Data Name='MessageTotal'>1</Data><Data Name='ScriptBlockText'>function New-Mutex($MutexName) {

Required Output Fields

  • dest

  • signature

  • signature_id

  • user_id

  • vendor_product

  • Guid

  • Opcode

  • Name

  • Path

  • ProcessID

  • ScriptBlockId

  • ScriptBlockText


Source: GitHub | Version: 3