Microsoft-Windows-PowerShell
189 events across 3 channels
Event ID 4097 — Computer Name $null or.
Description
Computer Name $null or . resolve to LocalHost.
Message #
Event ID 4098 — Resolving to default scheme http
Description
Resolving to default scheme http.
Message #
Event ID 4099 — Remote shell name resolved to default Microsoft.
Description
Remote shell name resolved to default Microsoft.PowerShell.
Message #
Event ID 4100 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4100,
    "version": 1,
    "level": 3,
    "task": 106,
    "opcode": 19,
    "keywords": 0,
    "time_created": "2022-04-07T17:04:47.579256+00:00",
    "event_record_id": 144,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0000-0BCA-AAE09F4AD801"
    },
    "execution": {
      "process_id": 380,
      "thread_id": 3624
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "ContextInfo": " Severity = Warning\r\n Host Name = ADMUX\r\n Host Version = 1.0.0.0\r\n Host ID = 2e800f71-2f5c-4821-bd98-9e3b61b6b054\r\n Host Application = C:\\Windows\\system32\\dsac.exe\r\n Engine Version = 5.1.20348.617\r\n Runspace ID = 4e800c4b-dc8b-408d-8e82-38150ba7d4fe\r\n Pipeline ID = 31\r\n Command Name = Set-ADAccountPassword\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 23\r\n User = SIGMA\\Administrator\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n",
    "UserData": "",
    "Payload": "Error Message = The password does not meet the length, complexity, or history requirement of the domain.\r\nFully Qualified Error ID = ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword\r\n"
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4101 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | — |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
| Context | — | — |
| User_Data | — | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4101,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 19,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T19:32:29.608586+00:00",
    "event_record_id": 149117,
    "correlation": {
      "ActivityID": "DF92C490-B30B-000C-6802-93DF0BB3DC01"
    },
    "execution": {
      "process_id": 4068,
      "thread_id": 956
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ContextInfo": "Install",
    "UserData": "Package=nuget, Version=2.8.5.208, Provider=Bootstrap, Source=https://cdn.oneget.org/providers/nuget-2.8.5.208.package.swidtag, Status=Installed, DestinationPath=",
    "Payload": "PackageManagement: A package is installed."
  },
  "message": ""
}
```
Event ID 4102 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4102,
    "version": 1,
    "level": 3,
    "task": 106,
    "opcode": 19,
    "keywords": 0,
    "time_created": "2023-10-25T21:34:05.630892+00:00",
    "event_record_id": 11,
    "correlation": {
      "ActivityID": "DE03B784-07C3-0001-BC98-04DEC307DA01"
    },
    "execution": {
      "process_id": 1796,
      "thread_id": 2088
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "ContextInfo": " Severity = Warning\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.22621.2428\r\n Host ID = d4db7522-7ab1-46f8-add0-ee6f22c6c812\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass a:\\FixPublicNetworkType.ps1\r\n Engine Version = 5.1.22621.2428\r\n Runspace ID = c5b2be04-de37-4a47-bfdd-d75d2d714efd\r\n Pipeline ID = 1\r\n Command Name = \r\n Command Type = \r\n Script Name = \r\n Command Path = \r\n Sequence Number = 16\r\n User = WINDEVEVAL\\Administrator\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n",
    "UserData": "",
    "Payload": "Error Message = Could not find the drive 'a:\\'. The drive might not be ready or might not be mapped.\r\n\r\nProvider name = Microsoft.PowerShell.Core\\FileSystem\r\n"
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4103 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4103,
    "version": 1,
    "level": 4,
    "task": 106,
    "opcode": 20,
    "keywords": 0,
    "time_created": "2023-11-06T01:35:06.007359+00:00",
    "event_record_id": 907,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-CD79-E9E43710DA01"
    },
    "execution": {
      "process_id": 15468,
      "thread_id": 15184
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.22621.2428\r\n Host ID = 9500ad9e-7709-413f-b91b-8945cbb52940\r\n Host Application = powershell.exe -NoExit -Command &{Import-Module \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Microsoft.VisualStudio.DevShell.dll\"; Enter-VsDevShell d5dcd421 -SkipAutomaticLocation -DevCmdArguments \"-arch=x64 -host_arch=x64\"}\r\n Engine Version = 5.1.22621.2428\r\n Runspace ID = 6fa4bb48-d600-4d4b-b445-e1fa0a41db53\r\n Pipeline ID = 23\r\n Command Name = Set-StrictMode\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.0.0\\PSReadLine.psm1\r\n Command Path = \r\n Sequence Number = 58\r\n User = WINDEV2310EVAL\\User\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n",
    "UserData": "",
    "Payload": "CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\r\nParameterBinding(Set-StrictMode): name=\"Off\"; value=\"True\"\r\n"
  },
  "message": ""
}
```
Detection Rules #
Sigma #
Showing 20 of 33 rules.
- Potential Active Directory Enumeration Using AD Module - PsModule (medium): Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
- Alternate PowerShell Hosts - PowerShell Module (medium): Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
- Bad Opsec Powershell Code Artifacts (critical): Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
- Clear PowerShell History - PowerShell Module (medium): Detects keywords that could indicate clearing PowerShell history
- PowerShell Decompress Commands (informational): A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
- Malicious PowerShell Scripts - PoshModule (high): Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
- Suspicious Get-ADDBAccount Usage (high): Detects suspicious invocation of the Get-ADDBAccount script that reads from an ntds.dit file and may be used to get access to credentials without using any credential dumpers
- PowerShell Get Clipboard (medium): A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
- HackTool - Evil-WinRm Execution - PowerShell Module (high): Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module (high): Detects obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module (high): Detects all variations of obfuscated powershell IEX invocation code generated by the Invoke-Obfuscation framework from the code block cited in the reference section below
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module (high): Detects obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module (high): Detects obfuscated use of environment variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module (medium): Detects obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module (medium): Detects obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - PowerShell Module (high): Detects obfuscated Powershell via Stdin in scripts
- Invoke-Obfuscation Via Use Clip - PowerShell Module (high): Detects obfuscated Powershell via use of Clip.exe in scripts
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module (high): Detects obfuscated Powershell via use of MSHTA in scripts
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module (high): Detects obfuscated Powershell via use of Rundll32 in scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module (high): Detects obfuscated Powershell via VAR++ LAUNCHER
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4104 — Creating Scriptblock text (MessageNumber of MessageTotal).
Description
Creating Scriptblock text (MessageNumber of MessageTotal).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| MessageNumber | Int32 | Part number of the current script block fragment (large scripts are split across multiple events) |
| MessageTotal | Int32 | Total number of script block fragments for the complete script |
| ScriptBlockText | UnicodeString | Content of the executed PowerShell script block |
| ScriptBlockId | UnicodeString | ScriptBlock ID |
| Path | UnicodeString | Full path to the executed script file |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4104,
    "version": 1,
    "level": 5,
    "task": 2,
    "opcode": 15,
    "keywords": 0,
    "time_created": "2023-11-06T01:35:05.990326+00:00",
    "event_record_id": 901,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-FA44-ECE43710DA01"
    },
    "execution": {
      "process_id": 15468,
      "thread_id": 15184
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "MessageNumber": 1,
    "MessageTotal": 1,
    "ScriptBlockText": "prompt",
    "ScriptBlockId": "6baf0dc7-a83f-43e1-bb6a-d7ab8d05eeb0",
    "Path": ""
  },
  "message": ""
}
```
Detection Patterns #
- Execution: Command and Scripting Interpreter (1 rule, Kusto Query Language)
Detection Rules #
Sigma #
Showing 20 of 162 rules.
- AADInternals PowerShell Cmdlets Execution - PsScript (high): Detects AADInternals Cmdlet execution, a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
- Access to Browser Login Data (medium): Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
- Potential Active Directory Enumeration Using AD Module - PsScript (medium): Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
- Powershell Add Name Resolution Policy Table Rule (high): Detects powershell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and use a specified server for answering the query.
- Add Windows Capability Via PowerShell Script (medium): Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
- PowerShell ADRecon Execution (high): Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
- AMSI Bypass Pattern Assembly GetType (high): Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
- Potential AMSI Bypass Script Using NULL Bits (medium): Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
- Silence.EDA Detection (critical): Detects Silence EmpireDNSAgent as described in the Group-IP report
- Get-ADUser Enumeration Using UserAccountControl Flags (medium): Detects AS-REP roasting, an attack that is often overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
- Potential Data Exfiltration Via Audio File (medium): Detects potential exfiltration attempt via audio file using PowerShell
- Automated Collection Command PowerShell (medium): Once established within a system or network, an adversary may use automated techniques for collecting internal data.
- Windows Screen Capture with CopyFromScreen (medium): Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
- Clear PowerShell History - PowerShell (medium): Detects keywords that could indicate clearing PowerShell history
- Clearing Windows Console History (high): Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
- Powershell Create Scheduled Task (medium): Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell (medium): Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
- Powershell Install a DLL in System Directory (high): Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
- Registry-Free Process Scope COR_PROFILER (medium): Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
- PowerShell Create Local User (medium): Detects creation of a local user via PowerShell
Elastic #
- Potential PowerShell Obfuscation via Invalid Escape Sequences (medium): Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore, or dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade pattern-based detection and AMSI.
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (high): Detects PowerShell scripts that use backtick-escaped characters inside `${}` variable expansion (multiple backticks between word characters) to reconstruct strings at runtime. Attackers use variable-expansion obfuscation to split keywords, hide commands, and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Character Array Reconstruction (high): Detects PowerShell scripts that reconstruct strings from char[] arrays, index lookups, or repeated ([char]NN)+ concatenation/join logic. Attackers use character-array reconstruction to hide commands, URLs, or payloads and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (high): Detects PowerShell scripts that build commands from concatenated string literals inside dynamic invocation constructs like &() or .(). Attackers use concatenated dynamic invocation to obscure execution intent, bypass keyword-based detections, and evade AMSI.
- Potential PowerShell Obfuscation via High Numeric Character Proportion (low): Detects long PowerShell script block content with unusually high numeric character density (high digit-to-length ratio), often produced by byte arrays, character-code reconstruction, or embedded encoded blobs. Attackers use numeric-heavy obfuscation to conceal payloads and rebuild them at runtime to avoid static inspection.
- Potential Dynamic IEX Reconstruction via Environment Variables (medium): Detects PowerShell scripts that reconstruct IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related `.name[...]` slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.
- Dynamic IEX Reconstruction via Method String Access (low): Detects PowerShell scripts that rebuild IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.
- PowerShell Obfuscation via Negative Index String Reversal (low): Detects PowerShell scripts that use negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Reverse Keywords (low): Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for example, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). Attackers reverse keywords and reconstruct them at runtime to hide intent and evade static detection and AMSI.
- Potential PowerShell Obfuscation via String Concatenation (high): Detects PowerShell scripts that repeatedly concatenate multiple quoted string literals with + to assemble commands or tokens at runtime. Attackers use string concatenation to fragment keywords or URLs and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via String Reordering (medium): Detects PowerShell scripts that use format placeholders like "{0}{1}" with the -f operator or ::Format to reorder strings at runtime. Attackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.
- Potential PowerShell Obfuscation via Special Character Overuse (medium): Detects PowerShell scripts dominated by whitespace and special characters with low symbol diversity, a profile often produced by formatting or encoding obfuscation. Attackers use symbol-heavy encoding or formatting (for example, SecureString-style blobs or character-level transforms) to hide payloads and evade static analysis and AMSI.
Splunk #
Showing 20 of 109 rules.
- AdsiSearcher Account Discovery: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
- Allow Inbound Traffic In Firewall Rule: The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.
- Delete ShadowCopy With PowerShell: The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like "ShadowCopy," "Delete," or "Remove" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.
- Detect Certify With PowerShell Script Block Logging: The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.
- Detect Copy of ShadowCopy with Script Block Logging: The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.
- Detect Empire with PowerShell Script Block Logging: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.
- Detect Mimikatz With PowerShell Script Block Logging: The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser: The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.
- Disabled Kerberos Pre-Authentication Discovery With PowerView: The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.
- Domain Group Discovery with Adsisearcher: The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
- Elevated Group Discovery with PowerView: The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.
- Exchange PowerShell Module Usage: The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block: The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.
- Get ADUser with PowerShell Script Block: The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.
- Get ADUserResultantPasswordPolicy with Powershell Script Block: The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.
- Get DomainPolicy with Powershell Script Block: The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.
- Get-DomainTrust with PowerShell Script Block: The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.
- Get DomainUser with PowerShell Script Block: The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.
- Get-ForestTrust with PowerShell Script Block: The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.
- Get WMIObject Group Discovery with Script Block Logging: The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4104-script-block-logging.md
Event ID 4105 — Started invocation of ScriptBlock ID: ScriptBlockId.
Description
Started invocation of ScriptBlock ID: ScriptBlockId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ScriptBlockId | UnicodeString | Started invocation of ScriptBlock ID. |
| RunspaceId | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 4105,
"version": 1,
"level": 5,
"task": 102,
"opcode": 15,
"keywords": 0,
"time_created": "2023-11-06T01:35:05.999333+00:00",
"event_record_id": 906,
"correlation": {
"ActivityID": "E4DB489E-1037-0000-CC79-E9E43710DA01"
},
"execution": {
"process_id": 15468,
"thread_id": 15184
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"ScriptBlockId": "4b7eebd5-d6e3-46f7-b795-a7d9736e5810",
"RunspaceId": "6fa4bb48-d600-4d4b-b445-e1fa0a41db53"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4106 — Completed invocation of ScriptBlock ID: ScriptBlockId.
Description
Completed invocation of ScriptBlock ID: ScriptBlockId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ScriptBlockId | UnicodeString | Completed invocation of ScriptBlock ID. |
| RunspaceId | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 4106,
"version": 1,
"level": 5,
"task": 103,
"opcode": 15,
"keywords": 0,
"time_created": "2023-11-06T01:35:05.993908+00:00",
"event_record_id": 905,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-FB44-ECE43710DA01"
},
"execution": {
"process_id": 15468,
"thread_id": 15184
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"ScriptBlockId": "6baf0dc7-a83f-43e1-bb6a-d7ab8d05eeb0",
"RunspaceId": "6fa4bb48-d600-4d4b-b445-e1fa0a41db53"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7937 — ContextInfo Context: Context User Data: User_Data.
Event ID 7938 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | — |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
| Context | | — |
| User_Data | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7938",
"version": "1",
"level": "4",
"task": "100",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:37.067269800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "12172"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ContextInfo": " Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.20348.558\n Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n Engine Version = 5.1.20348.558\n Runspace ID = 83d77211-d444-44c5-9530-51739db0c2f4\n Pipeline ID = \n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 14\n User = ludus\\domainadmin\n Connected User = \n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Engine state changed from None to Available.\n"
},
"message": ""
}
Event ID 7939 — Payload Context: ContextInfo User Data: UserData.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | — |
| UserData | UnicodeString | — |
| Payload | UnicodeString | — |
| Context | | — |
| User_Data | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7939",
"version": "1",
"level": "4",
"task": "104",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:36.400594000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "8064"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ContextInfo": " Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.20348.558\n Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n Engine Version = \n Runspace ID = \n Pipeline ID = \n Command Name = \n Command Type = \n Script Name = \n Command Path = \n Sequence Number = 2\n User = ludus\\domainadmin\n Connected User = \n Shell ID = Microsoft.PowerShell\n",
"UserData": "",
"Payload": "Provider Registry changed state to Started.\n"
},
"message": ""
}
Event ID 7940 — ContextInfo Context: Context User Data: User_Data.
Event ID 7941 — Correlating activity id's.
Event ID 7942 — Class Name = ClassName.
Description
Class Name = ClassName.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ClassName | UnicodeString | — |
| MethodName | UnicodeString | — |
| WorkflowGuid | UnicodeString | — |
| Message | UnicodeString | — |
| JobData | UnicodeString | — |
| ActivityName | UnicodeString | — |
| ActivityGuid | UnicodeString | — |
| Parameters | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"event_source_name": "",
"event_id": "7942",
"version": "1",
"level": "5",
"task": "0",
"opcode": "20",
"keywords": 0,
"time_created": "2026-03-15T04:33:36.215006100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
},
"execution": {
"process_id": "5820",
"thread_id": "12008"
},
"channel": "Microsoft-Windows-PowerShell/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ClassName": "RemoteSessionNamedPipeServer",
"MethodName": "StartListening",
"WorkflowGuid": "00000000-0000-0000-0000-000000000000",
"Message": "Listener thread started on Process 5820 in AppDomainName DefaultAppDomain.",
"JobData": "",
"ActivityName": "",
"ActivityGuid": "",
"Parameters": ""
},
"message": ""
}
Event ID 8193 — Creating Runspace object Instance Id.
Description
Creating Runspace object.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InstanceId | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8193,
"version": 1,
"level": 5,
"task": 1,
"opcode": 16,
"keywords": 0,
"time_created": "2022-04-07T17:06:32.284732+00:00",
"event_record_id": 9,
"correlation": {
"ActivityID": "C88130F4-85B6-4F22-BDD1-6F6F4B29582D"
},
"execution": {
"process_id": 5272,
"thread_id": 5572
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"param1": "c88130f4-85b6-4f22-bdd1-6f6f4b29582d"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8194 — Creating RunspacePool object.
Description
Creating RunspacePool object.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InstanceId | UnicodeString | — |
| MaxRunspaces | UnicodeString | — |
| MinRunspaces | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8194,
"version": 1,
"level": 5,
"task": 1,
"opcode": 16,
"keywords": 0,
"time_created": "2022-04-07T17:21:29.409715+00:00",
"event_record_id": 146,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"InstanceId": "1480b89f-e871-42e4-bfb4-c8f88b053137",
"MaxRunspaces": "2",
"MinRunspaces": "10"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8195 — Opening RunspacePool
Description
Opening RunspacePool.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8195,
"version": 1,
"level": 5,
"task": 1,
"opcode": 10,
"keywords": 0,
"time_created": "2022-04-07T17:21:29.483155+00:00",
"event_record_id": 147,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8196 — Modifying activity Id and correlating
Description
Modifying activity Id and correlating.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8196,
"version": 1,
"level": 4,
"task": 0,
"opcode": 20,
"keywords": 0,
"time_created": "2022-04-07T17:21:43.024925+00:00",
"event_record_id": 191,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 940
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8197 — Runspace state changed to param1.
Description
Runspace state changed to param1.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 8197,
"version": 1,
"level": 5,
"task": 1,
"opcode": 10,
"keywords": 0,
"time_created": "2026-03-13T19:06:18.830885+00:00",
"event_record_id": 451785,
"correlation": {
"ActivityID": "E345B8F4-8ABD-45C2-9C94-77A035AE705C"
},
"execution": {
"process_id": 8572,
"thread_id": 13812
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"param1": "Closing"
},
"message": ""
}
Event ID 8198 — Attempting session creation retry param1 for error code param2 on session Id param3.
Event ID 12033 — Port resolved to param1.
Event ID 12034 — AppName resolved to param1.
Event ID 12035 — ComputerName resolved to param1.
Event ID 12036 — Scheme is param1.
Event ID 12037 — Test analytic message
Description
Test analytic message.
Message #
Event ID 12038 — Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...
Description
Connection Paramters are.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Connection_URI | UnicodeString | — |
| Resource_URI | UnicodeString | — |
| User | UnicodeString | — |
| OpenTimeout | UnicodeString | — |
| IdleTimeout | UnicodeString | — |
| CancelTimeout | UnicodeString | — |
| AuthenticationMechanism | UInt32 | — |
| Thumb_Print | UnicodeString | — |
| MaxUriRedirectionCount | UnicodeString | — |
| MaxReceivedDataSizePerCommand | UnicodeString | — |
| MaxReceivedObjectSize | UnicodeString | — |
| uri | UnicodeString | — |
| shell | UnicodeString | — |
| userName | UnicodeString | — |
| opentimeout | UnicodeString | — |
| idletimeout | UnicodeString | — |
| canceltimeout | UnicodeString | — |
| auth | UInt32 | — |
| thumbPrint | UnicodeString | — |
| redircount | UnicodeString | — |
| recvdDataSize | UnicodeString | — |
| recvdObjSize | UnicodeString | — |
Event ID 12039 — Modifying activity Id and correlating
Description
Modifying activity Id and correlating.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 12039,
"version": 1,
"level": 4,
"task": 0,
"opcode": 20,
"keywords": 0,
"time_created": "2022-04-07T17:21:43.024926+00:00",
"event_record_id": 192,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 940
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16385 — AmsiUtil state.
Event ID 24577 — Windows PowerShell ISE has started to run script file FileName.
Event ID 24578 — Windows PowerShell ISE has started to run a user-selected script from file FileName.
Event ID 24579 — Windows PowerShell ISE is stopping the current command.
Description
Windows PowerShell ISE is stopping the current command.
Message #
Event ID 24580 — Windows PowerShell ISE is resuming the debugger.
Description
Windows PowerShell ISE is resuming the debugger.
Message #
Event ID 24581 — Windows PowerShell ISE is stopping the debugger.
Description
Windows PowerShell ISE is stopping the debugger.
Message #
Event ID 24582 — Windows PowerShell ISE is stepping into debugging.
Description
Windows PowerShell ISE is stepping into debugging.
Message #
Event ID 24583 — Windows PowerShell ISE is stepping over debugging.
Description
Windows PowerShell ISE is stepping over debugging.
Message #
Event ID 24584 — Windows PowerShell ISE is stepping out of debugging.
Description
Windows PowerShell ISE is stepping out of debugging.
Message #
Event ID 24592 — Windows PowerShell ISE is enabling all breakpoints.
Description
Windows PowerShell ISE is enabling all breakpoints.
Message #
Event ID 24593 — Windows PowerShell ISE is disabling all breakpoints.
Description
Windows PowerShell ISE is disabling all breakpoints.
Message #
Event ID 24594 — Windows PowerShell ISE is removing all breakpoints.
Description
Windows PowerShell ISE is removing all breakpoints.
Message #
Event ID 24595 — Windows PowerShell ISE is setting the breakpoint at line #: CurrentLine of file FileName.
Event ID 24596 — Windows PowerShell ISE is removing the breakpoint on line #: CurrentLine of file FileName.
Event ID 24597 — Windows PowerShell ISE is enabling the breakpoint on line #: CurrentLine of file FileName.
Event ID 24598 — Windows PowerShell ISE is disabling the breakpoint on line #: CurrentLine of file FileName.
Event ID 24599 — Windows PowerShell ISE has hit a breakpoint on line #: CurrentLine of file FileName.
Event ID 28673 — Successfully rehydrated an object.
Event ID 28674 — Failed to rehydrated an object.
Event ID 28675 — Serialization depth has been overriden.
Event ID 28676 — Serialization mode has been overriden.
Event ID 28677 — Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.
Description
Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Property_name | UnicodeString | — |
| Property_owners_type_name | UnicodeString | Property owner's type name. |
| Getter_script | UnicodeString | — |
| PropertyName | UnicodeString | — |
| PropertyOwnerType | UnicodeString | — |
| GetterScript | UnicodeString | — |
Event ID 28678 — Serialization of a property has been skipped, because property getter failed.
Event ID 28679 — Serialization of an enumerable object might not be complete, because object being enumerated threw an exception.
Event ID 28680 — Serialization called object's ToString method which failed.
Event ID 28682 — Maximum depth below top level has been reached, forcing object to be serialized as strings.
Description
Maximum depth below top level has been reached, forcing object to be serialized as strings.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Object_type_at_max_depth | UnicodeString | — |
| Property_name_at_max_depth | UnicodeString | — |
| Depth | Int32 | — |
| TypeOfObjectAtMaxDepth | UnicodeString | — |
| PropertyNameAtMaxDepth | UnicodeString | — |
Event ID 28683 — XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format).
Event ID 28684 — Serialization of specified properties failed, because one of the specified properties was missing.
Event ID 32769 — Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.
Description
Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Runspace_InstanceId | UnicodeString | — |
| PowerShell_InstanceId | UnicodeString | — |
| Destination | UInt32 | — |
| DataType | UInt32 | — |
| TargetInterface | UInt32 | — |
Event ID 32775 — An unhandled exception occurred in the appdomain.
Event ID 32776 — Runspace Id: SessionId Pipeline Id: PipelineId.
Event ID 32777 — An unhandled exception occurred in the appdomain.
Event ID 32784 — Runspace Id: SessionId Pipeline Id: PipelineId.
Description
Runspace Id: SessionId Pipeline Id: PipelineId. WSMan reported an error with error code: ErrorCode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SessionId | UnicodeString | — |
| PipelineId | UnicodeString | — |
| ErrorCode | UnicodeString | — |
| ErrorMessage | UnicodeString | — |
| StackTrace | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 32784,
"version": 1,
"level": 2,
"task": 0,
"opcode": 10,
"keywords": 0,
"time_created": "2026-03-13T19:48:48.051299+00:00",
"event_record_id": 692957,
"correlation": {
"ActivityID": "0DB6BBF5-303D-4E93-8DE3-887C047E8B68"
},
"execution": {
"process_id": 1512,
"thread_id": 1452
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"SessionId": "0db6bbf5-303d-4e93-8de3-887c047e8b68",
"PipelineId": "00000000-0000-0000-0000-000000000000",
"ErrorCode": "-2144108101",
"ErrorMessage": "Connecting to remote server 10.2.10.21 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.",
"StackTrace": ""
},
"message": ""
}
Event ID 32785 — Runspace Id param1.
Event ID 32786 — Runspace Id param1.
Event ID 32787 — Runspace Id: RunspaceId.
Event ID 32788 — Runspace Id: RunspaceId.
Event ID 32789 — Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
Event ID 32790 — Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
Event ID 32791 — Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
Event ID 32792 — Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
Event ID 32793 — Runspace Id SessionId Pipeline Id PipelineId.
Event ID 32800 — Runspace Id SessionId Pipeline Id PipelineId.
Event ID 32801 — Runspace Id: Runspace_Id Pipeline Id SessionId.
Event ID 32802 — Runspace Id: Runspace_Id Pipeline Id SessionId.
Event ID 32803 — Runspace Id: Runspace_Id Pipeline Id SessionId.
Event ID 32804 — Runspace Id: Runspace_Id Pipeline Id SessionId.
Event ID 32805 — Runspace Id: SessionId.
Event ID 32849 — Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.
Description
Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Server is sending data of size TargetInterface to client. DataType: Runspace_InstanceId TargetInterface: PowerShell_InstanceId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Runspace_Id | | — |
| Pipeline_Id | | — |
| TargetInterface | UInt32 | 3 to client. DataType. |
| Runspace_InstanceId | UnicodeString | — |
| PowerShell_InstanceId | UnicodeString | — |
| DataSize | UnicodeString | — |
| DataType | UInt32 | — |
Event ID 32850 — Request param1.
Event ID 32851 — Reporting context for request: ReportingContextForRequest Context Reported: ReportingContextForRequest.
Event ID 32852 — Reporting operation complete for request: ReportingOperationCompleteForRequest.
Event ID 32853 — Shell Context param1.
Event ID 32854 — Shell Context param1 Command Context param2 Request Id param3.
Event ID 32855 — Shell Context param1 Command Context param2 Request Id param3.
Event ID 32856 — Shell Context param1 Command Context param2 Request Id param3.
Event ID 32857 — Shell Context param1 Command Context param2 IsReceiveOperation param3.
Event ID 32865 — Loading assembly param1 for custom shell with shell Id param2.
Event ID 32866 — Loading type param1 for custom shell with shell Id param2.
Event ID 32867 — Received remoting fragment.
Event ID 32868 — Sent remoting fragment.
Event ID 32869 — Shutting down winrm service.
Description
Shutting down winrm service.
Message #
Event ID 40961 — PowerShell console is starting up
Description
PowerShell console is starting up.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 40961,
"version": 1,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": 0,
"time_created": "2023-11-06T01:18:27.730646+00:00",
"event_record_id": 772,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-CA26-E6E43710DA01"
},
"execution": {
"process_id": 12192,
"thread_id": 16872
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 40962 — PowerShell console is ready for user input
Description
PowerShell console is ready for user input.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 40962,
"version": 1,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": 0,
"time_created": "2023-11-06T01:18:31.505927+00:00",
"event_record_id": 788,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-CA26-E6E43710DA01"
},
"execution": {
"process_id": 12192,
"thread_id": 16872
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 45057 — Tracing ErrorRecord.
Description
Tracing ErrorRecord.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Message | UnicodeString | [Tracing ErrorRecord] Message. |
| CategoryInfoCategory | | [Tracing ErrorRecord] CategoryInfo.Category. |
| CategoryInfoReason | | [Tracing ErrorRecord] CategoryInfo.Reason. |
| CategoryInfoTargetName | | [Tracing ErrorRecord] CategoryInfo.TargetName. |
| FullyQualifiedErrorId | UnicodeString | [Tracing ErrorRecord] FullyQualifiedErrorId. |
| Message | UnicodeString | [Exception Details] Message. |
| Stack_Trace | | [Exception Details] Stack Trace. |
| Category | UnicodeString | — |
| Reason | UnicodeString | — |
| TargetName | UnicodeString | — |
| ExceptionMessage | UnicodeString | — |
| ExceptionStackTrace | UnicodeString | — |
| ExceptionInnerException | UnicodeString | — |
Event ID 45058 — Exception: Message: Message StackTrace: StackTrace InnerException : InnerException.
Event ID 45059 — Tracing PSObject
Description
Tracing PSObject.
Message #
Event ID 45060 — Tracing Job: Id: Id InstanceId: InstanceId Name: Name Location: Location State: State Command: Command.
Description
Tracing Job.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Id | UnicodeString | [Tracing Job] Id. |
| InstanceId | UnicodeString | [Tracing Job] InstanceId. |
| Name | UnicodeString | [Tracing Job] Name. |
| Location | UnicodeString | [Tracing Job] Location. |
| State | UnicodeString | [Tracing Job] State. |
| Command | UnicodeString | [Tracing Job] Command. |
Event ID 45061 — Trace Information.
Event ID 45062 — Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...
Description
Connection Paramters are.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Connection_URI | UnicodeString | — |
| Resource_URI | UnicodeString | — |
| User | UnicodeString | — |
| OpenTimeout | UnicodeString | — |
| IdleTimeout | UnicodeString | — |
| CancelTimeout | UnicodeString | — |
| AuthenticationMechanism | UInt32 | — |
| Thumb_Print | UnicodeString | — |
| MaxUriRedirectionCount | UnicodeString | — |
| MaxReceivedDataSizePerCommand | UnicodeString | — |
| MaxReceivedObjectSize | UnicodeString | — |
| uri | UnicodeString | — |
| shell | UnicodeString | — |
| userName | UnicodeString | — |
| opentimeout | UnicodeString | — |
| idletimeout | UnicodeString | — |
| canceltimeout | UnicodeString | — |
| auth | UInt32 | — |
| thumbPrint | UnicodeString | — |
| redircount | UnicodeString | — |
| recvdDataSize | UnicodeString | — |
| recvdObjSize | UnicodeString | — |
Event ID 45063 — Workflow plugin loaded.
Description
Workflow plugin loaded.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EndpointName | UnicodeString | — |
| User | UnicodeString | — |
| HostingMode | UnicodeString | — |
| Protocol | UnicodeString | — |
| Configuration | UnicodeString | — |
| endpointName | UnicodeString | — |
| user | UnicodeString | — |
| hostingMode | UnicodeString | — |
| protocol | UnicodeString | — |
| configuration | UnicodeString | — |
Event ID 45064 — Workflow execution started.
Event ID 45065 — Workflow state changed.
Event ID 45072 — Workflow plugin has been requested for a shutdown.
Event ID 45073 — Workflow plugin restarted.
Event ID 45074 — Workflow is resuming.
Event ID 45075 — A quota limit that was set for the endpoint was exceeded.
Description
A quota limit that was set for the endpoint was exceeded.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EndpointName | UnicodeString | — |
| ConfigName | UnicodeString | — |
| AllowedValue | UnicodeString | — |
| ValueInQuestion | UnicodeString | — |
| endpointName | UnicodeString | — |
| configName | UnicodeString | — |
| allowedValue | UnicodeString | — |
| valueInQuestion | UnicodeString | — |
Event ID 45076 — Workflow has resumed.
Event ID 45078 — Workflow runspace pool was created.
Event ID 45079 — Activity was queued for execution.
Event ID 45080 — Activity execution started.
Event ID 45081 — Workflow is being imported from a XAML file.
Event ID 45082 — Workflow has been imported from a XAML file.
Event ID 45083 — Workflow could not be imported from a XAML file because of an error.
Event ID 45084 — Workflow validation started.
Event ID 45085 — Workflow validation succeeded.
Event ID 45086 — Workflow validation failed with error.
Event ID 45087 — Workflow activity validated.
Event ID 45088 — Workflow activity could not be validated.
Event ID 45089 — Activity execution failed.
Event ID 45090 — Runspace availability changed.
Event ID 45091 — Runspace state changed.
Event ID 45092 — Workflow loaded for execution.
Event ID 45093 — Workflow unloaded.
Event ID 45094 — Workflow execution cancelled.
Event ID 45095 — Workflow execution aborted.
Event ID 45096 — Workflow cleanup operation executed.
Event ID 45097 — Persisted workflow loaded from disk.
Event ID 45098 — Workflow data was deleted from disk.
Event ID 45100 — Starting remove job.
Event ID 45101 — Job state changed.
Event ID 45102 — Job error.
Event ID 45104 — Job created for workflow (child job).
Event ID 45105 — Parent job created for workflow.
Event ID 45106 — All required jobs were created for workflow execution.
Event ID 45107 — Child job removed for workflow.
Event ID 45108 — An error occurred while removing job.
Event ID 45109 — Loading workflow for execution.
Event ID 45110 — Workflow execution finished.
Event ID 45111 — Cancelling workflow execution.
Event ID 45112 — Aborting workflow execution.
Event ID 45113 — Unloading workflow.
Event ID 45114 — Forced workflow shutdown started.
Event ID 45115 — Forced workflow shutdown finished.
Event ID 45116 — An error occurred while forcefully shutting down a workflow.
Event ID 45117 — Persisting workflow to disk.
Event ID 45118 — Workflow persisted to disk.
Event ID 45119 — Activity execution finished.
Event ID 45120 — Workflow execution error.
Event ID 45121 — A new PowerShell endpoint was registered.
Event ID 45122 — Endpoint configuration modified.
Event ID 45123 — Endpoint configuration unregistered.
Event ID 45124 — Endpoint configuration disabled.
Event ID 45125 — Endpoint configuration enabled.
Event ID 45126 — Out of process runspace started.
Event ID 45127 — Parameter splatting was performed during workflow execution.
Event ID 45128 — Workflow engine started.
Event ID 45129 — Workflow manager instantiated with CheckpointPath: CheckpointPath ConfigProviderId: ConfigProviderId UserName: UserName Path: Path.
Event ID 46337 — BEGIN ImportWorkflowCommand::StartWorkflowApplication.
Event ID 46338 — END ImportWorkflowCommand::StartWorkflowApplication.
Event ID 46339 — BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
Event ID 46340 — END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
Event ID 46341 — END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.
Event ID 46342 — BEGIN JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.
Event ID 46343 — END JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.
Event ID 46344 — BEGIN WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.
Event ID 46345 — END WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.
Event ID 46346 — WorkflowJob with Guid WorkflowJobInstanceId added to ContainerParentJob with Guid ContainerParentJobInstanceId.
Event ID 46347 — ProxyJob with Guid ProxyJobInstanceId associated with remote ContainerParentJob with Guid ContainerParentJobInstanceId.
Event ID 46348 — BEGIN Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.
Event ID 46349 — END Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.
Event ID 46350 — BEGIN Execution of Proxy Job with Guid ProxyJobInstanceId.
Event ID 46351 — END Execution of Proxy Job with Guid ProxyJobInstanceId.
Event ID 46352 — BEGIN StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.
Event ID 46353 — END StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.
Event ID 46354 — BEGIN StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.
Event ID 46355 — END StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.
Event ID 46356 — BEGIN Running garbage collection
Description
BEGIN Running garbage collection.
Message #
Event ID 46357 — END Running garbage collection
Description
END Running garbage collection.
Message #
Event ID 46358 — Persistence store has reached its maximum specified size
Description
Persistence store has reached its maximum specified size.
Message #
Event ID 49153 — Trace Information.
Event ID 53249 — Scheduled Job ScheduledJobDefName started at StartTime.
Event ID 53250 — Scheduled Job ScheduledJobDefName completed at StopTime with state State.
Event ID 53251 — Scheduled Job Exception Message.
Event ID 53504 — Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.
Description
Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.
Message #
Fields #
| Name | Description |
|---|---|
| param1 (UnicodeString) | Windows PowerShell has started an IPC listening thread on process. |
| param2 (UnicodeString) | in AppDomain. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 53504,
"version": 1,
"level": 4,
"task": 111,
"opcode": 10,
"keywords": 0,
"time_created": "2023-11-06T01:18:29.006927+00:00",
"event_record_id": 774,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-CA26-E6E43710DA01"
},
"execution": {
"process_id": 12192,
"thread_id": 10468
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"param1": "12192",
"param2": "DefaultAppDomain"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline