Message

Computer Name $null or . resolve to LocalHost

Message

Resolving to default scheme http

Message

Remote shell name resolved to default Microsoft.PowerShell

Message

%3

Context:
%1

User Data:
%2

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4100
  version: 1
  level: 3
  task: 106
  opcode: 19
  keywords: 0
  time_created: '2022-04-07T17:04:47.579256+00:00'
  event_record_id: 144
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-0BCA-AAE09F4AD801
  execution:
    process_id: 380
    thread_id: 3624
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  ContextInfo: "        Severity = Warning\r\n        Host Name = ADMUX\r\n        Host
    Version = 1.0.0.0\r\n        Host ID = 2e800f71-2f5c-4821-bd98-9e3b61b6b054\r\n
    \       Host Application = C:\\Windows\\system32\\dsac.exe\r\n        Engine Version
    = 5.1.20348.617\r\n        Runspace ID = 4e800c4b-dc8b-408d-8e82-38150ba7d4fe\r\n
    \       Pipeline ID = 31\r\n        Command Name = Set-ADAccountPassword\r\n        Command
    Type = Cmdlet\r\n        Script Name = \r\n        Command Path = \r\n        Sequence
    Number = 23\r\n        User = SIGMA\\Administrator\r\n        Connected User =
    \r\n        Shell ID = Microsoft.PowerShell\r\n"
  UserData: ''
  Payload: "Error Message = The password does not meet the length, complexity, or
    history requirement of the domain.\r\nFully Qualified Error ID = ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword\r\n"
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%3

Context:
%1

User Data:
%2

Fields

Message

%3

Context:
%1

User Data:
%2

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4102
  version: 1
  level: 3
  task: 106
  opcode: 19
  keywords: 0
  time_created: '2023-10-25T21:34:05.630892+00:00'
  event_record_id: 11
  correlation:
    ActivityID: DE03B784-07C3-0001-BC98-04DEC307DA01
  execution:
    process_id: 1796
    thread_id: 2088
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-21-2533829718-189860685-2477588761-500
event_data:
  ContextInfo: "        Severity = Warning\r\n        Host Name = ConsoleHost\r\n
    \       Host Version = 5.1.22621.2428\r\n        Host ID = d4db7522-7ab1-46f8-add0-ee6f22c6c812\r\n
    \       Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
    -ExecutionPolicy Bypass a:\\FixPublicNetworkType.ps1\r\n        Engine Version
    = 5.1.22621.2428\r\n        Runspace ID = c5b2be04-de37-4a47-bfdd-d75d2d714efd\r\n
    \       Pipeline ID = 1\r\n        Command Name = \r\n        Command Type = \r\n
    \       Script Name = \r\n        Command Path = \r\n        Sequence Number =
    16\r\n        User = WINDEVEVAL\\Administrator\r\n        Connected User = \r\n
    \       Shell ID = Microsoft.PowerShell\r\n"
  UserData: ''
  Payload: "Error Message = Could not find the drive 'a:\\'. The drive might not be
    ready or might not be mapped.\r\n\r\nProvider name = Microsoft.PowerShell.Core\\FileSystem\r\n"
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%3

Context:
%1

User Data:
%2

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4103
  version: 1
  level: 4
  task: 106
  opcode: 20
  keywords: 0
  time_created: '2023-11-06T01:35:06.007359+00:00'
  event_record_id: 907
  correlation:
    ActivityID: E4DB489E-1037-0000-CD79-E9E43710DA01
  execution:
    process_id: 15468
    thread_id: 15184
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ContextInfo: "        Severity = Informational\r\n        Host Name = ConsoleHost\r\n
    \       Host Version = 5.1.22621.2428\r\n        Host ID = 9500ad9e-7709-413f-b91b-8945cbb52940\r\n
    \       Host Application = powershell.exe -NoExit -Command &{Import-Module \"C:\\Program
    Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Microsoft.VisualStudio.DevShell.dll\";
    Enter-VsDevShell d5dcd421 -SkipAutomaticLocation -DevCmdArguments \"-arch=x64
    -host_arch=x64\"}\r\n        Engine Version = 5.1.22621.2428\r\n        Runspace
    ID = 6fa4bb48-d600-4d4b-b445-e1fa0a41db53\r\n        Pipeline ID = 23\r\n        Command
    Name = Set-StrictMode\r\n        Command Type = Cmdlet\r\n        Script Name
    = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.0.0\\PSReadLine.psm1\r\n
    \       Command Path = \r\n        Sequence Number = 58\r\n        User = WINDEV2310EVAL\\User\r\n
    \       Connected User = \r\n        Shell ID = Microsoft.PowerShell\r\n"
  UserData: ''
  Payload: "CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\r\nParameterBinding(Set-StrictMode):
    name=\"Off\"; value=\"True\"\r\n"
message: ''

Sigma Rules

• Potential Active Directory Enumeration Using AD Module - PsModule
  Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
• Alternate PowerShell Hosts - PowerShell Module
  Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
• Bad Opsec Powershell Code Artifacts
  focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
• Clear PowerShell History - PowerShell Module
  Detects keywords that could indicate clearing PowerShell history
• PowerShell Decompress Commands
  A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

Showing 5 of 33 matching Sigma rules.

References

• Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Creating Scriptblock text (%1 of %2):
%3

ScriptBlock ID: %4
Path: %5

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4104
  version: 1
  level: 5
  task: 2
  opcode: 15
  keywords: 0
  time_created: '2023-11-06T01:35:05.990326+00:00'
  event_record_id: 901
  correlation:
    ActivityID: E4DB489E-1037-0002-FA44-ECE43710DA01
  execution:
    process_id: 15468
    thread_id: 15184
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  MessageNumber: 1
  MessageTotal: 1
  ScriptBlockText: prompt
  ScriptBlockId: 6baf0dc7-a83f-43e1-bb6a-d7ab8d05eeb0
  Path: ''
message: ''

Sigma Rules

• AADInternals PowerShell Cmdlets Execution - PsScript
  Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
• Access to Browser Login Data
  Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
• Potential Active Directory Enumeration Using AD Module - PsScript
  Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
• Powershell Add Name Resolution Policy Table Rule
  Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
• Add Windows Capability Via PowerShell Script
  Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Showing 5 of 160 matching Sigma rules.

References

• Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Started invocation of ScriptBlock ID: %1
Runspace ID: %2

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4105
  version: 1
  level: 5
  task: 102
  opcode: 15
  keywords: 0
  time_created: '2023-11-06T01:35:05.999333+00:00'
  event_record_id: 906
  correlation:
    ActivityID: E4DB489E-1037-0000-CC79-E9E43710DA01
  execution:
    process_id: 15468
    thread_id: 15184
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ScriptBlockId: 4b7eebd5-d6e3-46f7-b795-a7d9736e5810
  RunspaceId: 6fa4bb48-d600-4d4b-b445-e1fa0a41db53
message: ''

References

• Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Completed invocation of ScriptBlock ID: %1
Runspace ID: %2

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 4106
  version: 1
  level: 5
  task: 103
  opcode: 15
  keywords: 0
  time_created: '2023-11-06T01:35:05.993908+00:00'
  event_record_id: 905
  correlation:
    ActivityID: E4DB489E-1037-0002-FB44-ECE43710DA01
  execution:
    process_id: 15468
    thread_id: 15184
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ScriptBlockId: 6baf0dc7-a83f-43e1-bb6a-d7ab8d05eeb0
  RunspaceId: 6fa4bb48-d600-4d4b-b445-e1fa0a41db53
message: ''

References

• Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%3

Context:
%1

User Data:
%2

Fields

Message

%3

Context:
%1

User Data:
%2

Fields

Message

%3

Context:
%1

User Data:
%2

Fields

Message

%3

Context:
%1

User Data:
%2

Fields

Message

Correlating activity id's. 
 	 CurrentActivityId: %1 
 	 ParentActivityId: %2

Fields

Message

Class Name = %1
Method Name = %2
Workflow GUID = %3
Message = %4
%5
Activity Name = %6
Activity GUID = %7
Parameters = %8

Fields

Message

Creating Runspace object 
 	 Instance Id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 8193
  version: 1
  level: 5
  task: 1
  opcode: 16
  keywords: 0
  time_created: '2022-04-07T17:06:32.284732+00:00'
  event_record_id: 9
  correlation:
    ActivityID: C88130F4-85B6-4F22-BDD1-6F6F4B29582D
  execution:
    process_id: 5272
    thread_id: 5572
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  param1: c88130f4-85b6-4f22-bdd1-6f6f4b29582d
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Creating RunspacePool object 
 	 InstanceId %1 
 	 MinRunspaces %2 
 	 MaxRunspaces %3

Fields

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 8194
  version: 1
  level: 5
  task: 1
  opcode: 16
  keywords: 0
  time_created: '2022-04-07T17:21:29.409715+00:00'
  event_record_id: 146
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  InstanceId: 1480b89f-e871-42e4-bfb4-c8f88b053137
  MaxRunspaces: '2'
  MinRunspaces: '10'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Opening RunspacePool

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 8195
  version: 1
  level: 5
  task: 1
  opcode: 10
  keywords: 0
  time_created: '2022-04-07T17:21:29.483155+00:00'
  event_record_id: 147
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 4780
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Modifying activity Id and correlating

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 8196
  version: 1
  level: 4
  task: 0
  opcode: 20
  keywords: 0
  time_created: '2022-04-07T17:21:43.024925+00:00'
  event_record_id: 191
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 940
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Runspace state changed to %1

Fields

Message

Attempting session creation retry %1 for error code %2 on session Id %3

Fields

Message

Port resolved to %1

Fields

Message

AppName resolved to %1

Fields

Message

ComputerName resolved to %1

Fields

Message

Scheme is %1

Fields

Message

Test analytic message

Message

Connection Paramters are 
 Connection URI: %1 
 Resource URI: %2 
 User: %3 
 OpenTimeout: %4 
 IdleTimeout: %5 
 CancelTimeout: %6 
 AuthenticationMechanism: %7 
 Thumb Print: %8 
 MaxUriRedirectionCount: %9 
 MaxReceivedDataSizePerCommand: %10 
 MaxReceivedObjectSize: %11

Fields

Message

Modifying activity Id and correlating

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 12039
  version: 1
  level: 4
  task: 0
  opcode: 20
  keywords: 0
  time_created: '2022-04-07T17:21:43.024926+00:00'
  event_record_id: 192
  correlation:
    ActivityID: 1480B89F-E871-42E4-BFB4-C8F88B053137
  execution:
    process_id: 4444
    thread_id: 940
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

AmsiUtil state. 
 	 state: %1 
 	 Context: %2

Fields

Message

Windows PowerShell ISE has started to run script file %1.

Fields

Message

Windows PowerShell ISE has started to run a user-selected script from file %1.

Fields

Message

Windows PowerShell ISE is stopping the current command.

Message

Windows PowerShell ISE is resuming the debugger.

Message

Windows PowerShell ISE is stopping the debugger.

Message

Windows PowerShell ISE is stepping into debugging.

Message

Windows PowerShell ISE is stepping over debugging.

Message

Windows PowerShell ISE is stepping out of debugging.

Message

Windows PowerShell ISE is enabling all breakpoints.

Message

Windows PowerShell ISE is disabling all breakpoints.

Message

Windows PowerShell ISE is removing all breakpoints.

Message

Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2.

Fields

Message

Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2.

Fields

Message

Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2.

Fields

Message

Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2.

Fields

Message

Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2.

Fields

Message

Successfully rehydrated an object. 
 	 Deserialized type name: %1 
 	 Rehydrated by casting to type: %2 
 	 Rehydrated object is of type: %3

Fields

Message

Failed to rehydrated an object. 
 	 Deserialized type name: %1 
 	 Rehydrated by casting to type: %2 
 	 Type cast exception: %3 
 	 Type cast inner exception: %4

Fields

Message

Serialization depth has been overriden. 
 	 Serialized type name: %1 
 	 Original depth: %2 
 	 Overriden depth: %3 
 	 Current depth below top level: %4

Fields

Message

Serialization mode has been overriden. 
 	 Serialized type name: %1 
 	 Overriden mode: %2

Fields

Message

Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property. 
 	 Property name: %1 
 	 Property owner's type name: %2 
 	 Getter script: %3

Fields

Message

Serialization of a property has been skipped, because property getter failed. 
 	 Property name: %1 
 	 Property owner's type name: %2 
 	 Exception from property getter: %3 
 	 Inner exception from property getter: %4

Fields

Message

Serialization of an enumerable object might not be complete, because object being enumerated threw an exception. 
 	 Type of object being enumerated: %1 
 	 Exception: %2

Fields

Message

Serialization called object's ToString method which failed. 
 	 Type of object: %1 
 	 Exception: %2

Fields

Message

Maximum depth below top level has been reached, forcing object to be serialized as strings. 
 	 Object type at max depth: %1 
 	 Property name at max depth: %2 
 	 Depth: %3

Fields

Message

XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format). 
 	 Line number: %1 Line position: %2 
 	 Exception: %3

Fields

Message

Serialization of specified properties failed, because one of the specified properties was missing. 
 	 Type of object: %1 
 	 Property name: %2

Fields

Message

Received object with Runspace Id: %1 Command Id: %2 Destination: %3 DataType: %4 TargetInterface: %5

Fields

Message

An unhandled exception occurred in the appdomain. 
Exception Type: %1 
Exception Message: %2 
Exception StackTrace: %3

Fields

Message

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. 
 Error message: %4 
 StackTrace: %5

Fields

Message

An unhandled exception occurred in the appdomain. 
Exception Type: %1 
Exception Message: %2 
Exception StackTrace: %3

Fields

Message

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. 
 Error message: %4 
 StackTrace: %5

Fields

Message

Runspace Id %1. Establishing a connection using WSMan Create Shell

Fields

Message

Runspace Id %1. Callback received for WSMan Create Shell

Fields

Message

Runspace Id: %1. Closing shell using WSManCloseShell

Fields

Message

Runspace Id: %1. Callback received for WSManCloseShell

Fields

Message

Runspace Id: %1 Pipeline Id: %2. Sending data of size %3

Fields

Message

Runspace Id: %1 Pipeline Id: %2. Callback received for WSManSendShellInputEx

Fields

Message

Runspace Id: %1 Pipeline Id: %2. Placing Receive request using WSManReceiveShellOutputEx

Fields

Message

Runspace Id: %1 Pipeline Id: %2. Received Data of size %3.

Fields

Message

Runspace Id %1 Pipeline Id %2. Establishing a command connection using WSManRunShellCommandEx

Fields

Message

Runspace Id %1 Pipeline Id %2. Callback received for command connection

Fields

Message

Runspace Id: %1 Pipeline Id %2. Closing transport for command

Fields

Message

Runspace Id: %1 Pipeline Id %2. Callback received for command close

Fields

Message

Runspace Id: %1 Pipeline Id %2. Sending signal with code %3 using WSManSignalShellEx

Fields

Message

Runspace Id: %1 Pipeline Id %2. Callback received for WSManSignalShellEx

Fields

Message

Runspace Id: %1. Connection is getting redirected to Uri: %2

Fields

Message

Runspace Id: %1 Pipeline Id: %2. Server is sending data of size %3 to client. DataType: %4 TargetInterface: %5

Fields

Message

Request %1. Creating a server remote session. UserName: %2 Custome Shell Id: %3

Fields

Message

Reporting context for request: %1 Context Reported: %1

Fields

Message

Reporting operation complete for request: %1 
 Error Code: %2 
 Error Message: %3 
 StackTrace: %4

Fields

Message

Shell Context %1. Request Id %2. Creating a commonad session for running a command.

Fields

Message

Shell Context %1 Command Context %2 Request Id %3. Stopping command.

Fields

Message

Shell Context %1 Command Context %2 Request Id %3. Received data from client.

Fields

Message

Shell Context %1 Command Context %2 Request Id %3. Client sent a receive request so that server can send data.

Fields

Message

Shell Context %1 Command Context %2 IsReceiveOperation %3. Got close operation request.

Fields

Message

Loading assembly %1 for custom shell with shell Id %2

Fields

Message

Loading type %1 for custom shell with shell Id %2

Fields

Message

Received remoting fragment. 
 	 Object Id: %1 
 	 Fragment Id: %2 
 	 Start Flag: %3 
 	 End Flag: %4 
 	 Payload Length: %5 
 	 Payload Data: %6

Fields

Message

Sent remoting fragment. 
 	 Object Id: %1 
 	 Fragment Id: %2 
 	 Start Flag: %3 
 	 End Flag: %4 
 	 Payload Length: %5 
 	 Payload Data: %6

Fields

Message

Shutting down winrm service.

Message

PowerShell console is starting up

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 40961
  version: 1
  level: 4
  task: 4
  opcode: 1
  keywords: 0
  time_created: '2023-11-06T01:18:27.730646+00:00'
  event_record_id: 772
  correlation:
    ActivityID: E4DB489E-1037-0002-CA26-E6E43710DA01
  execution:
    process_id: 12192
    thread_id: 16872
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

PowerShell console is ready for user input

Example Event

system:
  provider: Microsoft-Windows-PowerShell
  guid: A0C1853B-5C40-4B15-8766-3CF1C58F985A
  event_source_name: ''
  event_id: 40962
  version: 1
  level: 4
  task: 4
  opcode: 2
  keywords: 0
  time_created: '2023-11-06T01:18:31.505927+00:00'
  event_record_id: 788
  correlation:
    ActivityID: E4DB489E-1037-0002-CA26-E6E43710DA01
  execution:
    process_id: 12192
    thread_id: 16872
  channel: Microsoft-Windows-PowerShell/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Tracing ErrorRecord: 
 Message: %1 
 CategoryInfo.Category: %2 
 CategoryInfo.Reason : %3 
 CategoryInfo.TargetName : %4 
 FullyQualifiedErrorId: %5 
 Exception Details: 
 Message : %6 
 Stack Trace: %7 
 InnerException %8

Fields

Message

Exception: 
 Message: %1 
 StackTrace: %2 
 InnerException : %3

Fields

Message

Tracing PSObject

Message

Tracing Job: 
 Id: %1 
 InstanceId: %2 
 Name: %3 
 Location: %4 
 State: %5 
 Command: %6

Fields

Message

Trace Information: 
 %1

Fields

Message

Connection Paramters are 
 Connection URI: %1 
 Resource URI: %2 
 User: %3 
 OpenTimeout: %4 
 IdleTimeout: %5 
 CancelTimeout: %6 
 AuthenticationMechanism: %7 
 Thumb Print: %8 
 MaxUriRedirectionCount: %9 
 MaxReceivedDataSizePerCommand: %10 
 MaxReceivedObjectSize: %11

Fields

Message

Workflow plugin loaded. 
 	 EndpointName: %1 
 	 User: %2 
 	 HostingMode: %3 
 	 Protocol: %4 
 	 Configuration: 
 %5

Fields

Message

Workflow execution started. 
 	 WorkflowId: %1 
 	 ManagedNodes: %2

Fields

Message

Workflow state changed. 
 	 WorkflowId: %1 
 	 NewState: %2 
 	 OldState: %3

Fields

Message

Workflow plugin has been requested for a shutdown. 
 	 EndpointName: %1

Fields

Message

Workflow plugin restarted. 
 	 EndpointName: %1

Fields

Message

Workflow is resuming. 
 	 WorkflowId: %1

Fields

Message

A quota limit that was set for the endpoint was exceeded. 
 	 EndpointName: %1 
 	 ConfigName: %2 
 	 AllowedValue: %3 
 	 ValueInQuestion: %4

Fields

Message

Workflow has resumed. 
 	 WorkflowId: %1

Fields

Message

Workflow runspace pool was created. 
 	 WorkflowId: %1 
 	 ManagedNode: %2

Fields

Message

Activity was queued for execution. 
 	 WorkflowId: %1 
 	 ActivityName: %2

Fields

Message

Activity execution started. 
 	 ActivityName: %1 
 	 ActivityTypeName: %2

Fields

Message

Workflow is being imported from a XAML file. 
 	 WorkflowId: %1 
 	 XamlFile: %2

Fields

Message

Workflow has been imported from a XAML file. 
 	 WorkflowId: %1 
 	 XamlFile: %2

Fields

Message

Workflow could not be imported from a XAML file because of an error. 
 	 WorkflowId: %1 
 	 ErrorDescription: %2

Fields

Message

Workflow validation started. 
 	 WorkflowId: %1

Fields

Message

Workflow validation succeeded. 
 	 WorkflowId: %1

Fields

Message

Workflow validation failed with error. 
 	 WorkflowId: %1

Fields

Message

Workflow activity validated. 
 	 WorkflowId: %1 
 	 ActivityDisplayName: %2 
 	 ActivityTypeName: %3

Fields

Message

Workflow activity could not be validated. 
 	 WorkflowId: %1 
 	 ActivityDisplayName: %2 
 	 ActivityTypeName: %3

Fields