PowerShell
5 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 300 | Windows PowerShell | |
| 400 | Windows PowerShell | |
| 403 | Windows PowerShell | |
| 600 | Windows PowerShell | |
| 800 | Windows PowerShell |
Event ID 300 —
#Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 3,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-10-25T21:34:05.614206+00:00",
"event_record_id": 24,
"correlation": {},
"execution": {
"process_id": 1796,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Could not find the drive 'a:\\'. The drive might not be ready or might not be mapped.",
"Data_1": "\tProviderName=Microsoft.PowerShell.Core\\FileSystem\r\n\tExceptionClass=DriveNotFoundException\r\n\tErrorCategory=\r\n\tErrorId=\r\n\tErrorMessage=Could not find the drive 'a:\\'. The drive might not be ready or might not be mapped.\r\n\r\n\tSeverity=Warning\r\n\r\n\tSequenceNumber=15\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=d4db7522-7ab1-46f8-add0-ee6f22c6c812\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass a:\\FixPublicNetworkType.ps1\r\n\tEngineVersion=5.1.22621.2428\r\n\tRunspaceId=c5b2be04-de37-4a47-bfdd-d75d2d714efd\r\n\tPipelineId=1\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 400 —
#Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Data_2 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T01:18:31.405203+00:00",
"event_record_id": 365,
"correlation": {},
"execution": {
"process_id": 12192,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Available",
"Data_1": "None",
"Data_2": "\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=4913f17e-97b6-4a6b-87a8-c754ea3b2fc8\r\n\tHostApplication=powershell.exe -NoProfile -Command & {if($PSVersionTable.PSVersion.Major -ge 3){Import-Module 'C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\\\Microsoft.VisualStudio.DevShell.dll'; Send-VsDevShellTelemetry -NewInstanceType Cmd; }}\r\n\tEngineVersion=5.1.22621.2428\r\n\tRunspaceId=fb50de9f-94e8-415e-a531-420630257558\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
"Binary": ""
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Nslookup PowerShell Download Cradle source medium: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
- Delete Volume Shadow Copies Via WMI With PowerShell source high: Shadow Copies deletion using operating systems utilities via PowerShell
- PowerShell Downgrade Attack - PowerShell source medium: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Show 6 more (9 total)
- PowerShell Called from an Executable Version Mismatch source high: Detects PowerShell called from an executable by the version mismatch method
- Netcat The Powershell Version source medium: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
- Remote PowerShell Session (PS Classic) source low: Detects remote PowerShell sessions
- Renamed Powershell Under Powershell Channel source low: Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
- Suspicious PowerShell Download source medium: Detects suspicious PowerShell download command
- Use Get-NetTCPConnection source low: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 403 —
#Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Data_2 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 403,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T01:18:33.203476+00:00",
"event_record_id": 371,
"correlation": {},
"execution": {
"process_id": 12192,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Stopped",
"Data_1": "Available",
"Data_2": "\tNewEngineState=Stopped\r\n\tPreviousEngineState=Available\r\n\r\n\tSequenceNumber=21\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=4913f17e-97b6-4a6b-87a8-c754ea3b2fc8\r\n\tHostApplication=powershell.exe -NoProfile -Command & {if($PSVersionTable.PSVersion.Major -ge 3){Import-Module 'C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\\\Microsoft.VisualStudio.DevShell.dll'; Send-VsDevShellTelemetry -NewInstanceType Cmd; }}\r\n\tEngineVersion=5.1.22621.2428\r\n\tRunspaceId=fb50de9f-94e8-415e-a531-420630257558\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
"Binary": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 600 —
#Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Data_2 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 600,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T01:18:30.049125+00:00",
"event_record_id": 363,
"correlation": {},
"execution": {
"process_id": 12192,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Variable",
"Data_1": "Started",
"Data_2": "\tProviderName=Variable\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=11\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=4913f17e-97b6-4a6b-87a8-c754ea3b2fc8\r\n\tHostApplication=powershell.exe -NoProfile -Command & {if($PSVersionTable.PSVersion.Major -ge 3){Import-Module 'C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\\\Microsoft.VisualStudio.DevShell.dll'; Send-VsDevShellTelemetry -NewInstanceType Cmd; }}\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
"Binary": ""
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Tamper Windows Defender - PSClassic source high: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 800 —
#Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Data_2 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T01:35:06.006085+00:00",
"event_record_id": 390,
"correlation": {},
"execution": {
"process_id": 15468,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": " Microsoft.PowerShell.Core\\Set-StrictMode -Off\r\n",
"Data_1": "\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=57\r\n\r\n\tUserId=WINDEV2310EVAL\\User\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=9500ad9e-7709-413f-b91b-8945cbb52940\r\n\tHostApplication=powershell.exe -NoExit -Command &{Import-Module \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Microsoft.VisualStudio.DevShell.dll\"; Enter-VsDevShell d5dcd421 -SkipAutomaticLocation -DevCmdArguments \"-arch=x64 -host_arch=x64\"}\r\n\tEngineVersion=5.1.22621.2428\r\n\tRunspaceId=6fa4bb48-d600-4d4b-b445-e1fa0a41db53\r\n\tPipelineId=23\r\n\tScriptName=C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.0.0\\PSReadLine.psm1\r\n\tCommandLine= Microsoft.PowerShell.Core\\Set-StrictMode -Off\r\n",
"Data_2": "CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\r\nParameterBinding(Set-StrictMode): name=\"Off\"; value=\"True\"\r\n",
"Binary": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline