Detection rules › By event

Microsoft-Windows-PowerShell Event ID 4104

511 detection rules reference this event. View event page.

Sigma (218)

AADInternals PowerShell Cmdlets Execution - PsScript severity high
Abuse of Service Permissions to Hide Services Via Set-Service - PS severity high T1574, T1574.011
Access to Browser Login Data severity medium T1555, T1555.003
Active Directory Computers Enumeration With Get-AdComputer severity low T1018, T1087, T1087.002
Active Directory Forest PowerShell class called from a non administrative host severity medium T1482
Active Directory Group Enumeration With Get-AdGroup severity low T1069, T1069.002
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock severity low T1069, T1069.001
Add Windows Capability Via PowerShell Script severity medium
AMSI Bypass Pattern Assembly GetType severity high T1685
Automated Collection Bookmarks Using Get-ChildItem PowerShell severity low T1217
Automated Collection Command PowerShell severity medium T1119
BitLocker server feature activation (PowerShell) severity high T1486
BITS payload downloaded via PowerShell severity medium T1048, T1105, T1197, T1570
Certificate Exported Via PowerShell - ScriptBlock severity medium T1552, T1552.004
Change PowerShell Policies to an Insecure Level - PowerShell severity medium T1059, T1059.001
Change User Agents with WebRequest severity medium T1071, T1071.001
Clear PowerShell History - PowerShell severity medium T1070, T1070.003
Clearing Windows Console History severity high T1070, T1070.003
Code Executed Via Office Add-in XLL File severity high T1137, T1137.006
Compress-Archive Cmdlet Execution severity low T1560
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell severity medium T1033
Create Volume Shadow Copy with Powershell severity high T1003, T1003.003
DCOM lateral movement (via MMC20) severity high T1021, T1021.003
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script severity high T1490
Detected Windows Software Discovery - PowerShell severity medium T1518
DirectorySearcher Powershell Exploitation severity medium T1018
Disable of ETW Trace - Powershell severity high T1070, T1685
Disable Powershell Command History severity high T1070, T1070.003
Disable-WindowsOptionalFeature Command PowerShell severity high T1685
DMSA Link Attributes Modified severity low T1078, T1078.002, T1098
DMSA Service Account Created in Specific OUs - PowerShell severity medium T1078, T1078.002, T1098
Domain group membership change severity high T1098
DoT (DNS over TLS) activation (PowerShell) severity medium T1071, T1071.004
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock severity high T1059, T1059.001
DSRM password changed (Reg via PowerShell) severity high T1098
Dump Credentials from Windows Credential Manager With PowerShell severity medium T1555
Enable Windows Remote Management severity medium T1021, T1021.006
Encoded PowerShell payload deployed (PowerShell) severity high T1027, T1059, T1059.001
Enumerate Credentials from Windows Credential Manager With PowerShell severity medium T1555
Event log clear attempt (PowerShell) severity high T1070, T1070.001
Event log cleared using Diagnostics (via PowerShell) severity high T1070, T1070.001
Exchange transport agent installation artifacts (PowerShell) severity high T1505, T1505.002
Execute Invoke-command on Remote Host severity medium T1021, T1021.006
Extracting Information with PowerShell severity medium T1552, T1552.001
Firewall configuration enumerated (PowerShell) severity medium T1016
Firewall deactivation (PowerShell) severity high T1562, T1562.004
Get-ADUser Enumeration Using UserAccountControl Flags severity medium T1033
Group discovery (PowerShell) severity medium T1069, T1069.001, T1069.002
HackTool - Rubeus Execution - ScriptBlock severity high T1003, T1550, T1550.003, T1558, T1558.003
HackTool - WinPwn Execution - ScriptBlock severity high T1046, T1082, T1106, T1518, T1548, T1548.002
Import PowerShell Modules From Suspicious Directories severity medium T1059, T1059.001
Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet severity medium T1114, T1114.003, T1564, T1564.008
Invoke-Obfuscation CLIP+ Launcher - PowerShell severity high T1027, T1059, T1059.001
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell severity medium T1027, T1059, T1059.001
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell severity high T1027, T1059, T1059.001
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell severity medium T1027, T1059, T1059.001
Invoke-Obfuscation STDIN+ Launcher - Powershell severity high T1027, T1059, T1059.001
Invoke-Obfuscation VAR+ Launcher - PowerShell severity high T1027, T1059, T1059.001
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Stdin - Powershell severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use Clip - Powershell severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use MSHTA - PowerShell severity high T1027, T1059, T1059.001
Invoke-Obfuscation Via Use Rundll32 - PowerShell severity high T1027, T1059, T1059.001
Lace Tempest PowerShell Evidence Eraser severity high T1059, T1059.001
Lace Tempest PowerShell Launcher severity high T1059, T1059.001
Live Memory Dump Using Powershell severity high T1003
Local group membership change severity high T1098
LSASS credential dump with LSASSY (PowerShell) severity medium T1003, T1003.001
Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet severity medium T1020, T1114, T1114.003, T1564, T1564.008
Malicious Nishang PowerShell Commandlets severity high T1059, T1059.001
Malicious PowerShell Commandlets - ScriptBlock severity high T1059, T1059.001, T1069, T1069.001, T1069.002, T1087
Malicious PowerShell Keywords severity medium T1059, T1059.001
Malicious ShellIntel PowerShell Commandlets severity high T1059, T1059.001
Manipulation of User Computer or Group Security Principals Across AD severity medium T1136, T1136.002
Microsoft Defender critical security components disabled (PowerShell) severity high T1562, T1562.001
Microsoft Defender default action changed to allow any threat (PowerShell) severity high T1562, T1562.001
Microsoft Defender security components disabled (PowerShell) severity medium T1562, T1562.001
Microsoft Defender threat exclusion added (PowerShell) severity high T1562, T1562.001
Modify Group Policy Settings - ScriptBlockLogging severity medium T1484, T1484.001
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock severity low T1686, T1686.003
NTFS Alternate Data Stream severity high T1059, T1059.001, T1564, T1564.004
OpenSSH native server feature installation severity medium T1021, T1021.004
OpenSSH server firewall configuration on Windows (PowerShell) severity high T1562, T1562.004
OpenSSH service activation on Windows severity medium T1021, T1021.004
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy severity low T1201
Payload downloaded via PowerShell severity high T1059, T1059.001, T1105
PipeShell exfiltration over named pipes severity medium T1059, T1059.001
Potential Active Directory Enumeration Using AD Module - PsScript severity medium
Potential AMSI Bypass Script Using NULL Bits severity medium T1685
Potential APT FIN7 POWERHOLD Execution severity high T1059, T1059.001
Potential COM Objects Download Cradles Usage - PS Script severity medium T1105
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet severity medium T1048, T1048.003
Potential Data Exfiltration Via Audio File severity medium
Potential In-Memory Execution Using Reflection.Assembly severity medium T1620
Potential Invoke-Mimikatz PowerShell Script severity high T1003
Potential Keylogger Activity severity medium T1056, T1056.001
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock severity medium T1040
Potential Persistence Via PowerShell User Profile Using Add-Content severity medium T1546, T1546.013
Potential Persistence Via Security Descriptors - ScriptBlock severity high
Potential PowerShell Obfuscation Using Alias Cmdlets severity low T1027, T1059, T1059.001
Potential PowerShell Obfuscation Using Character Join severity low T1027, T1059, T1059.001
Potential POWERTRASH Script Execution severity high T1059, T1059.001
Potential Registry Reconnaissance Via PowerShell Script severity medium T1007, T1012
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock severity high T1218
Potential Suspicious PowerShell Keywords severity medium T1059, T1059.001
Potential Suspicious Windows Feature Enabled severity medium
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock severity medium T1018, T1558, T1589, T1589.002
Potential WinAPI Calls Via PowerShell Scripts severity high T1059, T1059.001, T1106
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript severity medium
Powershell Add Name Resolution Policy Table Rule severity high T1565
PowerShell ADRecon Execution severity high T1059, T1059.001
PowerShell Create Local User severity medium T1059, T1059.001, T1136, T1136.001
Powershell Create Scheduled Task severity medium T1053, T1053.005
PowerShell Credential Prompt severity high T1059, T1059.001
PowerShell Deleted Mounted Share severity medium T1070, T1070.005
Powershell Detect Virtualization Environment severity medium T1497, T1497.001
Powershell Directory Enumeration severity medium T1083
Powershell DNSExfiltration severity high T1048
Powershell Execute Batch Script severity medium T1059, T1059.003
PowerShell Get-Process LSASS in ScriptBlock severity high T1003, T1003.001
PowerShell Hotfix Enumeration severity medium
PowerShell ICMP Exfiltration severity medium T1048, T1048.003
Powershell Install a DLL in System Directory severity high T1556, T1556.002
Powershell Keylogging severity medium T1056, T1056.001
Powershell Local Email Collection severity medium T1114, T1114.001
Powershell LocalAccount Manipulation severity medium T1098
Powershell MsXml COM Object severity medium T1059, T1059.001
PowerShell PSAttack severity high T1059, T1059.001
PowerShell Remote Session Creation severity medium T1059, T1059.001
PowerShell Script Change Permission Via Set-Acl - PsScript severity low T1222
PowerShell Script With File Hostname Resolving Capabilities severity medium T1020
PowerShell Script With File Upload Capabilities severity low T1020
Powershell Sensitive File Discovery severity medium T1083
PowerShell Set-Acl On Windows Folder - PsScript severity high T1222
PowerShell ShellCode severity high T1055, T1059, T1059.001
Powershell Store File In Alternate Data Stream severity medium T1564, T1564.004
Powershell Suspicious Win32_PnPEntity severity low T1120
Powershell Timestomp severity medium T1070, T1070.006
Powershell Token Obfuscation - Powershell severity medium T1027, T1027.009
PowerShell Web Access Installation - PsScript severity high T1059, T1059.001
Powershell WMI Persistence severity medium T1546, T1546.003
PowerShell WMI Win32_Product Install MSI severity medium T1218, T1218.007
PowerShell Write-EventLog Usage severity medium
Powershell XML Execute Command severity medium T1059, T1059.001
PowerView PowerShell Cmdlets - ScriptBlock severity high T1059, T1059.001
Print spooler privilege escalation via printer added (CVE-2020-1048) severity high T1547, T1547.010
PSAsyncShell - Asynchronous TCP Reverse Shell severity high T1059, T1059.001
Recon Information for Export with PowerShell severity medium T1119
Registry Modification Attempt Via VBScript - PowerShell severity medium T1059, T1059.005, T1112
Registry-Free Process Scope COR_PROFILER severity medium T1574, T1574.012
Remove Account From Domain Admin Group severity medium T1531
Replace Desktop Wallpaper by Powershell severity low T1491, T1491.001
Root Certificate Installed - PowerShell severity medium T1553, T1553.004
Security Software Discovery Via Powershell Script severity medium T1518, T1518.001
Service abuse with backdoored "command failure" (Reg via PowerShell) severity high T1543, T1543.003
Service abuse with malicious ImagePath (Reg via PowerShell) severity high T1543, T1543.003
Service creation (PowerShell) severity high T1543, T1543.003
Service permissions hijacked for privileges abuse (PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Service permissions hijacked for privileges abuse (Reg via PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Service Registry Permissions Weakness Check severity medium T1574, T1574.011
Silence.EDA Detection severity critical T1059, T1059.001, T1071, T1071.004, T1529, T1572
SMB over QUIC Via PowerShell Script severity medium T1570
Suspicious Connection to Remote Account severity low T1110, T1110.001
Suspicious Eventlog Clear severity medium T1685, T1685.005
Suspicious FromBase64String Usage On Gzip Archive - Ps Script severity medium T1132, T1132.001
Suspicious Get Information for SMB Share severity low T1069, T1069.001
Suspicious Get Local Groups Information - PowerShell severity low T1069, T1069.001
Suspicious Get-ADReplAccount severity medium T1003, T1003.006
Suspicious GetTypeFromCLSID ShellExecute severity medium T1546, T1546.015
Suspicious GPO Discovery With Get-GPO severity low T1615
Suspicious Hyper-V Cmdlets severity medium T1564, T1564.006
Suspicious Invoke-Item From Mount-DiskImage severity medium T1553, T1553.005
Suspicious IO.FileStream severity medium T1070, T1070.003
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock severity high T1558, T1558.003
Suspicious Mount-DiskImage severity low T1553, T1553.005
Suspicious New-PSDrive to Admin Share severity medium T1021, T1021.002
Suspicious PowerShell Download - Powershell Script severity medium T1059, T1059.001
Suspicious PowerShell Get Current User severity low T1033
Suspicious PowerShell Invocations - Generic severity high T1059, T1059.001
Suspicious PowerShell Invocations - Specific severity high T1059, T1059.001
Suspicious PowerShell Mailbox Export to Share - PS severity critical
Suspicious PowerShell WindowStyle Option severity medium T1564, T1564.003
Suspicious Process Discovery With Get-Process severity low T1057
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS severity high T1574, T1574.011
Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) severity high T1087, T1087.002, T1558, T1558.003
Suspicious SSL Connection severity low T1573
Suspicious Start-Process PassThru severity medium T1036, T1036.003
Suspicious TCP Tunnel Via PowerShell Script severity medium T1090
Suspicious Unblock-File severity medium T1553, T1553.005
Suspicious X509Enrollment - Ps Script severity medium T1553, T1553.004
SyncAppvPublishingServer Execution to Bypass Powershell Restriction severity medium T1218
System time changed (PowerShell) severity medium T1070, T1070.006
Tamper Windows Defender - ScriptBlockLogging severity high T1685
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging severity high T1685
Testing Usage of Uncommonly Used Port severity medium T1571
Troubleshooting Pack Cmdlet Execution severity medium T1202
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript severity medium
Usage Of Web Request Commands And Cmdlets - ScriptBlock severity medium T1059, T1059.001
Use Of Remove-Item to Delete File - ScriptBlock severity low T1070, T1070.004
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell severity medium T1033
Vault credentials manager accessed severity high T1555, T1555.004
Veeam Backup Servers Credential Dumping Script Execution severity high
Vice Society directory crawling script for data exfiltration (via ps_script) severity high T1041, T1059, T1059.001
VSS backup deletion via WMI (Powershell) severity high T1490
Webserver IIS module installed (PowerShell) severity high T1505, T1505.004
Webserver IIS module installed via GAC manipulation (PowerShell) severity high T1505, T1505.004
WinAPI Function Calls Via PowerShell Scripts severity medium T1059, T1059.001, T1106
WinAPI Library Calls Via PowerShell Scripts severity medium T1059, T1059.001, T1106
Windows Defender Exclusions Added - PowerShell severity medium T1059, T1685
Windows Firewall Profile Disabled severity medium T1686, T1686.003
Windows Mail App Mailbox Access Via PowerShell Script severity medium T1070, T1070.008
Windows Screen Capture with CopyFromScreen severity medium T1113
Windows Subsystem for Linux (WSL) installation (PowerShell) severity medium T1564, T1564.006
Winlogon Helper DLL severity medium T1547, T1547.004
WMI registration (PowerShell) severity high T1546, T1546.003
WMIC Unquoted Services Path Lookup - PowerShell severity medium T1047
WMImplant Hack Tool severity high T1047, T1059, T1059.001
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script severity medium T1074, T1074.001

Elastic (13)

Dynamic IEX Reconstruction via Method String Access severity low T1027, T1027.010, T1059, T1059.001, T1140
Potential Dynamic IEX Reconstruction via Environment Variables severity medium T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion severity high T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Character Array Reconstruction severity high T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation severity high T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via High Numeric Character Proportion severity low T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via High Special Character Proportion severity low building block T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Invalid Escape Sequences severity medium T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Reverse Keywords severity low T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via Special Character Overuse severity medium T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via String Concatenation severity high T1027, T1027.010, T1059, T1059.001, T1140
Potential PowerShell Obfuscation via String Reordering severity medium T1027, T1027.010, T1059, T1059.001, T1140
PowerShell Obfuscation via Negative Index String Reversal severity low T1027, T1027.010, T1059, T1059.001, T1140

Splunk (279)

Kusto (1)

Suspicious Powershell Commandlet Executed severity medium T1059

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-PowerShell Event ID 4104

Sigma (218)

Elastic (13)

Splunk (279)

Kusto (1)

Keyboard shortcuts

Search operators