EventID 4104: PowerShell Script Block Logging
This event is logged to the Microsoft-Windows-PowerShell/Operational
channel whenever a script is run through PowerShell.
This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under Administrative Templates → Windows Components → Windows PowerShell.
Windows 11      ✅    Server 2019    ✅
Windows 10      ✅    Server 2016    ✅
Windows 8       ✅    Server 2012    ✅
Windows 7       ✅    Server 2008    ✅
Windows Vista   ❌    Server 2003    ❌
Windows XP      ❌
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
System/Level
This field may indicate a suspicious script. If its value is Warning,
the script was flagged as suspicious based on its contents.
EventData/ScriptBlockId
This field uniquely identifies a script across multiple 4104
events. Large scripts may be split across multiple events; to reconstruct the full script, concatenate all the events that share this ID.
EventData/Path
This field indicates the full path to the executed script, if available.
System/Execution/ProcessID
This field indicates the parent Process ID (PID) that executed the script.
System/Security/UserID
This field contains the SID of the user that executed the script.
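The reassembly described under ScriptBlockId, together with the Level check, as an added example that is not part of the original page: it parses 4104 records in the Operational channel's XML layout, orders the chunks of each ScriptBlockId by MessageNumber, checks that every chunk up to MessageTotal was seen, and marks blocks that carry a Warning level. The event records are constructed for the example (GUIDs, PID and SID are placeholders), and the field names MessageNumber, MessageTotal and ScriptBlockText are the ones the 4104 EventData carries.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(level, block_id, num, total, text, pid="4321", sid="S-1-5-21-1-2-3-1001"):
    """Constructed 4104 record laid out like the Operational channel's XML (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4104</EventID><Level>{level}</Level>'
            f'<Execution ProcessID="{pid}" ThreadID="1"/><Security UserID="{sid}"/></System><EventData>'
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{block_id}</Data>'
            f'<Data Name="Path"></Data></EventData></Event>')

# Constructed sample: chunks arrive out of order, one block is flagged, one block is missing chunks.
SAMPLE_EVENTS = [
    make_event(5, "aaaa-1", 2, 2, "Get-ChildItem C:\\Temp | Measure-Object"),   # Level 5 = Verbose
    make_event(5, "aaaa-1", 1, 2, "Write-Host 'inventory'; "),
    make_event(3, "bbbb-2", 1, 1, "[block text the engine flagged as suspicious]"),  # Level 3 = Warning
    make_event(5, "cccc-3", 1, 3, "# first of three chunks; the other two never arrived"),
]

def parse_event(xml_text):
    """Extract the 4104 fields documented above from one event record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "level": int(root.findtext("e:System/e:Level", namespaces=NS)),
        "pid": root.find("e:System/e:Execution", NS).get("ProcessID"),
        "sid": root.find("e:System/e:Security", NS).get("UserID"),
        "block_id": data["ScriptBlockId"],
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data["Path"],
    }

def reassemble(xml_events):
    """Group chunks by ScriptBlockId, order them by MessageNumber, and join them into full scripts."""
    chunks, meta = defaultdict(dict), {}
    for ev in map(parse_event, xml_events):
        chunks[ev["block_id"]][ev["num"]] = ev["text"]
        m = meta.setdefault(ev["block_id"], {k: ev[k] for k in ("total", "pid", "sid", "path")})
        m["suspicious"] = m.get("suspicious", False) or ev["level"] == 3  # Warning on any chunk flags the block
    result = {}
    for block_id, parts in chunks.items():
        m = meta[block_id]
        complete = set(parts) == set(range(1, m["total"] + 1))  # all of MessageNumber 1..MessageTotal seen
        result[block_id] = {**m, "complete": complete, "text": "".join(parts[n] for n in sorted(parts))}
    return result
```

Blocks reported as incomplete usually mean the remaining 4104 events were not collected (log rollover or a filtered forwarder), so the joined text should not be treated as the whole script.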
This event is only logged the first time that a script is executed.
This event will not capture the resultant output of an executed script as module logging does.
This example was produced on Windows 10, Version 10.0.19044 Build 19044