PowerShell
5 events across 1 channel
| Event | Title | Channel |
|---|---|---|
| 300 | Provider Health (a provider such as FileSystem reported an error) | Windows PowerShell |
| 400 | Engine Lifecycle: engine state changed to Available (engine started) | Windows PowerShell |
| 403 | Engine Lifecycle: engine state changed to Stopped (engine stopped) | Windows PowerShell |
| 600 | Provider Lifecycle: a provider was started | Windows PowerShell |
| 800 | Pipeline Execution Details (command line plus parameter bindings) | Windows PowerShell |
Event ID 300:
Fields #
| Name | Description |
|---|---|
| Data_0 | The provider error message (the text after "Provider Health:" in the rendered message). |
| Data_1 | Tab-indented Details block: ProviderName, ExceptionClass, ErrorCategory, ErrorId, ErrorMessage, Severity, SequenceNumber, followed by the host and engine context (HostName, HostVersion, HostId, HostApplication, EngineVersion, RunspaceId, PipelineId, CommandName, CommandType, ScriptName, CommandPath, CommandLine). |
| Binary | Not populated in the example below. |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 3,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:36:40.9532632+00:00",
"event_record_id": 248590,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.",
"Data_1": "\tProviderName=Microsoft.PowerShell.Core\\FileSystem\n\tExceptionClass=DriveNotFoundException\n\tErrorCategory=\n\tErrorId=\n\tErrorMessage=Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\n\n\tSeverity=Warning\n\n\tSequenceNumber=82233\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=e8ecf392-16f7-461a-9e04-2cf3b693e616\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=7d22a55e-f35a-436b-aadc-c65ab73a8891\n\tPipelineId=4684\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Provider Health: Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.. \r\n\r\nDetails: \r\n\tProviderName=Microsoft.PowerShell.Core\\FileSystem\r\n\tExceptionClass=DriveNotFoundException\r\n\tErrorCategory=\r\n\tErrorId=\r\n\tErrorMessage=Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\r\n\r\n\tSeverity=Warning\r\n\r\n\tSequenceNumber=82233\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=e8ecf392-16f7-461a-9e04-2cf3b693e616\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=7d22a55e-f35a-436b-aadc-c65ab73a8891\r\n\tPipelineId=4684\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Event ID 400:
Fields #
| Name | Description |
|---|---|
| Data_0 | NewEngineState (Available in the example below). |
| Data_1 | PreviousEngineState (None in the example below). |
| Data_2 | Tab-indented Details block: NewEngineState, PreviousEngineState, SequenceNumber, then the host and engine context (HostName, HostVersion, HostId, HostApplication, EngineVersion, RunspaceId, PipelineId, CommandName, CommandType, ScriptName, CommandPath, CommandLine). The HostName, HostVersion, HostApplication and EngineVersion keys in this block are what the downgrade, renamed-host and uncommon-host rules listed below match on; note that the system.security.user_id of the record is empty, so the block is the only context the event carries. |
| Binary | Not populated in the example below. |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:08:49.4449408+00:00",
"event_record_id": 135234,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Available",
"Data_1": "None",
"Data_2": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Engine state is changed from None to Available. \r\n\r\nDetails: \r\n\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. Values are lower-cased because the rules match case-insensitively against the Details block in Data_2.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Data | contains | engineversion=2. | 2 rules | sigma |
| Data | contains | hostapplication=powershell | 2 rules | sigma |
| Data | contains | hostname=consolehost | 2 rules | sigma |
Detection Rules #
Sigma #
- Nslookup PowerShell Download Cradle (level: medium): Detects a PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
- Delete Volume Shadow Copies Via WMI With PowerShell (level: high): Shadow copy deletion using operating system utilities via PowerShell.
- PowerShell Downgrade Attack - PowerShell (level: medium): Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0).
- PowerShell Download Via Net.WebClient - PowerShell Classic (level: low): Detects PowerShell download activity via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class. This technique is often abused by attackers to download additional payloads.
- PowerShell Called from an Executable Version Mismatch (level: high): Detects PowerShell called from an executable by the version mismatch method.
- Netcat The Powershell Version (level: medium): Adversaries may use a non-application-layer protocol for communication between host and C2 server or among infected hosts within a network.
- Remote PowerShell Session (PS Classic) (level: low): Detects remote PowerShell sessions.
- Renamed Powershell Under Powershell Channel (level: low): Detects a renamed PowerShell execution, a common technique used to circumvent security controls and bypass detection logic that depends on process names and process paths.
- Use Get-NetTCPConnection (level: low): Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing, or from remote systems, by querying for information over the network.
- Uncommon PowerShell Hosts (level: medium): Detects alternate PowerShell hosts potentially bypassing detections that look for powershell.exe.
- bXOR Operator Usage In PowerShell Command Line - PowerShell Classic (level: low): Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64-encoded commands. Investigate the CommandLine and process tree to determine whether the activity is malicious.
Event ID 403:
Fields #
| Name | Description |
|---|---|
| Data_0 | NewEngineState (Stopped in the example below). |
| Data_1 | PreviousEngineState (Available in the example below). |
| Data_2 | Tab-indented Details block with the same keys as Event ID 400: NewEngineState, PreviousEngineState, SequenceNumber, then HostName, HostVersion, HostId, HostApplication, EngineVersion, RunspaceId, PipelineId, CommandName, CommandType, ScriptName, CommandPath, CommandLine. |
| Binary | Not populated in the example below. |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 403,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T13:49:48.1625912+00:00",
"event_record_id": 135113,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Stopped",
"Data_1": "Available",
"Data_2": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=0b367628-0beb-4200-bd3b-d971f76266ad\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=80e8efda-cc77-49f0-ba78-d2a73183482b\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Engine state is changed from Available to Stopped. \r\n\r\nDetails: \r\n\tNewEngineState=Stopped\r\n\tPreviousEngineState=Available\r\n\r\n\tSequenceNumber=37\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=0b367628-0beb-4200-bd3b-d971f76266ad\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=80e8efda-cc77-49f0-ba78-d2a73183482b\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Event ID 600:
Fields #
| Name | Description |
|---|---|
| Data_0 | ProviderName (Variable in the example below). |
| Data_1 | NewProviderState (Started in the example below). |
| Data_2 | Tab-indented Details block: ProviderName, NewProviderState, SequenceNumber, then the host context (HostName, HostVersion, HostId, HostApplication) and the engine keys (EngineVersion, RunspaceId, PipelineId, CommandName, CommandType, ScriptName, CommandPath, CommandLine). EngineVersion and RunspaceId are empty in the example below. |
| Binary | Not populated in the example below. |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 600,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:08:49.4449408+00:00",
"event_record_id": 135233,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Variable",
"Data_1": "Started",
"Data_2": "\tProviderName=Variable\n\tNewProviderState=Started\n\n\tSequenceNumber=11\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Provider \"Variable\" is Started. \r\n\r\nDetails: \r\n\tProviderName=Variable\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=11\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Detection Rules #
Sigma #
- Tamper Windows Defender - PSClassic (level: high): Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Event ID 800:
Fields #
| Name | Description |
|---|---|
| Data_0 | The command line of the pipeline being reported (one script statement, `return ($recs | ConvertTo-Json -Depth 14 -Compress)`, in the example below). |
| Data_1 | Tab-indented Context Information block: DetailSequence and DetailTotal (part number and count when the details span several 800 events), SequenceNumber, UserId, HostName, HostVersion, HostId, HostApplication, EngineVersion, RunspaceId, PipelineId, ScriptName, CommandLine. UserId appears here (cell-c\domainadmin in the example) while system.security.user_id is empty and the 400/403/600 examples carry no user at all, so this block is where attribution for classic-channel events has to be parsed from. |
| Data_2 | Details: a CommandInvocation line followed by one ParameterBinding line per bound parameter, with the values as bound after variable expansion (in the example `$recs` appears as a series of System.Collections.Specialized.OrderedDictionary objects rather than as the variable name). |
| Binary | Not populated in the example below. |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:11:01.1637860+00:00",
"event_record_id": 135268,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": " return ($recs | ConvertTo-Json -Depth 14 -Compress)\n",
"Data_1": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=39\n\n\tUserId=cell-c\\domainadmin\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\n\tPipelineId=8\n\tScriptName=\n\tCommandLine= return ($recs | ConvertTo-Json -Depth 14 -Compress)\n",
"Data_2": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\n"
},
"message": "Pipeline execution details for command line: return ($recs | ConvertTo-Json -Depth 14 -Compress)\n. \r\n\r\nContext Information: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=39\r\n\r\n\tUserId=cell-c\\domainadmin\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\r\n\tPipelineId=8\r\n\tScriptName=\r\n\tCommandLine= return ($recs | ConvertTo-Json -Depth 14 -Compress)\n \r\n\r\nDetails: \r\nCommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\r\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\r\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\n"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. Values are lower-cased because the rules match case-insensitively; for this channel the substrings are matched against the command line in Data_0 and the CommandLine key of the Data_1 context block.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventData | contains | -itemproperty | 5 rules | sigma |
| Payload | contains | -itemproperty | 5 rules | sigma |
| ScriptBlockText | contains | -itemproperty | 5 rules | sigma |
| EventData | contains | set-mppreference | 3 rules | sigma |
| ScriptBlockText | contains | name | 3 rules | sigma |
| EventData | contains | .dll | 3 rules | sigma |
| EventData | contains | name | 3 rules | sigma |
| Payload | contains | .dll | 3 rules | sigma |
| Payload | contains | name | 3 rules | sigma |
| ScriptBlockText | contains | .dll | 3 rules | sigma |
| EventData | contains | add-mppreference | 2 rules | sigma |
| ScriptBlockText | contains | set-mppreference | 2 rules | sigma |
| EventData | contains | \system\currentcontrolset\services\ | 2 rules | sigma |
| EventData | contains | ftp:// | 2 rules | sigma |
| EventData | contains | http:// | 2 rules | sigma |
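Worked example #
The Python below is an added example written for this page; it is not code from the page's source or from the Sigma rules listed above. It parses the tab-indented Details / Context Information block that the classic-channel events carry in Data_1 or Data_2 (the key=value lines visible in every example above, with a multi-line CommandLine handled), extracts the ParameterBinding values from an Event ID 800 Data_2, and runs simplified versions of the checks the listed rules and indicator tables describe: the v2 engine downgrade (EngineVersion=2. without HostVersion=2.), a remote session (HostName=ServerRemoteHost hosted by wsmprovhost.exe), a renamed host binary, and the Set-MpPreference / -ItemProperty / URL substrings from the Event ID 800 table. The rule predicates, the tag names and the PS_HOST_EXES list are this example's own approximations, not the rules' exact logic. The sample events are constructed: the first copies the page's own Event ID 400 example, the other three are hand-written.

```python
import re

# Data_N slot that holds the tab-indented Details / Context Information block (per the examples above).
CONTEXT_SLOT = {300: "Data_1", 400: "Data_2", 403: "Data_2", 600: "Data_2", 800: "Data_1"}
# Binaries expected to host the engine as ConsoleHost (assumption made by this example).
PS_HOST_EXES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Substrings from the Event ID 800 indicator table; the tags are this example's own names.
PIPELINE_INDICATORS = {
    "set-mppreference": "defender_preference_change", "add-mppreference": "defender_preference_change",
    "-itemproperty": "registry_itemproperty", "\\system\\currentcontrolset\\services\\": "service_registry_path",
    "http://": "plaintext_url", "ftp://": "plaintext_url",
}
KEY_LINE = re.compile(r"^\t?([A-Za-z]+)=(.*)$")
BINDING = re.compile(r'^ParameterBinding\(([^)]+)\): name="([^"]+)"; value="(.*)"$')
HOST_EXE = re.compile(r'([^\\/\s"]+\.exe)', re.IGNORECASE)   # first *.exe token of HostApplication


def parse_context(block):
    """Key=Value block -> dict. Keys are bare identifiers, so a line that does not look like
    one (e.g. the second line of a multi-line CommandLine) extends the previous value."""
    ctx, last = {}, None
    for raw in block.split("\n"):
        m = KEY_LINE.match(raw)
        if m:
            last = m.group(1)
            ctx[last] = m.group(2)
        elif raw.strip() and last is not None:
            ctx[last] += "\n" + raw
    return ctx


def parse_bindings(details):
    """Event 800 Data_2 ParameterBinding lines -> {command: {parameter: bound value}}. The values
    are post-expansion ($recs appears as OrderedDictionary above), so obfuscated text still binds plainly."""
    bound = {}
    for m in filter(None, map(BINDING.match, details.split("\n"))):
        cmd, name, value = m.groups()
        bound.setdefault(cmd, {})[name] = value
    return bound


def check_event(ev):
    """Tags raised by this example's simplified versions of the checks described above."""
    eid = ev["event_id"]
    ctx = parse_context(ev.get(CONTEXT_SLOT[eid], ""))
    engine, host_ver = ctx.get("EngineVersion", ""), ctx.get("HostVersion", "")
    host_name, host_app = ctx.get("HostName", ""), ctx.get("HostApplication", "")
    findings = []
    if eid in (400, 403):
        if engine.startswith("2.") and not host_ver.startswith("2."):   # v2 engine under a non-v2 host
            findings.append("powershell_downgrade")
        if host_name == "ServerRemoteHost" and "wsmprovhost.exe" in host_app.lower():   # WinRM session
            findings.append("remote_powershell_session")
        m = HOST_EXE.search(host_app)
        if host_name == "ConsoleHost" and m and m.group(1).lower() not in PS_HOST_EXES:
            findings.append("renamed_powershell_host")
    if eid == 800:   # match both the Data_0 command text and the CommandLine= key of the context
        text = (ev.get("Data_0", "") + "\n" + ctx.get("CommandLine", "")).lower()
        findings += sorted({tag for needle, tag in PIPELINE_INDICATORS.items() if needle in text})
        bound = parse_bindings(ev.get("Data_2", "")).get("Set-MpPreference", {})
        if bound.get("DisableRealtimeMonitoring") == "True":
            findings.append("defender_realtime_disabled")
    return findings


def block(**kv):
    """Render a Key=Value block the way the log does (constructed data for the samples below)."""
    return "\n".join(f"\t{k}={v}" for k, v in kv.items())


CONSOLE = dict(HostName="ConsoleHost", HostVersion="5.1.19041.1", HostId="00000000", RunspaceId="11111111")
SAMPLE_EVENTS = [   # constructed; the first copies the Event ID 400 example on this page
    {"event_id": 400, "Data_0": "Available", "Data_1": "None", "Data_2":
     "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n"
     "\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n"
     "\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n"
     "\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n"
     "\tScriptName=\n\tCommandPath=\n\tCommandLine="},
    {"event_id": 400, "Data_0": "Available", "Data_1": "None",   # v2 engine started by a 5.1 host
     "Data_2": block(NewEngineState="Available", PreviousEngineState="None", **CONSOLE, EngineVersion="2.0",
                     HostApplication="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -version 2 -nop")},
    {"event_id": 400, "Data_0": "Available", "Data_1": "None",   # engine hosted by a renamed binary
     "Data_2": block(NewEngineState="Available", PreviousEngineState="None", **CONSOLE, EngineVersion="5.1.19041.1",
                     HostApplication="C:\\Users\\Public\\update.exe -nop -w hidden")},
    {"event_id": 800, "Data_0": "Set-MpPreference -DisableRealtimeMonitoring $true\n",   # Defender tamper
     "Data_1": block(DetailSequence=1, DetailTotal=1, UserId="CORP\\jdoe", **CONSOLE, EngineVersion="5.1.19041.1",
                     HostApplication="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", PipelineId=3,
                     CommandLine=" Set-MpPreference -DisableRealtimeMonitoring $true"),
     "Data_2": 'CommandInvocation(Set-MpPreference): "Set-MpPreference"\n'
               'ParameterBinding(Set-MpPreference): name="DisableRealtimeMonitoring"; value="True"\n'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], check_event(ev))
```

Run as a script it prints the tags per sample; in practice the same functions take the event_data of records read from the Windows PowerShell channel. Two things the output makes visible: the page's own 400 example trips the remote-session check (consistent with that rule being rated low, since every WinRM session looks like this), and for 800 the user has to be read from the UserId key of the Data_1 block because system.security.user_id is empty in every example on this page.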