PowerShell
5 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 300 | Event ID 300 | Windows PowerShell | Y |
| 400 | Event ID 400 | Windows PowerShell | Y |
| 403 | Event ID 403 | Windows PowerShell | Y |
| 600 | Event ID 600 | Windows PowerShell | Y |
| 800 | Event ID 800 | Windows PowerShell | Y |
Event ID 300
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Binary | |
Example Event
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 3,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:36:40.9532632+00:00",
"event_record_id": 248590,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.",
"Data_1": "\tProviderName=Microsoft.PowerShell.Core\\FileSystem\n\tExceptionClass=DriveNotFoundException\n\tErrorCategory=\n\tErrorId=\n\tErrorMessage=Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\n\n\tSeverity=Warning\n\n\tSequenceNumber=82233\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=e8ecf392-16f7-461a-9e04-2cf3b693e616\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=7d22a55e-f35a-436b-aadc-c65ab73a8891\n\tPipelineId=4684\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Provider Health: Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.. \r\n\r\nDetails: \r\n\tProviderName=Microsoft.PowerShell.Core\\FileSystem\r\n\tExceptionClass=DriveNotFoundException\r\n\tErrorCategory=\r\n\tErrorId=\r\n\tErrorMessage=Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\r\n\r\n\tSeverity=Warning\r\n\r\n\tSequenceNumber=82233\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=e8ecf392-16f7-461a-9e04-2cf3b693e616\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=7d22a55e-f35a-436b-aadc-c65ab73a8891\r\n\tPipelineId=4684\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Event ID 400
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Binary | |
Example Event
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:08:49.4449408+00:00",
"event_record_id": 135234,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Available",
"Data_1": "None",
"Data_2": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Engine state is changed from None to Available. \r\n\r\nDetails: \r\n\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Data | contains | engineversion=2. | 2 rules | sigma |
| Data | contains | hostname=consolehost | 2 rules | sigma |
Detection Rules
Sigma: 11 rules reference this event (view in coverage).
Event ID 403
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Binary | |
Example Event
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 403,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T13:49:48.1625912+00:00",
"event_record_id": 135113,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Stopped",
"Data_1": "Available",
"Data_2": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=0b367628-0beb-4200-bd3b-d971f76266ad\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=80e8efda-cc77-49f0-ba78-d2a73183482b\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Engine state is changed from Available to Stopped. \r\n\r\nDetails: \r\n\tNewEngineState=Stopped\r\n\tPreviousEngineState=Available\r\n\r\n\tSequenceNumber=37\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=0b367628-0beb-4200-bd3b-d971f76266ad\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=80e8efda-cc77-49f0-ba78-d2a73183482b\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Event ID 600
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Binary | |
Example Event
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 600,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:08:49.4449408+00:00",
"event_record_id": 135233,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "Variable",
"Data_1": "Started",
"Data_2": "\tProviderName=Variable\n\tNewProviderState=Started\n\n\tSequenceNumber=11\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
},
"message": "Provider \"Variable\" is Started. \r\n\r\nDetails: \r\n\tProviderName=Variable\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=11\r\n\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
}
Detection Rules
Sigma rules reference this event (view in coverage).
Event ID 800
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
| Binary | |
Example Event
{
"system": {
"provider": "PowerShell",
"guid": "",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T14:11:01.1637860+00:00",
"event_record_id": 135268,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Windows PowerShell",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": " return ($recs | ConvertTo-Json -Depth 14 -Compress)\n",
"Data_1": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=39\n\n\tUserId=cell-c\\domainadmin\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.20348.558\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\n\tPipelineId=8\n\tScriptName=\n\tCommandLine= return ($recs | ConvertTo-Json -Depth 14 -Compress)\n",
"Data_2": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\n"
},
"message": "Pipeline execution details for command line: return ($recs | ConvertTo-Json -Depth 14 -Compress)\n. \r\n\r\nContext Information: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=39\r\n\r\n\tUserId=cell-c\\domainadmin\r\n\tHostName=ServerRemoteHost\r\n\tHostVersion=1.0.0.0\r\n\tHostId=aa212afc-f66e-4e09-a428-4989b19010a1\r\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\tEngineVersion=5.1.20348.558\r\n\tRunspaceId=55ce38e0-81ea-44db-9a08-0c9965b78525\r\n\tPipelineId=8\r\n\tScriptName=\r\n\tCommandLine= return ($recs | ConvertTo-Json -Depth 14 -Compress)\n \r\n\r\nDetails: \r\nCommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\r\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\r\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\n"
}
Detection Patterns
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventData | contains | -itemproperty | 5 rules | sigma |
| EventData | contains | .dll | 3 rules | sigma |
| EventData | contains | name | 3 rules | sigma |
| EventData | contains | set-mppreference | 3 rules | sigma |
| EventData | contains | \system\currentcontrolset\services\ | 2 rules | sigma |
| EventData | contains | add-mppreference | 2 rules | sigma |
| EventData | contains | ftp:// | 2 rules | sigma |
| EventData | contains | http:// | 2 rules | sigma |
| EventData | contains | https:// | 2 rules | sigma |
| Payload | contains | -itemproperty | 5 rules | sigma |
| Payload | contains | .dll | 3 rules | sigma |
| Payload | contains | name | 3 rules | sigma |
| ScriptBlockText | contains | -itemproperty | 5 rules | sigma |
| ScriptBlockText | contains | .dll | 3 rules | sigma |
| ScriptBlockText | contains | name | 3 rules | sigma |