Event ID 400 —
Fields #
| Name | Description |
|---|---|
Data_0 | — |
Data_1 | — |
Data_2 | — |
Binary | — |
Example Event #
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T01:18:31.405203+00:00",
"event_record_id": 365,
"correlation": {},
"execution": {
"process_id": 12192,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Available",
"Data_1": "None",
"Data_2": "\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.22621.2428\r\n\tHostId=4913f17e-97b6-4a6b-87a8-c754ea3b2fc8\r\n\tHostApplication=powershell.exe -NoProfile -Command & {if($PSVersionTable.PSVersion.Major -ge 3){Import-Module 'C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\\\Microsoft.VisualStudio.DevShell.dll'; Send-VsDevShellTelemetry -NewInstanceType Cmd; }}\r\n\tEngineVersion=5.1.22621.2428\r\n\tRunspaceId=fb50de9f-94e8-415e-a531-420630257558\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
"Binary": ""
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Nslookup PowerShell Download Cradle source medium: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
- Delete Volume Shadow Copies Via WMI With PowerShell source high: Shadow Copies deletion using operating systems utilities via PowerShell
- PowerShell Downgrade Attack - PowerShell source medium: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Show 6 more (9 total)
- PowerShell Called from an Executable Version Mismatch source high: Detects PowerShell called from an executable by the version mismatch method
- Netcat The Powershell Version source medium: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
- Remote PowerShell Session (PS Classic) source low: Detects remote PowerShell sessions
- Renamed Powershell Under Powershell Channel source low: Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
- Suspicious PowerShell Download source medium: Detects suspicious PowerShell download command
- Use Get-NetTCPConnection source low: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
- Example event sourced from https://github.com/NextronSystems/evtx-baseline