PowerShell Script Block & Operational Logs

Windows, Execution Evidence, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Description

PowerShell Operational log and Script Block Logging (Event 4104) capturing the full text of executed scripts, including those decoded at runtime from Base64 or obfuscation layers.

Forensic Value

Script Block Logging defeats obfuscation because each script block is recorded when it is invoked, so code that an outer layer decodes and runs is logged in its final plaintext form. This is often the only artifact that reveals encoded download cradles, credential harvesting, and in-memory-only tools like Invoke-Mimikatz. Module Logging (Event 4103) adds pipeline execution details for reconstruction.

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Chainsaw, PowerShell

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target EventLogs

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx" --csv C:\output --csvf PowerShell.csv

PowerShell

Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-PowerShell/Operational"; Id=4104} | Export-Csv ps_scriptblocks.csv

Chainsaw

chainsaw hunt "C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx" -s sigma/
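The Get-WinEvent query above exports one row per event, but PowerShell splits long script blocks across several 4104 events that share a ScriptBlockId and carry MessageNumber/MessageTotal counters. The following script is an added example, not part of this page or any of the listed tools: it reassembles those fragments into complete blocks and flags ones containing indicator strings (the indicator list and the output file name are assumptions you should adapt).

```powershell
# Added example (not from the original page): reassemble fragmented 4104 events and
# flag script blocks containing indicator strings. Assumes the Operational log is readable;
# set $EvtxPath to an offline .evtx copy to run against an exported log instead.
$EvtxPath = ''
$LogName  = 'Microsoft-Windows-PowerShell/Operational'

# Indicator substrings a defender would want surfaced (constructed list; extend as needed).
$Indicators = @('FromBase64String', '-EncodedCommand', 'DownloadString', 'Net.WebClient', 'Invoke-Mimikatz')

$filter = @{ Id = 4104 }
if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = $LogName }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Read EventData fields by name from the event XML instead of trusting Properties[] order.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# One object per 4104 fragment; long script blocks arrive as MessageNumber 1..MessageTotal.
$fragments = foreach ($e in $events) {
    $d = Get-EventDataMap -Event $e
    [pscustomobject]@{
        Time = $e.TimeCreated; ScriptBlockId = $d['ScriptBlockId']
        Part = [int]$d['MessageNumber']; Total = [int]$d['MessageTotal']
        Path = $d['Path']; Text = $d['ScriptBlockText']
    }
}

# Stitch fragments back together per ScriptBlockId and scan the full plaintext.
$blocks = $fragments | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object Part)
    $text  = -join $parts.Text
    $hits  = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
    [pscustomobject]@{
        FirstSeen     = $parts[0].Time
        ScriptBlockId = $_.Name
        Fragments     = "$($parts.Count)/$($parts[0].Total)"   # unequal => fragments missing
        Path          = $parts[0].Path                         # empty for interactive input
        Indicators    = ($hits -join ', ')
        Text          = $text
    }
}

$blocks | Where-Object Indicators | Sort-Object FirstSeen |
    Select-Object FirstSeen, ScriptBlockId, Fragments, Path, Indicators | Format-Table -AutoSize
$blocks | Export-Csv -NoTypeInformation reassembled_scriptblocks.csv
```

A Fragments value such as 2/3 means part of the block was lost to log rollover or truncation, which is exactly the case the Collection Constraints below warn about; treat such hits as partial evidence and pull the on-host .evtx if it is still available.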

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1059.001, T1027, T1140