powershell.json

{
  "dataset": {
    "name": "EID Quick Reference - PowerShell",
    "version": "1.11.0",
    "generatedAt": "2026-05-10T00:00:00Z",
    "id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/powershell.json",
    "schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
    "license": {
      "name": "Creative Commons Attribution 4.0 International",
      "spdx": "CC-BY-4.0",
      "notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
    },
    "sources": [
      {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/",
        "type": "primary"
      }
    ]
  },
  "entries": [
    {
      "id": 400,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Engine Lifecycle State Changed: Started",
      "summary": "PowerShell engine started.",
      "details": "Generated when a PowerShell engine session starts. The HostApplication field records the full command line used to invoke PowerShell, including any encoded arguments.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "lolbas",
        "engine-lifecycle",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 403,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "HostApplication is the primary pivot — flag -EncodedCommand, -WindowStyle Hidden, -NonInteractive, or -ExecutionPolicy Bypass in the invocation string",
          "HostApplication values showing invocation from wscript.exe, mshta.exe, cmd.exe, or Office processes are high-priority",
          "Correlate with EID 403 to calculate session duration — very short sessions may indicate one-liner or fileless execution"
        ],
        "commonFalsePositives": [
          "Legitimate administrative PowerShell sessions",
          "Scheduled tasks and software agents invoking PowerShell for automation"
        ]
      },
      "keyFields": [
        {
          "name": "HostApplication",
          "xpath": "EventData/Data[@Name='HostApplication']",
          "description": "Full command line used to invoke PowerShell, including arguments and encoded commands"
        },
        {
          "name": "HostName",
          "xpath": "EventData/Data[@Name='HostName']",
          "description": "Name of the PowerShell host process (e.g., ConsoleHost, ServerRemoteHost)"
        },
        {
          "name": "EngineVersion",
          "xpath": "EventData/Data[@Name='EngineVersion']",
          "description": "Version of the PowerShell engine that started"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 403,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Engine Lifecycle State Changed: Stopped",
      "summary": "PowerShell engine stopped.",
      "details": "Generated when a PowerShell engine session ends. Records the same lifecycle metadata as EID 400 for the session that is stopping.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "engine-lifecycle"
      ],
      "relatedEventIds": [
        {
          "id": 400,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Pair with EID 400 to calculate session duration — sub-second sessions are characteristic of one-liner payload execution",
          "Missing EID 403 after EID 400 may indicate the engine was forcibly killed (e.g., by a security tool or crash)"
        ],
        "commonFalsePositives": [
          "Any normal PowerShell session ending"
        ]
      },
      "keyFields": [
        {
          "name": "HostApplication",
          "xpath": "EventData/Data[@Name='HostApplication']",
          "description": "Full command line of the PowerShell session that ended"
        },
        {
          "name": "HostName",
          "xpath": "EventData/Data[@Name='HostName']",
          "description": "Name of the PowerShell host process that stopped"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 500,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Command Started",
      "summary": "PowerShell command execution started.",
      "details": "Generated at the start of each command execution in the classic Windows PowerShell log. Records the command name in the CommandLine field. High volume in normal operation.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "command",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 501,
          "log": "PowerShell"
        },
        {
          "id": 4103,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CommandLine field records the command name — use as a coarse filter to identify suspicious cmdlets, then correlate with EID 4103 for full parameter detail",
          "Pair with EID 501 to calculate per-command execution time"
        ],
        "commonFalsePositives": [
          "High-volume event during any PowerShell session — filter to specific command names of interest"
        ]
      },
      "keyFields": [
        {
          "name": "CommandLine",
          "xpath": "EventData/Data[@Name='CommandLine']",
          "description": "Name of the command being executed"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 501,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Command Stopped",
      "summary": "PowerShell command execution completed.",
      "details": "Generated when a command execution ends in the classic Windows PowerShell log. Records the completion of the command started in EID 500.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "command",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 500,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Pair with EID 500 to calculate per-command duration",
          "On its own this event has low fidelity — value increases when correlated with EID 4103 or 4104"
        ],
        "commonFalsePositives": [
          "Any normal command completion during a PowerShell session"
        ]
      },
      "keyFields": [
        {
          "name": "CommandLine",
          "xpath": "EventData/Data[@Name='CommandLine']",
          "description": "Name of the command that completed execution"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 600,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Provider Lifecycle State Changed: Started",
      "summary": "PowerShell provider started.",
      "details": "Generated when a PowerShell provider is loaded into the session. The ProviderName field identifies which provider was loaded (e.g., WSMan, Registry, Certificate, FileSystem).",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "provider"
      ],
      "relatedEventIds": [
        {
          "id": 400,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "WSMan provider loaded in a non-interactive or automated session may indicate PowerShell remoting activity",
          "Registry and Certificate providers loaded in unexpected contexts warrant review of subsequent EID 4103/4104 for what was accessed",
          "Correlate provider load order with EID 400 HostApplication to understand the session context"
        ],
        "commonFalsePositives": [
          "All standard providers (FileSystem, Registry, Certificate, etc.) load during normal interactive PowerShell sessions"
        ]
      },
      "keyFields": [
        {
          "name": "ProviderName",
          "xpath": "EventData/Data[@Name='ProviderName']",
          "description": "Name of the PowerShell provider that was loaded into the session"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 800,
      "log": "PowerShell",
      "provider": "PowerShell",
      "channel": "Windows PowerShell",
      "level": "Information",
      "title": "Pipeline Execution Details",
      "summary": "Classic-log pipeline execution details recorded.",
      "details": "Generated in the classic Windows PowerShell log with pipeline execution details including command name and pipeline ID. Lower fidelity than EID 4103 as it does not capture full parameters or script content. Present on older systems where the operational log or module logging is not configured.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "pipeline",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4103,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Primarily useful on systems without EID 4103 module logging configured — treat as a fallback data source",
          "Command name in this event can serve as a coarse filter; investigate further using other available telemetry"
        ],
        "commonFalsePositives": [
          "Any pipeline execution in a PowerShell session"
        ]
      },
      "keyFields": [
        {
          "name": "CommandLine",
          "xpath": "EventData/Data[@Name='CommandLine']",
          "description": "Name of the command executed in the pipeline"
        },
        {
          "name": "PipelineId",
          "xpath": "EventData/Data[@Name='PipelineId']",
          "description": "Identifier of the pipeline execution"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4100,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Warning",
      "title": "PowerShell Error",
      "summary": "Error during PowerShell pipeline execution.",
      "details": "Generated when an error occurs during pipeline execution in the operational log. The ErrorRecord field captures the error message, including command names, module names, and file paths involved in the failure.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "error",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4104,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ErrorRecord field may expose command names, module names, or file paths associated with attacker tooling even when execution failed",
          "Clusters of errors referencing known offensive cmdlets (e.g., Invoke-Mimikatz, Set-MpPreference, Add-MpPreference) are high-confidence attack indicators",
          "Correlate with EID 4104 on the same ScriptBlockId to review the full script that generated the error"
        ],
        "commonFalsePositives": [
          "Script errors in legitimate automation due to missing modules or version mismatches",
          "Interactive users running commands with incorrect syntax"
        ]
      },
      "keyFields": [
        {
          "name": "ErrorRecord",
          "xpath": "EventData/Data[@Name='ErrorRecord']",
          "description": "Full error message from the failed pipeline execution"
        },
        {
          "name": "ScriptBlockId",
          "xpath": "EventData/Data[@Name='ScriptBlockId']",
          "description": "GUID linking to the EID 4104 script block that generated the error"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4103,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "Module Logging",
      "summary": "Module logging captured full pipeline execution with parameters.",
      "details": "Generated when module logging is enabled via GPO (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging). Records the full command with all parameter values, pipeline input/output, and the user context. Higher fidelity than classic log EID 800. Requires GPO setting per module or wildcard (*).",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "lolbas",
        "module-logging",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4104,
          "log": "PowerShell"
        },
        {
          "id": 4105,
          "log": "PowerShell"
        },
        {
          "id": 4106,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Full parameter values are recorded — look for credential strings, encoded payloads, or remote host names in parameter fields",
          "SubjectUserName and HostApplication establish user and process context",
          "Correlate with EID 4104 to link module-level execution to the script block that invoked it"
        ],
        "commonFalsePositives": [
          "High-volume event in environments with module logging enabled — filter to specific modules or cmdlets of interest",
          "Legitimate administrative scripts generating large volumes of module logging events"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "keyFields": [
        {
          "name": "Payload",
          "xpath": "EventData/Data[@Name='Payload']",
          "description": "The pipeline execution detail or command output; search for download cradles, encoded strings, and suspicious cmdlets"
        },
        {
          "name": "ContextInfo",
          "xpath": "EventData/Data[@Name='ContextInfo']",
          "description": "Contextual information including host application, runspace, and connected user"
        },
        {
          "name": "HostName",
          "xpath": "EventData/Data[@Name='HostName']",
          "description": "PowerShell host running the command (e.g., ConsoleHost, Windows PowerShell ISE); non-standard hosts are suspicious"
        },
        {
          "name": "HostApplication",
          "xpath": "EventData/Data[@Name='HostApplication']",
          "description": "Full path of the application hosting PowerShell; unexpected parents like wscript.exe or mshta.exe are red flags"
        }
      ],
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "PowerShell Module Logging — Suspicious Download Cradle or Obfuscation",
          "rule": "Event\n| where Source == \"Microsoft-Windows-PowerShell\"\n| where EventID == 4103\n| where RenderedDescription has_any (\n    \"IEX\", \"Invoke-Expression\", \"DownloadString\", \"DownloadFile\",\n    \"WebClient\", \"Net.WebClient\", \"System.Net.WebClient\",\n    \"FromBase64String\", \"[Convert]::\", \"EncodedCommand\",\n    \"Invoke-Mimikatz\", \"Invoke-ReflectivePEInjection\"\n  )\n| project TimeGenerated, Computer, UserName, RenderedDescription",
          "notes": "Module logging captures all pipeline execution. Payload field contains the command. High volume — tune with additional context filters like HostApplication."
        },
        {
          "platform": "Splunk",
          "title": "PowerShell Module Logging Suspicious Keywords",
          "rule": "index=wineventlog EventCode=4103\n(Payload=\"*IEX*\" OR Payload=\"*Invoke-Expression*\" OR Payload=\"*DownloadString*\"\nOR Payload=\"*WebClient*\" OR Payload=\"*FromBase64String*\" OR Payload=\"*Invoke-Mimikatz*\")\n| table _time, Computer, User, Payload, ContextInfo",
          "notes": "Search the Payload field for known attacker keywords and download cradles."
        },
        {
          "platform": "Sigma",
          "title": "PowerShell Module Logging Suspicious Activity",
          "rule": "title: PowerShell Module Logging Suspicious Activity\nstatus: experimental\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection:\n        EventID: 4103\n        Payload|contains:\n            - 'IEX'\n            - 'Invoke-Expression'\n            - 'DownloadString'\n            - 'Net.WebClient'\n            - 'FromBase64String'\n            - 'Invoke-Mimikatz'\n            - 'Invoke-ReflectivePEInjection'\nfalsepositives:\n    - Legitimate administration scripts\n    - Software deployment tools\nlevel: medium",
          "notes": "Baseline keyword list; expand with environment-specific attacker TTPs."
        }
      ],
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 4104,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "Script Block Logging",
      "summary": "Full script block content captured.",
      "details": "Generated when script block logging is enabled (GPO: Turn on PowerShell Script Block Logging). Captures the full text of every compiled script block after deobfuscation, meaning even obfuscated or encoded scripts appear in cleartext. Level 3 (Warning) is generated automatically without GPO when AMSI flags a script block as suspicious. Large scripts are split across multiple sequential events sharing a MessageNumber/MessageTotal field.",
      "prerequisites": [
        {
          "type": "policy",
          "description": "Script Block Logging must be enabled via Group Policy ('Turn on PowerShell Script Block Logging'). Exception: Level 3 (Warning) events for AMSI-flagged suspicious scripts are generated automatically without GPO configuration."
        }
      ],
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "lolbas",
        "script-block-logging",
        "execution",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4103,
          "log": "PowerShell"
        },
        {
          "id": 4105,
          "log": "PowerShell"
        },
        {
          "id": 4106,
          "log": "PowerShell"
        },
        {
          "id": 4100,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        },
        {
          "techniqueId": "T1027",
          "techniqueName": "Obfuscated Files or Information",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ScriptBlockText is post-deobfuscation — even heavily encoded or concatenated scripts appear in cleartext here",
          "Warning-level (3) events are AMSI-triggered and generated regardless of GPO configuration — always treat these as high priority",
          "MessageNumber/MessageTotal fields identify fragments of a split script — reassemble in order for full content",
          "Search ScriptBlockText for known IOCs: download cradles (Net.WebClient, IEX, Invoke-Expression), credential access (mimikatz, sekurlsa), and lateral movement cmdlets"
        ],
        "commonFalsePositives": [
          "Legitimate security tools and scripts that use encoding or obfuscation for intellectual property protection",
          "AMSI-triggered Warning events from security testing or red team activity in authorized environments"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "keyFields": [
        {
          "name": "ScriptBlockText",
          "xpath": "EventData/Data[@Name='ScriptBlockText']",
          "description": "Full text of the script block being executed; the primary field for detecting malicious PowerShell content"
        },
        {
          "name": "Path",
          "xpath": "EventData/Data[@Name='Path']",
          "description": "Path of the script file if executed from disk; empty means executed interactively or from memory"
        },
        {
          "name": "ScriptBlockId",
          "xpath": "EventData/Data[@Name='ScriptBlockId']",
          "description": "GUID uniquely identifying the script block; large scripts are split across multiple events with the same ID"
        }
      ],
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "PowerShell Script Block — Attacker Toolkit Keywords",
          "rule": "Event\n| where Source == \"Microsoft-Windows-PowerShell\"\n| where EventID == 4104\n| where RenderedDescription has_any (\n    \"Invoke-Mimikatz\", \"Invoke-ReflectivePEInjection\", \"Invoke-Shellcode\",\n    \"PowerSploit\", \"Get-GPPPassword\", \"Invoke-CredentialInjection\",\n    \"AmsiUtils\", \"amsiInitFailed\", \"System.Management.Automation.AmsiUtils\",\n    \"-EncodedCommand\", \"-enc \", \"[System.Convert]::FromBase64String\",\n    \"VirtualAlloc\", \"WriteProcessMemory\", \"CreateThread\"\n  )\n| project TimeGenerated, Computer, UserName, RenderedDescription",
          "notes": "Script block logging captures full script content even for obfuscated scripts (AMSI sees decoded content). Higher fidelity than 4103 for detecting known tools."
        },
        {
          "platform": "Splunk",
          "title": "PowerShell Script Block Logging — Malicious Content",
          "rule": "index=wineventlog EventCode=4104\n(ScriptBlock_Text=\"*Invoke-Mimikatz*\" OR ScriptBlock_Text=\"*AmsiUtils*\"\nOR ScriptBlock_Text=\"*amsiInitFailed*\" OR ScriptBlock_Text=\"*FromBase64String*\"\nOR ScriptBlock_Text=\"*VirtualAlloc*\" OR ScriptBlock_Text=\"*Invoke-ReflectivePEInjection*\")\n| table _time, Computer, User, ScriptBlock_Text, Path",
          "notes": "The ScriptBlock_Text field contains the full decoded script content."
        },
        {
          "platform": "Sigma",
          "title": "PowerShell Script Block Logging Malicious Keywords",
          "rule": "title: PowerShell Script Block Logging Malicious Keywords\nstatus: stable\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection:\n        EventID: 4104\n        ScriptBlockText|contains:\n            - 'Invoke-Mimikatz'\n            - 'AmsiUtils'\n            - 'amsiInitFailed'\n            - 'Invoke-ReflectivePEInjection'\n            - 'PowerSploit'\n            - 'Get-GPPPassword'\n            - 'VirtualAlloc'\n            - 'WriteProcessMemory'\nfalsepositives:\n    - Security tooling and EDR agents\n    - Penetration testing\nlevel: high",
          "notes": "High confidence rule; these strings rarely appear in legitimate scripts."
        }
      ],
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4105,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "Started Invocation",
      "summary": "Script block invocation started.",
      "details": "Generated at the start of a script block invocation. The ScriptBlockId field links back to the EID 4104 event that captured the script content.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "script-block-logging",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4106,
          "log": "PowerShell"
        },
        {
          "id": 4104,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ScriptBlockId links this event back to the EID 4104 script block content — use it to identify what was being executed",
          "Correlate timestamp with network connections and Security EID 4688 process creation to build a full execution timeline"
        ],
        "commonFalsePositives": [
          "Any legitimate script block invocation"
        ]
      },
      "keyFields": [
        {
          "name": "ScriptBlockId",
          "xpath": "EventData/Data[@Name='ScriptBlockId']",
          "description": "GUID linking to the EID 4104 event containing the script block content"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4106,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "Completed Invocation",
      "summary": "Script block invocation completed.",
      "details": "Generated when a script block invocation ends. The ScriptBlockId field links back to the EID 4104 event that captured the script content.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "script-block-logging",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4105,
          "log": "PowerShell"
        },
        {
          "id": 4104,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Pair with EID 4105 using ScriptBlockId to calculate execution duration",
          "Missing EID 4106 after EID 4105 may indicate the runspace was killed, crashed, or hijacked — correlate with Application EID 1000"
        ],
        "commonFalsePositives": [
          "Any legitimate script block completing normally"
        ]
      },
      "keyFields": [
        {
          "name": "ScriptBlockId",
          "xpath": "EventData/Data[@Name='ScriptBlockId']",
          "description": "GUID linking to the EID 4104 event containing the script block content"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 40961,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "PowerShell console host is starting up",
      "summary": "An interactive PowerShell console (ConsoleHost) session is initialising.",
      "details": "Generated at the start of an interactive PowerShell console session (powershell.exe or pwsh.exe launched interactively). This event distinguishes interactive console sessions from non-interactive script execution. A 40961 event fires for human-operated terminals but not for scripted automation, scheduled tasks, or WinRM-based remoting (which use ServerRemoteHost rather than ConsoleHost). The absence of 40961/40962 lifecycle events alongside 4103/4104 execution events indicates non-interactive (automated or remote) execution.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "interactive",
        "console-host",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 40962,
          "log": "PowerShell"
        },
        {
          "id": 400,
          "log": "PowerShell"
        },
        {
          "id": 4104,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Interactive console (40961) on a server where no interactive admin activity is expected indicates hands-on attacker presence — treat as high priority",
          "40961 from a service account or non-admin user account is anomalous — interactive PS sessions should only be started by authorised administrators",
          "Absence of 40961/40962 alongside 4103/4104 execution events confirms non-interactive execution — correlate with EID 400 HostApplication for invocation method",
          "Correlate timestamp with Security EID 4648 (explicit credential logon) — interactive sessions started using RunAs or explicit credentials are higher fidelity"
        ],
        "commonFalsePositives": [
          "Administrators opening PowerShell consoles interactively for legitimate administrative work",
          "Developers using interactive PS sessions on workstations",
          "IT automation testing run interactively before productising as a scheduled task"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-10"
    },
    {
      "id": 40962,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "PowerShell console host is ready for user input",
      "summary": "An interactive PowerShell console (ConsoleHost) session is fully initialised and awaiting input.",
      "details": "Generated when an interactive PowerShell ConsoleHost session completes initialisation and presents the prompt to the user. This event follows EID 40961 and confirms the interactive session is fully ready. The distinction between 40961 (starting) and 40962 (ready) allows calculation of console initialisation time.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "interactive",
        "console-host",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 40961,
          "log": "PowerShell"
        },
        {
          "id": 403,
          "log": "PowerShell"
        },
        {
          "id": 4103,
          "log": "PowerShell"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Pair with EID 40961 to confirm session lifecycle — an interactive console is open between these two events and EID 403",
          "Correlate following 4103/4104 events with network connections (Sysmon EID 3) to build an attacker activity timeline",
          "On servers, correlate with RDP session events (EID 4778/4779) to determine if the interactive PS session was opened over an RDP connection"
        ],
        "commonFalsePositives": [
          "Any legitimate interactive PowerShell console session opened by an administrator"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-10"
    },
    {
      "id": 53504,
      "log": "PowerShell",
      "provider": "Microsoft-Windows-PowerShell",
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "level": "Information",
      "title": "PowerShell is authenticating to remote server",
      "summary": "PowerShell is performing a WSMan/WinRM authentication handshake to a remote host.",
      "details": "Generated when Windows PowerShell authenticates to a remote server via WSMan (WinRM/PSRemoting). This event fires on the initiating (client) machine and records outbound PowerShell remoting connections before session establishment. The Server field records the remote host, AuthMechanism records the authentication method (Kerberos, NTLM, Negotiate, Basic, CredSSP), and UserName records the account used.",
      "category": "PowerShell Execution",
      "tags": [
        "powershell",
        "remoting",
        "psremoting",
        "winrm",
        "wsman",
        "lateral-movement",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4103,
          "log": "PowerShell"
        },
        {
          "id": 4104,
          "log": "PowerShell"
        },
        {
          "id": 6,
          "log": "WinRM"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.006",
          "techniqueName": "Remote Services: Windows Remote Management",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1059.001",
          "techniqueName": "Command and Scripting Interpreter: PowerShell",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "AuthMechanism = 'Basic' indicates cleartext credential transmission — this should never occur on production systems and is a critical configuration finding",
          "AuthMechanism = 'CredSSP' delegates full credentials to the remote host — the remote host can then impersonate the user to any resource; flag unexpected CredSSP usage",
          "Server (destination host) not matching expected management targets for the user account indicates lateral movement",
          "NTLM PSRemoting (AuthMechanism = NTLM) to external or DMZ hosts may indicate data exfiltration staging via PSRemoting",
          "Correlate with WinRM EID 6 on the destination to confirm session establishment and identify what was executed remotely"
        ],
        "commonFalsePositives": [
          "IT administrators using Enter-PSSession for legitimate remote management",
          "Ansible, DSC, or other automation frameworks using PSRemoting for configuration management",
          "Monitoring solutions polling remote systems via PSRemoting"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "keyFields": [
        {
          "name": "Server",
          "xpath": "EventData/Data[@Name='Server']",
          "description": "Remote host being connected to; unexpected or external destinations are high risk"
        },
        {
          "name": "AuthMechanism",
          "xpath": "EventData/Data[@Name='AuthMechanism']",
          "description": "Authentication method; Basic = cleartext (critical), CredSSP = credential delegation (high risk), NTLM = relay risk"
        },
        {
          "name": "UserName",
          "xpath": "EventData/Data[@Name='UserName']",
          "description": "Account used for remote auth; service accounts or privileged accounts connecting to unusual hosts are anomalous"
        }
      ],
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "PowerShell Remoting with Basic or CredSSP Authentication",
          "rule": "Event\n| where Source == \"Microsoft-Windows-PowerShell\"\n| where EventID == 53504\n| where RenderedDescription has_any (\"Basic\", \"CredSSP\")\n| project TimeGenerated, Computer, UserName, RenderedDescription",
          "notes": "Basic auth sends credentials in cleartext. CredSSP delegates credentials to the remote host. Both should be banned by policy and any occurrence investigated."
        },
        {
          "platform": "Sigma",
          "title": "PowerShell Remoting with Unsafe Authentication Method",
          "rule": "title: PowerShell Remoting Using Basic or CredSSP Authentication\nstatus: stable\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection:\n        EventID: 53504\n        AuthMechanism:\n            - 'Basic'\n            - 'CredSSP'\n    condition: selection\nfalsepositives:\n    - Legacy management scripts not yet migrated to Kerberos\n    - Specific DSC pull server configurations using CredSSP\nlevel: high",
          "notes": "Basic auth is cleartext and should alert as critical. CredSSP is high risk if used outside documented and approved scenarios."
        }
      ],
      "lastReviewed": "2026-04-10"
    }
  ]
}