Detection rules › By event

Microsoft-Windows-PowerShell Event ID 4103

182 detection rules reference this event. View event page.

Sigma (71)

Active Directory Forest PowerShell class called from a non administrative host severity medium T1482
AD Groups Or Users Enumeration Using PowerShell - PoshModule severity low T1069, T1069.001
Alternate PowerShell Hosts - PowerShell Module severity medium T1059, T1059.001
Bad Opsec Powershell Code Artifacts severity critical T1059, T1059.001
BitLocker server feature activation (PowerShell) severity high T1486
BITS payload downloaded via PowerShell severity medium T1048, T1105, T1197, T1570
Clear PowerShell History - PowerShell Module severity medium T1070, T1070.003
DCOM lateral movement (via MMC20) severity high T1021, T1021.003
DoT (DNS over TLS) activation (PowerShell) severity medium T1071, T1071.004
DSRM password changed (Reg via PowerShell) severity high T1098
Encoded PowerShell payload deployed (PowerShell) severity high T1027, T1059, T1059.001
Event log clear attempt (PowerShell) severity high T1070, T1070.001
Event log cleared using Diagnostics (via PowerShell) severity high T1070, T1070.001
Exchange transport agent installation artifacts (PowerShell) severity high T1505, T1505.002
Firewall configuration enumerated (PowerShell) severity medium T1016
Firewall deactivation (PowerShell) severity high T1562, T1562.004
Group discovery (PowerShell) severity medium T1069, T1069.001, T1069.002
HackTool - Evil-WinRm Execution - PowerShell Module severity high
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module severity medium T1027, T1059, T1059.001
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module severity medium T1027, T1059, T1059.001
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation VAR+ Launcher - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Stdin - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use Clip - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use MSHTA - PowerShell Module severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module severity high T1027, T1059, T1059.001
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet severity low T1016, T1518, T1518.001
LSASS credential dump with LSASSY (PowerShell) severity medium T1003, T1003.001
Malicious PowerShell Commandlets - PoshModule severity high T1059, T1059.001, T1069, T1069.001, T1069.002, T1087
Malicious PowerShell Scripts - PoshModule severity high T1059, T1059.001
Microsoft Defender critical security components disabled (PowerShell) severity high T1562, T1562.001
Microsoft Defender default action changed to allow any threat (PowerShell) severity high T1562, T1562.001
Microsoft Defender security components disabled (PowerShell) severity medium T1562, T1562.001
Microsoft Defender threat exclusion added (PowerShell) severity high T1562, T1562.001
OpenSSH native server feature installation severity medium T1021, T1021.004
OpenSSH server firewall configuration on Windows (PowerShell) severity high T1562, T1562.004
OpenSSH service activation on Windows severity medium T1021, T1021.004
Payload downloaded via PowerShell severity high T1059, T1059.001, T1105
PipeShell exfiltration over named pipes severity medium T1059, T1059.001
Potential Active Directory Enumeration Using AD Module - PsModule severity medium
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module severity high T1218
PowerShell Decompress Commands severity informational T1140
PowerShell Get Clipboard severity medium T1115
Print spooler privilege escalation via printer added (CVE-2020-1048) severity high T1547, T1547.010
Remote PowerShell Session (PS Module) severity high T1021, T1021.006, T1059, T1059.001
Service abuse with backdoored "command failure" (Reg via PowerShell) severity high T1543, T1543.003
Service abuse with malicious ImagePath (Reg via PowerShell) severity high T1543, T1543.003
Service creation (PowerShell) severity high T1543, T1543.003
Service permissions hijacked for privileges abuse (PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Service permissions hijacked for privileges abuse (Reg via PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Suspicious Computer Machine Password by PowerShell severity medium T1078
Suspicious Get Information for SMB Share - PowerShell Module severity low T1069, T1069.001
Suspicious Get Local Groups Information severity low T1069, T1069.001
Suspicious Get-ADDBAccount Usage severity high T1003, T1003.003
Suspicious PowerShell Download - PoshModule severity medium T1059, T1059.001
Suspicious PowerShell Invocations - Generic - PowerShell Module severity high T1059, T1059.001
Suspicious PowerShell Invocations - Specific - PowerShell Module severity high T1059, T1059.001
Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) severity high T1087, T1087.002, T1558, T1558.003
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module severity medium T1218
System time changed (PowerShell) severity medium T1070, T1070.006
Use Get-NetTCPConnection - PowerShell Module severity low T1049
Vault credentials manager accessed severity high T1555, T1555.004
VSS backup deletion via WMI (Powershell) severity high T1490
Webserver IIS module installed (PowerShell) severity high T1505, T1505.004
Webserver IIS module installed via GAC manipulation (PowerShell) severity high T1505, T1505.004
Windows Subsystem for Linux (WSL) installation (PowerShell) severity medium T1564, T1564.006
WMI registration (PowerShell) severity high T1546, T1546.003
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module severity medium T1074, T1074.001

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-PowerShell Event ID 4103

Sigma (71)

Splunk (111)

Keyboard shortcuts

Search operators