← Back to Explore
splunk_escuHunting
PowerShell 4104 Hunting
The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.
Detection Query
`powershell` EventCode=4104
| eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0)
| eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}
| [A-Za-z0-9+\/]{3}=
| [A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
| eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration
| Add-Persistence
| Add-RegBackdoor
| Add-ScrnSaveBackdoor
| Check-VM
| Do-Exfiltration
| Enabled-DuplicateToken
| Exploit-Jboss
| Find-Fruit
| Find-GPOLocation
| Find-TrustedDocuments
| Get-ApplicationHost
| Get-ChromeDump
| Get-ClipboardContents
| Get-FoxDump
| Get-GPPPassword
| Get-IndexedItem
| Get-Keystrokes
| LSASecret
| Get-PassHash
| Get-RegAlwaysInstallElevated
| Get-RegAutoLogon
| Get-RickAstley
| Get-Screenshot
| Get-SecurityPackages
| Get-ServiceFilePermission
| Get-ServicePermission
| Get-ServiceUnquoted
| Get-SiteListPassword
| Get-System
| Get-TimedScreenshot
| Get-UnattendedInstallFile
| Get-Unconstrained
| Get-VaultCredential
| Get-VulnAutoRun
| Get-VulnSchTask
| Gupt-Backdoor
| HTTP-Login
| Install-SSP
| Install-ServiceBinary
| Invoke-ACLScanner
| Invoke-ADSBackdoor
| Invoke-ARPScan
| Invoke-AllChecks
| Invoke-BackdoorLNK
| Invoke-BypassUAC
| Invoke-CredentialInjection
| Invoke-DCSync
| Invoke-DllInjection
| Invoke-DowngradeAccount
| Invoke-EgressCheck
| Invoke-Inveigh
| Invoke-InveighRelay
| Invoke-Mimikittenz
| Invoke-NetRipper
| Invoke-NinjaCopy
| Invoke-PSInject
| Invoke-Paranoia
| Invoke-PortScan
| Invoke-PoshRat
| Invoke-PostExfil
| Invoke-PowerDump
| Invoke-PowerShellTCP
| Invoke-PsExec
| Invoke-PsUaCme
| Invoke-ReflectivePEInjection
| Invoke-ReverseDNSLookup
| Invoke-RunAs
| Invoke-SMBScanner
| Invoke-SSHCommand
| Invoke-Service
| Invoke-Shellcode
| Invoke-Tater
| Invoke-ThunderStruck
| Invoke-Token
| Invoke-UserHunter
| Invoke-VoiceTroll
| Invoke-WScriptBypassUAC
| Invoke-WinEnum
| MailRaider
| New-HoneyHash
| Out-Minidump
| Port-Scan
| PowerBreach
| PowerUp
| PowerView
| Remove-Update
| Set-MacAttribute
| Set-Wallpaper
| Show-TargetScreen
| Start-CaptureServer
| VolumeShadowCopyTools
| NEEEEWWW
| (Computer
| User)Property
| CachedRDPConnection
| get-net\S+
| invoke-\S+hunter
| Install-Service
| get-\S+(credent
| password)
| remoteps
| Kerberos.*(policy
| ticket)
| netfirewall
| Uninstall-Windows
| Verb\s+Runas
| AmsiBypass
| nishang
| Invoke-Interceptor
| EXEonRemote
| NetworkRelay
| PowerShelludp
| PowerShellIcmp
| CreateShortcut
| copy-vss
| invoke-dll
| invoke-mass
| out-shortcut
| Invoke-ShellCommand"),1,0)
| eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0)
| eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0)
| eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0)
| eval iex=if(match(ScriptBlockText, "(?i)iex
| invoke-expression"),2,0)
| eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client
| request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file
| string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
| eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0)
| eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0)
| eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer
| mimik
| metasp
| AssemblyBuilderAccess
| Reflection\.Assembly
| shellcode
| injection
| cnvert
| shell\.application
| start-process
| Rc4ByteStream
| System\.Security\.Cryptography
| lsass\.exe
| localadmin
| LastLoggedOn
| hijack
| BackupPrivilege
| ngrok
| comsvcs
| backdoor
| brute.?force
| Port.?Scan
| Exfiltration
| exploit
| DisableRealtimeMonitoring
| beacon)"),1,0)
| eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0)
| eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0)
| eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0)
| eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject
| WMIMethod
| RemoteWMI
| PowerShellWmi
| wmicommand)"),5,0)
| eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0)
| eval compressed=if(match(ScriptBlockText, "(?i)GZipStream
| ::Decompress
| IO.Compression
| write-zip
| (expand
| compress)-Archive"),5,0)
| eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0)
| addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get
| stats values(Score)
BY UserID, Computer, DoIt,
enccom, compressed, downgrade,
iex, mimikatz, rundll32,
empire, webclient, syswow64,
httplocal, reflection, invokewmi,
invokecmd, base64, get,
suspcmdlet, suspkeywrd
| rename Computer as dest, UserID as user
| `powershell_4104_hunting_filter`Author
Michael Haag, Splunk
Created
2026-03-31
Data Sources
Powershell Script Block Logging 4104
References
- https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md
- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba
- https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt
- https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1
- https://www.mandiant.com/resources/greater-visibilityt
- https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/
- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
- https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
Tags
Braodo StealerCactus RansomwareChina-Nexus Threat ActivityCISA AA23-347ACISA AA24-241ACleo File Transfer SoftwareDarkGate MalwareData DestructionFlax TyphoonHermetic WiperLumma StealerMalicious PowerShellMedusa RansomwareRhysida RansomwareSalt TyphoonSystemBCPHP-CGI RCE Attack on Japanese OrganizationsWater GamayunXWormScattered SpiderInterlock Ransomware0bj3ctivity StealerAPT37 Rustonotto and FadeStealerGhostRedirector IIS Module and Rungan BackdoorHellcat RansomwareMicrosoft WSUS CVE-2025-59287MuddyWaterAxios Supply Chain Post Compromise
Raw Content
name: PowerShell 4104 Hunting
id: d6f2b006-0041-11ec-8885-acde48001122
version: 24
date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.
data_source:
- Powershell Script Block Logging 4104
search: |-
`powershell` EventCode=4104
| eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0)
| eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}
| [A-Za-z0-9+\/]{3}=
| [A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
| eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration
| Add-Persistence
| Add-RegBackdoor
| Add-ScrnSaveBackdoor
| Check-VM
| Do-Exfiltration
| Enabled-DuplicateToken
| Exploit-Jboss
| Find-Fruit
| Find-GPOLocation
| Find-TrustedDocuments
| Get-ApplicationHost
| Get-ChromeDump
| Get-ClipboardContents
| Get-FoxDump
| Get-GPPPassword
| Get-IndexedItem
| Get-Keystrokes
| LSASecret
| Get-PassHash
| Get-RegAlwaysInstallElevated
| Get-RegAutoLogon
| Get-RickAstley
| Get-Screenshot
| Get-SecurityPackages
| Get-ServiceFilePermission
| Get-ServicePermission
| Get-ServiceUnquoted
| Get-SiteListPassword
| Get-System
| Get-TimedScreenshot
| Get-UnattendedInstallFile
| Get-Unconstrained
| Get-VaultCredential
| Get-VulnAutoRun
| Get-VulnSchTask
| Gupt-Backdoor
| HTTP-Login
| Install-SSP
| Install-ServiceBinary
| Invoke-ACLScanner
| Invoke-ADSBackdoor
| Invoke-ARPScan
| Invoke-AllChecks
| Invoke-BackdoorLNK
| Invoke-BypassUAC
| Invoke-CredentialInjection
| Invoke-DCSync
| Invoke-DllInjection
| Invoke-DowngradeAccount
| Invoke-EgressCheck
| Invoke-Inveigh
| Invoke-InveighRelay
| Invoke-Mimikittenz
| Invoke-NetRipper
| Invoke-NinjaCopy
| Invoke-PSInject
| Invoke-Paranoia
| Invoke-PortScan
| Invoke-PoshRat
| Invoke-PostExfil
| Invoke-PowerDump
| Invoke-PowerShellTCP
| Invoke-PsExec
| Invoke-PsUaCme
| Invoke-ReflectivePEInjection
| Invoke-ReverseDNSLookup
| Invoke-RunAs
| Invoke-SMBScanner
| Invoke-SSHCommand
| Invoke-Service
| Invoke-Shellcode
| Invoke-Tater
| Invoke-ThunderStruck
| Invoke-Token
| Invoke-UserHunter
| Invoke-VoiceTroll
| Invoke-WScriptBypassUAC
| Invoke-WinEnum
| MailRaider
| New-HoneyHash
| Out-Minidump
| Port-Scan
| PowerBreach
| PowerUp
| PowerView
| Remove-Update
| Set-MacAttribute
| Set-Wallpaper
| Show-TargetScreen
| Start-CaptureServer
| VolumeShadowCopyTools
| NEEEEWWW
| (Computer
| User)Property
| CachedRDPConnection
| get-net\S+
| invoke-\S+hunter
| Install-Service
| get-\S+(credent
| password)
| remoteps
| Kerberos.*(policy
| ticket)
| netfirewall
| Uninstall-Windows
| Verb\s+Runas
| AmsiBypass
| nishang
| Invoke-Interceptor
| EXEonRemote
| NetworkRelay
| PowerShelludp
| PowerShellIcmp
| CreateShortcut
| copy-vss
| invoke-dll
| invoke-mass
| out-shortcut
| Invoke-ShellCommand"),1,0)
| eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0)
| eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0)
| eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0)
| eval iex=if(match(ScriptBlockText, "(?i)iex
| invoke-expression"),2,0)
| eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client
| request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file
| string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
| eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0)
| eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0)
| eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer
| mimik
| metasp
| AssemblyBuilderAccess
| Reflection\.Assembly
| shellcode
| injection
| cnvert
| shell\.application
| start-process
| Rc4ByteStream
| System\.Security\.Cryptography
| lsass\.exe
| localadmin
| LastLoggedOn
| hijack
| BackupPrivilege
| ngrok
| comsvcs
| backdoor
| brute.?force
| Port.?Scan
| Exfiltration
| exploit
| DisableRealtimeMonitoring
| beacon)"),1,0)
| eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0)
| eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0)
| eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0)
| eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject
| WMIMethod
| RemoteWMI
| PowerShellWmi
| wmicommand)"),5,0)
| eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0)
| eval compressed=if(match(ScriptBlockText, "(?i)GZipStream
| ::Decompress
| IO.Compression
| write-zip
| (expand
| compress)-Archive"),5,0)
| eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0)
| addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get
| stats values(Score)
BY UserID, Computer, DoIt,
enccom, compressed, downgrade,
iex, mimikatz, rundll32,
empire, webclient, syswow64,
httplocal, reflection, invokewmi,
invokecmd, base64, get,
suspcmdlet, suspkeywrd
| rename Computer as dest, UserID as user
| `powershell_4104_hunting_filter`
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Limited false positives. May filter as needed.
references:
- https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md
- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba
- https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt
- https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1
- https://www.mandiant.com/resources/greater-visibilityt
- https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/
- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
- https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
tags:
analytic_story:
- Braodo Stealer
- Cactus Ransomware
- China-Nexus Threat Activity
- CISA AA23-347A
- CISA AA24-241A
- Cleo File Transfer Software
- DarkGate Malware
- Data Destruction
- Flax Typhoon
- Hermetic Wiper
- Lumma Stealer
- Malicious PowerShell
- Medusa Ransomware
- Rhysida Ransomware
- Salt Typhoon
- SystemBC
- PHP-CGI RCE Attack on Japanese Organizations
- Water Gamayun
- XWorm
- Scattered Spider
- Interlock Ransomware
- 0bj3ctivity Stealer
- APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Hellcat Ransomware
- Microsoft WSUS CVE-2025-59287
- MuddyWater
- Axios Supply Chain Post Compromise
asset_type: Endpoint
mitre_attack_id:
- T1059.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog