EventPeeker
Event ID 4103 · Information · Microsoft-Windows-PowerShell/Operational · T1059.001

Windows Event ID 4103: PowerShell Module Logging

Logged for each PowerShell pipeline execution, capturing the module and function called. Less detailed than Script Block Logging (4104) but lower overhead.

MITRE ATT&CK

Technique

T1059.001 · PowerShell

Tactic

Execution


Why It Matters

Module logging captures command invocations even when scripts are obfuscated or downloaded in-memory. Attackers using PowerShell for C2, lateral movement, or credential access will generate 4103 events.

Key Fields

Payload: The command or module executed
User: The account running PowerShell
Host Name / Host Application: Where PowerShell is running. ConsoleHost is interactive; unexpected hosts may indicate process injection

Investigation Tips

  1. Look for Invoke-Mimikatz, Invoke-ReflectivePEInjection, or other known offensive module names.
  2. PowerShell running as SYSTEM in a non-interactive context is suspicious.
  3. Correlate with 4688 to see what launched PowerShell.
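As an added example (not EventPeeker's code), the following Python applies the three tips above to 4103 records parsed from their event XML: it pulls User, Host Name and Host Application out of the ContextInfo block, matches the Payload against known offensive module names, and hands off the ProcessID for 4688 correlation. The two sample events, including their process IDs, account names and host application paths, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Module names the investigation tips call out; extend the set for your environment.
KNOWN_OFFENSIVE = {"invoke-mimikatz", "invoke-reflectivepeinjection"}
INTERACTIVE_HOSTS = {"ConsoleHost", "Windows PowerShell ISE Host"}
# Two constructed 4103 records (not real captures); the ContextInfo layout mirrors the real schema.
SAMPLE_EVENTS = [r"""<Event><System><EventID>4103</EventID><Execution ProcessID="4120"/></System>
<EventData><Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command Name = Get-Process
        User = CORP\alice</Data>
<Data Name="Payload">CommandInvocation(Get-Process): "Get-Process"</Data>
</EventData></Event>""", r"""<Event><System><EventID>4103</EventID><Execution ProcessID="5308"/></System>
<EventData><Data Name="ContextInfo">        Severity = Informational
        Host Name = Default Host
        Host Application = C:\Windows\System32\wbem\wmiprvse.exe
        Command Name = Invoke-Mimikatz
        User = NT AUTHORITY\SYSTEM</Data>
<Data Name="Payload">CommandInvocation(Invoke-Mimikatz): "Invoke-Mimikatz"</Data>
</EventData></Event>"""]

def parse_4103(xml_text):
    # Flatten one record into the fields the checks need (tolerates the real xmlns).
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    data = {el.get("Name"): (el.text or "") for el in root.iter() if local(el) == "Data"}
    pid = next((el.get("ProcessID") for el in root.iter() if local(el) == "Execution"), None)
    ctx = {}
    for line in data.get("ContextInfo", "").splitlines():
        if "=" in line:                       # e.g. "        Host Name = ConsoleHost"
            key, value = line.split("=", 1)
            ctx[key.strip()] = value.strip()
    return {"pid": pid, "payload": data.get("Payload", ""), "user": ctx.get("User", ""), "host": ctx.get("Host Name", ""),
            "app": ctx.get("Host Application", ""), "command": ctx.get("Command Name", "")}

def triage(event):
    # Apply the three investigation tips; returns a list of finding strings (empty = benign).
    findings = []
    text = (event["command"] + " " + event["payload"]).lower()
    hits = sorted(name for name in KNOWN_OFFENSIVE if name in text)
    if hits:
        findings.append("known offensive module: " + ", ".join(hits))
    if event["user"].upper().endswith("\\SYSTEM") and event["host"] not in INTERACTIVE_HOSTS:
        findings.append("SYSTEM running PowerShell non-interactively via " + event["app"])
    elif event["host"] not in INTERACTIVE_HOSTS:
        findings.append("unexpected host " + event["host"] + " (" + event["app"] + ")")
    if findings:                              # tip 3: pivot to process creation
        findings.append("correlate with 4688 for ProcessId " + str(event["pid"]))
    return findings
```

On a live host, feed the same functions the XML from `Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational -FilterXPath "*[System[EventID=4103]]"` piped through each event's `.ToXml()`.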

Related Event IDs

4104: PowerShell Script Block Logging (more detailed)
4688: Process creation for the PowerShell process

See Event ID 4103 in your logs

Upload a Windows Event Log (.evtx) file and EventPeeker automatically detects PowerShell Module Logging patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
