PowerShell Logging for Cyber Defense: Detecting Attacks Using Event ID 4103, 4104, 4688 & Security Log Analysis
In modern cyberattacks, PowerShell has become one of the most abused tools in Windows environments. Attackers don’t always drop malware anymore—instead, they live off the land, using built-in tools like PowerShell to execute fileless attacks, bypass antivirus, and move laterally inside enterprise networks.
In one real-world SOC investigation, a financial organization in the US detected unusual PowerShell activity running every few minutes on a domain-joined workstation. There were no antivirus alerts. No suspicious files. Yet, within hours, encrypted outbound traffic revealed a stealthy credential harvesting operation running entirely through PowerShell scripts.
This is exactly why PowerShell logging and Windows Event ID monitoring are critical for modern cybersecurity defense.
Table of Contents
- 1. Why PowerShell is a Cybersecurity Blind Spot
- 2. Key Event IDs for PowerShell Attack Detection
- 3. Event ID 4103 – Module Logging
- 4. Event ID 4104 – Script Block Logging
- 5. Event ID 4688 – Process Creation Monitoring
- 6. Security Log Event IDs (4624, 4625, 4672)
- 7. PowerShell Log Investigation Commands
- 8. Detection & SOC Investigation Strategy
- 9. Prevention Techniques
- 10. Expert SOC Tips
- 11. Frequently Asked Questions
Why PowerShell is a Cybersecurity Blind Spot
PowerShell is deeply integrated into Windows systems. It allows administrators to automate tasks, manage systems, and configure environments efficiently. But this same power makes it dangerous in the wrong hands.
Attackers prefer PowerShell because:
- It is built into Windows (no need to drop external malware)
- It supports fileless execution (hard to detect)
- It can bypass traditional antivirus solutions
- It allows remote execution and credential dumping
Modern ransomware groups, APT actors, and penetration testers all rely heavily on PowerShell for stealth operations. That’s why SOC teams must focus heavily on logging and behavioral detection.
Key Event IDs for PowerShell Attack Detection
Windows Event Logging provides critical visibility into PowerShell activity. The most important Event IDs include:
- 4103 – PowerShell module logging
- 4104 – Script block logging
- 4688 – Process creation logs
Each of these logs reveals different layers of execution, helping analysts reconstruct attacker behavior.
Event ID 4103 – PowerShell Module Logging
Event ID 4103 records the execution of PowerShell cmdlets and pipeline activity. It is extremely useful for identifying suspicious command execution patterns.
What it detects:
- Executed PowerShell commands
- Module usage patterns
- Suspicious administrative actions
Why it matters: Attackers often use encoded commands like:
powershell -enc SQBFAFgA...
Even if obfuscated, module logging can help reconstruct execution flow and identify malicious intent.
Event ID 4104 – PowerShell Script Block Logging
This is one of the most powerful defenses against PowerShell-based attacks.
Event ID 4104 captures decoded script content, even if the attacker tries to hide it using obfuscation techniques.
What it detects:
- Obfuscated PowerShell scripts
- Encoded commands
- Malicious in-memory scripts
Real-world scenario: Attackers often use Base64 encoding or string concatenation to hide payloads. However, 4104 logs reveal the actual script block after PowerShell interprets it.
This makes it extremely valuable for SOC analysts performing forensic investigations.
Event ID 4688 – Process Creation Monitoring
Event ID 4688 records process creation events in Windows systems. It helps track when PowerShell is launched and with what parameters.
What it detects:
- PowerShell execution by users or malware
- Parent-child process relationships
- Suspicious command-line arguments
Example suspicious execution:
powershell.exe -nop -w hidden -enc JABXAGgA...
Flags like -nop, -w hidden, and -enc are commonly used by attackers to evade detection.
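As an added example (not code from the original article), the following PowerShell function classifies a command line as it appears in the CommandLine field of a 4688 event, decodes an -enc payload, and is then applied to live 4688 events; the function name and the sample command line are this example's own constructions, and it assumes command-line auditing is enabled for 4688.

```powershell
# Added example, not from the original article. The function name and the
# sample command line below are constructed for illustration.
function Test-SuspiciousPowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # PowerShell accepts abbreviated switches, so the patterns must accept them too.
    $patterns = [ordered]@{
        NoProfile      = '(?i)\s-nop(rofile)?\b'
        HiddenWindow   = '(?i)\s-w(indowstyle)?\s+hidden\b'
        BypassPolicy   = '(?i)\s-e(xecution)?p(olicy)?\s+bypass\b'
        EncodedCommand = '(?i)\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})'
    }
    $hits = @(foreach ($name in $patterns.Keys) {
        if ($CommandLine -match $patterns[$name]) { $name }
    })

    # -EncodedCommand carries Base64 of UTF-16LE text, hence the Unicode encoding.
    $decoded = $null
    if ($CommandLine -match $patterns.EncodedCommand) {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { $decoded = '<not valid Base64>' }
    }
    [pscustomobject]@{
        Suspicious = ($hits -contains 'EncodedCommand') -or ($hits.Count -ge 2)
        Indicators = $hits -join ','
        Decoded    = $decoded
    }
}

# Constructed sample: a benign payload encoded the way -enc expects it.
$b64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed sample'"))
$sample = "powershell.exe -nop -w hidden -enc $b64"
Test-SuspiciousPowerShellCommandLine -CommandLine $sample

# Live use: inspect 4688 events that launched powershell.exe or pwsh.exe.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd -match '(?i)\b(powershell|pwsh)(\.exe)?\b') {
            Test-SuspiciousPowerShellCommandLine -CommandLine $cmd |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
    } | Where-Object Suspicious
```

The constructed sample reports all three indicators and the decoded Write-Output line; on a live host only the events flagged Suspicious are returned.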
Security Log Event IDs (4624, 4625, 4672)
PowerShell attacks often coincide with authentication abuse. That’s why monitoring Security Logs is equally important.
| Event ID | Description |
| --- | --- |
| 4624 | Successful login (possible attacker access) |
| 4625 | Failed login attempts (brute force activity) |
| 4672 | Special privileges assigned (admin-level access) |
When combined with PowerShell logs, these events help SOC teams build a full attack timeline.
PowerShell Log Investigation Commands
One of the most effective ways to analyze logs in Windows is using Get-WinEvent. SOC analysts frequently use this command for filtering security events.
# Retrieve login and privilege-related security events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624, 4625, 4672)} | Format-Table TimeCreated, Id, Message -AutoSize
What it does:
- Fetches authentication and privilege escalation events
- Displays timestamps and detailed messages
- Helps correlate suspicious login behavior
When to use:
- Incident response investigations
- Brute force detection
- Privilege escalation tracking
Detection & SOC Investigation Strategy
In real SOC environments, PowerShell attack detection is not based on a single log—it requires correlation across multiple Event IDs.
Step-by-step detection strategy:
- Step 1: Monitor Event ID 4688 for PowerShell process creation
- Step 2: Analyze Event ID 4103 for command execution patterns
- Step 3: Decode Event ID 4104 for hidden scripts
- Step 4: Correlate with Security Logs (4624, 4625, 4672)
- Step 5: Identify abnormal execution timelines
Example attack pattern:
- User login (4624)
- Privilege escalation (4672)
- PowerShell execution (4688)
- Encoded script execution (4104)
This chain often indicates a real compromise.
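The five-step strategy and the example chain above, as an added PowerShell example that is not part of the original article: the first function searches a set of events for the 4624 -> 4672 -> 4688 -> 4104 sequence for one account inside a time window, and the second collects live events from the Security and PowerShell Operational logs into the same shape. The event shape (TimeCreated, Id, User), the function names and the sample events are this example's own conventions.

```powershell
# Added example, not from the original article. The event shape (TimeCreated, Id, User),
# the function names and the sample events are this example's own conventions.
function Find-PowerShellAttackChain {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 30)
    $chain = 4624, 4672, 4688, 4104      # the order the article describes
    foreach ($group in $Events | Group-Object User) {
        $idx = 0; $start = $null; $matched = @()
        foreach ($e in ($group.Group | Sort-Object TimeCreated)) {
            # A partial chain that has gone stale is discarded before this event is considered.
            if ($start -and ($e.TimeCreated - $start).TotalMinutes -gt $WindowMinutes) {
                $idx = 0; $start = $null; $matched = @()
            }
            if ($e.Id -ne $chain[$idx]) { continue }
            if ($idx -eq 0) { $start = $e.TimeCreated }
            $matched += $e; $idx++
            if ($idx -eq $chain.Count) {
                [pscustomobject]@{ User = $group.Name; Start = $start; End = $e.TimeCreated; Events = $matched }
                $idx = 0; $start = $null; $matched = @()
            }
        }
    }
}
# Constructed sample (not real log data): one account completes the chain, another does not.
$t0 = Get-Date '2026-01-15 09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               Id = 4624; User = 'jdoe' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Id = 4672; User = 'jdoe' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Id = 4688; User = 'jdoe' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); Id = 4104; User = 'jdoe' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Id = 4624; User = 'svc-backup' }
)
Find-PowerShellAttackChain -Events $sample
# Live collection: normalise Security and PowerShell Operational events to the same shape.
function Get-ChainEvents {
    $sec = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624,4672,4688)} | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        $field = if ($_.Id -eq 4624) { 'TargetUserName' } else { 'SubjectUserName' }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; User = ($d | Where-Object Name -eq $field).'#text' }
    }
    $ps = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | ForEach-Object {
        # 4104 records a SID; translate it so it lines up with the account names above.
        $name = "$($_.UserId)"
        try { $name = $_.UserId.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1] } catch {}
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; User = $name }
    }
    @($sec) + @($ps)
}
Find-PowerShellAttackChain -Events (Get-ChainEvents) -WindowMinutes 30
```

On the constructed sample only jdoe is reported, with the four matched events attached; the user mapping between SIDs and account names is a simplification and should be adapted to how the environment names accounts.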
Prevention Techniques
Detecting attacks is not enough—prevention is critical in enterprise environments.
Recommended defenses:
- Enable PowerShell Script Block Logging (4104)
- Enable Module Logging (4103)
- Use Constrained Language Mode for PowerShell
- Disable PowerShell v2 (legacy version)
- Implement AppLocker or WDAC policies
- Monitor suspicious command-line flags (-enc, -nop, -w hidden)
Organizations in the US financial and healthcare sectors increasingly enforce strict PowerShell logging due to ransomware threats.
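An added configuration example (not from the original article) that audits and then applies the logging-related recommendations above through the documented policy registry keys behind the matching Group Policy settings; the function names are this example's own, and it assumes an elevated session on a Windows 10/11 or Windows Server host.

```powershell
# Added example, not from the original article. Function names are this example's own;
# the registry paths are the documented policy locations behind the matching Group Policy settings.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-PowerShellLoggingState {
    # One boolean per control, so the output can be compared across hosts.
    $sbl = Get-ItemProperty "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$psPolicy\ModuleLogging"      -ErrorAction SilentlyContinue
    $aud = Get-ItemProperty $auditKey                       -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging4104 = $sbl.EnableScriptBlockLogging -eq 1
        ModuleLogging4103      = $mod.EnableModuleLogging -eq 1
        CommandLineIn4688      = $aud.ProcessCreationIncludeCmdLine_Enabled -eq 1
        PowerShellV2Removed    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled'
    }
}

function Enable-PowerShellLogging {
    # Script block logging -> Event ID 4104
    New-Item "$psPolicy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging for every module -> Event ID 4103
    New-Item "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    # Process creation auditing with the command line included -> Event ID 4688
    New-Item $auditKey -Force | Out-Null
    Set-ItemProperty $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    # The legacy v2 engine writes neither 4103 nor 4104, so remove it.
    # (On Windows Server the equivalent is Uninstall-WindowsFeature PowerShell-V2.)
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

Get-PowerShellLoggingState   # audit first; run Enable-PowerShellLogging from an elevated session to fix
```

Constrained Language Mode and application control are not set here because they are enforced through AppLocker or WDAC policy rather than a single registry value; a domain-wide rollout should apply the same keys through a GPO.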
Expert SOC Tips
From a real-world SOC analyst perspective, here are some practical insights:
- Always correlate PowerShell logs with endpoint telemetry tools like EDR
- Watch for “living-off-the-land” binaries (LOLbins) abuse
- Use SIEM correlation rules for Event IDs 4103 + 4104 together
- Flag encoded PowerShell execution immediately for investigation
- Monitor repeated short-lived PowerShell sessions
Attackers rarely use PowerShell once—they use it repeatedly in automation chains. That’s your detection opportunity.
Frequently Asked Questions
Q1. Why is PowerShell dangerous in cybersecurity?
Because it is a built-in administrative tool that can execute malicious scripts without dropping files.
Q2. What is Event ID 4104 used for?
It logs PowerShell script block execution, including obfuscated and decoded scripts.
Q3. Can attackers hide PowerShell activity?
Yes, but logging mechanisms like 4103 and 4104 significantly reduce stealth capability.
Q4. What is the importance of Event ID 4688?
It tracks process creation and helps identify suspicious PowerShell execution chains.
Q5. How do SOC teams detect PowerShell attacks?
By correlating Event IDs 4103, 4104, 4688, and security logs like 4624/4625/4672.
Q6. What is the most common PowerShell attack technique?
Encoded command execution using Base64 and in-memory script execution.
Conclusion
PowerShell is both a powerful administrative tool and a major attack vector in modern cybersecurity threats. Attackers exploit its flexibility, but defenders can regain control through proper logging, monitoring, and correlation of Event IDs.
By understanding Event ID 4103, 4104, 4688, and Security Logs, SOC analysts can reconstruct attack chains, detect stealthy intrusions, and stop threats before they escalate.
In today’s cybersecurity landscape, visibility is everything—and PowerShell logging is one of your strongest lines of defense.