PowerShell Detections — Threat Research Release, August 2021

The Splunk Threat Research Team (STRT) most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging. We focused our security content on script block logging (Event Code 4104) as it provides the most granular visibility of PowerShell scripts that execute on an endpoint. However, we also provided a way to gather all three for testing validation, production or curiosity. Adversaries continue to use PowerShell and defenders are granted deeper visibility with Script Block Logging. 

Watch the video to understand how STRT has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell. 


PowerShell attacks have not surmised and Microsoft continues to expand on new features, plus it’s native integration in each operating system. Since version 5 of PowerShell, logging was expanded to include script block, module and transaction logging. What does this mean? Granular visibility into what is being run on our endpoints. 

What is PowerShell Script Block Logging?

This is the raw, deobfuscated script supplied through the command line or wrapped in a function, script, workflow or similar. Think of everytime an adversary executes an encoded PowerShell script or command, script block logging provides that data in its raw form. 

Windows Event Code=4104

What does it look like?

PowerShell Detections

The Splunk Threat Research Team has developed a set of detections to assist with getting started in detecting suspicious 4104 script block events. 





Detect Empire with PowerShell Script Block Logging



Identifies two values that are always found in the default PowerShell-Empire payloads.

Detect Mimikatz With PowerShell Script Block Logging



Identifies strings typically found in PowerShell script block code related to mimikatz.

Powershell Fileless Process Injection via GetProcAddress

T1059.001, T1055

Execution, Defense Evasion, Privilege Escalation

Identifies the use of GetProcAddress within the script block.

Powershell Fileless Script Contains Base64 Encoded Content

T1059.001, T1027


Identifies the use of Base64 within the script block.

Unloading AMSI via Reflection


Defense Evasion

Identifies within the script block, typically found in encoded commands disabling AMSI.

PowerShell Domain Enumeration



Identifies commands typically found with domain and trust enumeration.

PowerShell Loading .NET into Memory via System.Reflection.Assembly



Identifies system.reflection.assembly within the script block being used, typically found in malicious PowerShell script execution.

Powershell Creating Thread Mutex


Defense Evasion

Identifies the `mutex` function typically found and used in malicious PowerShell script execution.

Powershell Processing Stream Of Data



Identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data.

Powershell Using memory As Backing Store


Defense Evasion

Identifies within the script block the use of memory stream as new object backstore.

Recon AVProduct Through Pwh or WMI



Identifies suspicious PowerShell script execution performing checks to identify anti-virus products installed on the endpoint.

Recon Using WMI Class



Identifies suspicious PowerShell where WMI is performing an event query looking for running processes or running services.

WMI Recon Running Process or Services



Identifies suspicious PowerShell script execution where WMI is performing an event query looking for running processes or running services.

Allow Inbound Traffic In Firewall Rule


Lateral Movement

Identifies suspicious PowerShell commands to allow inbound traffic inbound to a specific local port within the public profile.

Mailsniper Invoke functions



Identifies known mailsniper.ps1 functions executed on an endpoint.

Delete ShadowCopy With PowerShell



Identifies PowerShell commands to delete shadow copy using the WMIC PowerShell module.

Powershell Enable SMB1Protocol Feature


Defense Evasion

Identifies enabling of smb1protocol through PowerShell Script Block logging.

Detect WMI Event Subscription Persistence


Privilege Escalation, Persistence

Identifies WMI Event Subscription to establish persistence or perform privilege escalation.


Responding to PowerShell with Automated Playbooks

The following community Splunk SOAR playbooks mentioned below can be used in conjunction with some of the previously described Powershell analytics. 


Technique ID



Malware Hunt And Contain



This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black.

Email Notification for Malware



This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PANW WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team.

Block Indicators



This playbook retrieves IP addresses, domains, and file hashes, blocks them on various services, and adds them to specific blocklists as custom lists

For more information about how Splunk SOAR can accelerate investigations and remediations for your SOC, check out the upcoming Splunk4Ninjas Splunk SOAR Hands On Workshop.


Why Should You Care About PowerShell Logging?

PowerShell is not leaving the Windows endpoint any time soon. As defenders, we need to expand beyond process and command-line analytics and begin diving deeper into our logs to identify more unique ways to capture malicious or suspicious activity. Script block logging, albeit not new, opens our horizons to see complete scripts being executed

For a full list of security content, check out the release notes on Splunk Docs:

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 


Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.


We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss for their contribution to this release.


The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content