Event ID 4103: PowerShell module logging (Microsoft-Windows-PowerShell/Operational)
Message #
Payload
Context: ContextInfo
User Data: UserData
Fields #
| Name | Type | Description |
|---|---|---|
| ContextInfo | UnicodeString | Context: one "Key = Value" line per item (Severity, Host Name, Host Application, Engine Version, Runspace ID, Pipeline ID, Command Name, Command Type, Script Name, Command Path, Sequence Number, User, Connected User, Shell ID) |
| UserData | UnicodeString | — |
| Payload | UnicodeString | CommandInvocation and ParameterBinding records for the pipeline element that was executed (see the example event) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-PowerShell",
"guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
"event_source_name": "",
"event_id": 4103,
"version": 1,
"level": 4,
"task": 106,
"opcode": 20,
"keywords": 0,
"time_created": "2023-11-06T01:35:06.007359+00:00",
"event_record_id": 907,
"correlation": {
"ActivityID": "E4DB489E-1037-0000-CD79-E9E43710DA01"
},
"execution": {
"process_id": 15468,
"thread_id": 15184
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.22621.2428\r\n Host ID = 9500ad9e-7709-413f-b91b-8945cbb52940\r\n Host Application = powershell.exe -NoExit -Command &{Import-Module \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Microsoft.VisualStudio.DevShell.dll\"; Enter-VsDevShell d5dcd421 -SkipAutomaticLocation -DevCmdArguments \"-arch=x64 -host_arch=x64\"}\r\n Engine Version = 5.1.22621.2428\r\n Runspace ID = 6fa4bb48-d600-4d4b-b445-e1fa0a41db53\r\n Pipeline ID = 23\r\n Command Name = Set-StrictMode\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.0.0\\PSReadLine.psm1\r\n Command Path = \r\n Sequence Number = 58\r\n User = WINDEV2310EVAL\\User\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n",
"UserData": "",
"Payload": "CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\r\nParameterBinding(Set-StrictMode): name=\"Off\"; value=\"True\"\r\n"
},
"message": ""
}
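ContextInfo is a block of "Key = Value" lines and Payload is a list of CommandInvocation/ParameterBinding records; a collector has to split both before any rule can key on Host Application, Script Name or a bound parameter value. As an added example, not part of the original page and not Microsoft's or any SIEM vendor's code, the following Python parses both fields of the event above and adds a simplified "alternate host" check. The KNOWN_HOST_BINARIES list and the check's logic are assumptions for illustration and do not reproduce the published Sigma rule's filter list.

```python
import re

# Sample input: the ContextInfo and Payload strings from the example event on this page,
# embedded here as test data (CRLF line endings exactly as the event records them).
CONTEXT_INFO = (
    " Severity = Informational\r\n"
    " Host Name = ConsoleHost\r\n"
    " Host Version = 5.1.22621.2428\r\n"
    " Host ID = 9500ad9e-7709-413f-b91b-8945cbb52940\r\n"
    ' Host Application = powershell.exe -NoExit -Command &{Import-Module "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Microsoft.VisualStudio.DevShell.dll"; Enter-VsDevShell d5dcd421 -SkipAutomaticLocation -DevCmdArguments "-arch=x64 -host_arch=x64"}\r\n'
    " Engine Version = 5.1.22621.2428\r\n"
    " Runspace ID = 6fa4bb48-d600-4d4b-b445-e1fa0a41db53\r\n"
    " Pipeline ID = 23\r\n"
    " Command Name = Set-StrictMode\r\n"
    " Command Type = Cmdlet\r\n"
    " Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.0.0\\PSReadLine.psm1\r\n"
    " Command Path = \r\n"
    " Sequence Number = 58\r\n"
    " User = WINDEV2310EVAL\\User\r\n"
    " Connected User = \r\n"
    " Shell ID = Microsoft.PowerShell\r\n"
)
PAYLOAD = (
    'CommandInvocation(Set-StrictMode): "Set-StrictMode"\r\n'
    'ParameterBinding(Set-StrictMode): name="Off"; value="True"\r\n'
)

# Assumed list of stock PowerShell host binaries; anything else hosting the engine is worth a look.
KNOWN_HOST_BINARIES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")

_INVOCATION = re.compile(r'^CommandInvocation\((?P<command>[^)]*)\): "(?P<text>.*)"$')
_BINDING = re.compile(
    r'^ParameterBinding\((?P<command>[^)]*)\): name="(?P<name>[^"]*)"; value="(?P<value>.*)"$'
)


def parse_context_info(text: str) -> dict:
    """Turn the 'Key = Value' lines of ContextInfo into a dict.

    Only the first ' = ' separates key from value, so values that contain '='
    themselves (e.g. -arch=x64 inside Host Application) stay intact; keys with
    nothing after the '=' (Command Path, Connected User) become ''.
    """
    ctx = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue  # blank line or not a key/value line
        ctx[key.strip()] = value.strip()
    return ctx


def parse_payload(text: str) -> dict:
    """Split Payload into invoked commands and their bound parameters.

    Lines matching neither pattern are kept verbatim under 'other' so that
    nothing the event recorded is silently dropped.
    """
    out = {"commands": [], "parameters": [], "other": []}
    for line in text.splitlines():
        if not line:
            continue
        m = _INVOCATION.match(line)
        if m:
            out["commands"].append(m.group("command"))
            continue
        m = _BINDING.match(line)
        if m:
            out["parameters"].append(
                {"command": m.group("command"), "name": m.group("name"), "value": m.group("value")}
            )
            continue
        out["other"].append(line)
    return out


def is_alternate_host(ctx: dict) -> bool:
    """Simplified check in the spirit of the 'Alternate PowerShell Hosts' idea:
    flag an event whose Host Application names none of the stock binaries.
    Assumed logic for illustration; the published Sigma rule's filters differ."""
    host_app = ctx.get("Host Application", "").lower()
    return not any(binary in host_app for binary in KNOWN_HOST_BINARIES)


def summarize(context_info: str, payload: str) -> dict:
    """Combine both fields into the flat record a detection pipeline would index."""
    ctx = parse_context_info(context_info)
    pl = parse_payload(payload)
    return {
        "user": ctx.get("User"),
        "host_name": ctx.get("Host Name"),
        "host_application": ctx.get("Host Application"),
        "script_name": ctx.get("Script Name"),
        "commands": pl["commands"],
        "parameters": pl["parameters"],
        "alternate_host": is_alternate_host(ctx),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(CONTEXT_INFO, PAYLOAD), indent=2))
```

Splitting on the first " = " rather than on every "=" matters: Host Application routinely carries whole command lines, which is also why the Script Name and Host Application values, not Command Name alone, are what the obfuscation and hacktool rules below tend to match on.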
Detection Rules #
Sigma #
- Potential Active Directory Enumeration Using AD Module - PsModule source medium: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.
- Alternate PowerShell Hosts - PowerShell Module source medium: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
- Bad Opsec Powershell Code Artifacts source critical: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
- Clear PowerShell History - PowerShell Module source medium: Detects keywords that could indicate clearing PowerShell history
- PowerShell Decompress Commands source informational: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
- Malicious PowerShell Scripts - PoshModule source high: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
- Suspicious Get-ADDBAccount Usage source high: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
- PowerShell Get Clipboard source medium: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
- HackTool - Evil-WinRm Execution - PowerShell Module source high: Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module source high: Detects Obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module source high: Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block cited in the rule's references
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module source high: Detects Obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module source high: Detects Obfuscated use of Environment Variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - PowerShell Module source high: Detects Obfuscated Powershell via Stdin in Scripts
- Invoke-Obfuscation Via Use Clip - PowerShell Module source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module source high: Detects Obfuscated Powershell via use MSHTA in Scripts
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline