Windows PowerShell Activities

PowerShell events are worth collecting because PowerShell is included by default in modern Windows installations. A failing PowerShell script may indicate misconfiguration, missing files, or malicious activity. The Get-MessageTrackingLog cmdlet can be used to enumerate Exchange Server mail metadata, returning detailed information about the history of each mail message that has traveled through the server.

SIEM Events

Remote Connection

PowerShell remoting connection (legacy). Event Source: Microsoft-Windows-Powershell. Event Log: Powershell.

Exception Raised

PowerShell exception raised. Event Source: Microsoft-Windows-Powershell. Event Log: Microsoft-Windows-Powershell/Operational.

Script Block Contents

PowerShell script block contents. Event Source: Microsoft-Windows-Powershell. Event Log: Microsoft-Windows-Powershell/Operational.

Script Block Start

PowerShell script block start. Event Source: Microsoft-Windows-Powershell. Event Log: Microsoft-Windows-Powershell/Operational.

Script Block End

PowerShell script block end. Event Source: Microsoft-Windows-Powershell. Event Log: Microsoft-Windows-Powershell/Operational.
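The script block contents events listed above are logged in fragments when a block is long, so an analyst reviewing them directly from the Microsoft-Windows-Powershell/Operational log needs to reassemble them. The following is an added example, not code from the AIS SIEM documentation; it assumes the standard script block logging event ID 4104 and its usual property order (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path), and it is run in an elevated session on the host being examined.

```powershell
# Added example: reassemble script block contents from the Operational log.
# Assumptions: event ID 4104 (script block logging) with property order
# MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Long blocks arrive as several 4104 events sharing one ScriptBlockId;
# group on that id and join the fragments in MessageNumber order.
$blocks = $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
    $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
    [pscustomobject]@{
        ScriptBlockId = $_.Name
        FirstSeen     = $parts[0].TimeCreated
        Path          = $parts[0].Properties[4].Value   # empty for interactive input
        Fragments     = $parts.Count
        Expected      = [int]$parts[0].Properties[1].Value
        Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
    }
}

# A block with fewer fragments than MessageTotal fell partly outside the time
# window; flag it so the partial text is not mistaken for the whole script.
$blocks | Where-Object { $_.Fragments -lt $_.Expected } | ForEach-Object {
    Write-Warning "Incomplete script block $($_.ScriptBlockId): $($_.Fragments)/$($_.Expected) fragments"
}

# Keep a reviewable record: one non-executable text file per block plus a summary.
$outDir = Join-Path $PWD 'scriptblocks'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($b in $blocks) {
    Set-Content -Path (Join-Path $outDir "$($b.ScriptBlockId).txt") -Value $b.Text -Encoding UTF8
}
$blocks | Sort-Object FirstSeen |
    Select-Object FirstSeen, ScriptBlockId, Path, Fragments, Expected,
        @{ n = 'Length'; e = { $_.Text.Length } } |
    Format-Table -AutoSize
```

The reassembled files are written with a .txt extension so that reviewing them never involves executing them.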

AIS Managed SIEM

Last modified March 24, 2021