Now enabled by default, this event is logged whenever a script is run through PowerShell.
- Behavioral - Execution (TA0002)
- Execution - Process Tree
- Execution - First Executed
- File - Path
- Account - Security Identifier (SID)
- Windows 11
- Windows 10
- Windows 8
- Windows 7
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
The Level field (available in PowerShell5.0) may indicate a suspicious script. If its value is Warning this indicates the script was flagged as suspicious based on its contents.
The ScriptBlock ID is used to uniquely identify a script across multiple 4104 events. Large scripts may be split across multiple events, to reconstruct the full script, concatenate all the events with this unique ID together.
The Path field indicates the full path to the executed script.
The ProcessID field indicates the parent process ID (PID) that executed the script.
The UserID field contains the SID of the user that executed the script.
The timestamp of the event indicates the time at which the script, identified by the field ScriptBlock ID was executed for the first time.
The Creator Process ID field may be cross-referenced with Security/4688: A new process has been created.
This event is only logged the first time that a script is executed.
This event will not capture the resultant output of an executed script as module logging does.