[Osquery_manager] Powershell history artifact saved query #16079

tomsonpl · 2025-11-21T14:10:40Z

PowerShell History Artifact

The PowerShell History artifact provides comprehensive forensic visibility into PowerShell execution activity by capturing module logging (Event ID 4103), script block logging (Event ID 4104), and process creation with command line auditing (Event ID 4688). This multi-layered approach enables detection of obfuscated commands, full script execution analysis, and parent/child process relationship tracking for fileless malware investigations.

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
1	PowerShell History	✅	Windows	powershell_history_windows_elastic	a1b2c3d4	Comprehensive PowerShell forensic monitoring capturing module logging, script block logging, and process creation events

Queries by Platform

🪟 Windows - PowerShell Execution & Fileless Malware Detection

Description

Comprehensive PowerShell forensic monitoring query that captures three critical event types from Windows Event Logs to detect suspicious PowerShell activity and fileless malware execution. The query correlates module logging (Event ID 4103) for obfuscated command detection, script block logging (Event ID 4104) for full script content analysis, and process creation events (Event ID 4688) for command line auditing and process relationship tracking. This multi-layered approach provides complete visibility into PowerShell-based attacks aligned with MITRE ATT&CK technique T1059.001.

Detection Focus:

Obfuscated PowerShell commands through module logging context analysis
Full script execution content via script block logging capture
Command line parameters and encoded commands through process creation auditing
Parent/child process relationships for detecting PowerShell spawned from suspicious processes
Fileless malware execution patterns and in-memory script execution
Script block IDs for tracking multi-part PowerShell script execution
PowerShell provider activity and context information for attack chain analysis

Result

Query results provide three distinct data sets:

Event ID 4103: Provider name, context information, and payload data showing obfuscated command execution
Event ID 4104: Script block IDs, full script text, and script paths revealing complete PowerShell code execution
Event ID 4688: Command line arguments, process names, and parent process names for process creation correlation

This comprehensive approach enables security analysts to reconstruct complete PowerShell attack chains, from initial execution to payload delivery.

Platform

windows

Interval

300 seconds (5 minutes)

Query ID

powershell_history_windows_elastic

ECS Field Mappings

event.created → datetime
event.code → eventid
event.provider → provider_name
log.level → level
host.name → computer_name
process.pid → pid
process.thread.id → tid
event.action → task
powershell.provider.name → ProviderName
powershell.context_info → ContextInfo
powershell.payload → Payload
powershell.file.script_block_id → ScriptBlockId
powershell.file.script_block_text → ScriptBlockText
file.path → ScriptPath
process.command_line → CommandLine
process.name → ProcessName
process.parent.name → ParentProcessName

SQL Query

-- Comprehensive PowerShell Forensic Monitoring Query
-- Captures Event IDs 4103 (Module Logging), 4104 (Script Block Logging), 4688 (Process Creation)
-- Source: windows_eventlog table - Windows Event Logs (Historical)
-- Focus: Fileless malware detection, obfuscated command tracking, command line auditing
-- MITRE ATT&CK: T1059.001 (PowerShell)
-- Last updated: 2025-11-21

-- Query PowerShell Operational logs for Event IDs 4103 and 4104
SELECT
    datetime,
    eventid,
    provider_name,
    level,
    task,
    computer_name,
    channel,
    pid,
    tid,
    data,
    -- Event ID 4103: Module Logging - Extract obfuscated command context
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ProviderName')
        ELSE NULL
    END AS ProviderName,
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ContextInfo')
        ELSE NULL
    END AS ContextInfo,
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.Payload')
        ELSE NULL
    END AS Payload,
    -- Event ID 4104: Script Block Logging - Extract full script content
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockId')
        ELSE NULL
    END AS ScriptBlockId,
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockText')
        ELSE NULL
    END AS ScriptBlockText,
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.Path')
        ELSE NULL
    END AS ScriptPath,
    NULL AS CommandLine,
    NULL AS ProcessName,
    NULL AS ParentProcessName
FROM windows_eventlog
WHERE
    channel = 'Microsoft-Windows-PowerShell/Operational'
    AND eventid IN (4103, 4104)
UNION ALL
-- Query Security logs for Event ID 4688 (Process Creation)
SELECT
    datetime,
    eventid,
    provider_name,
    level,
    task,
    computer_name,
    channel,
    pid,
    tid,
    data,
    NULL AS ProviderName,
    NULL AS ContextInfo,
    NULL AS Payload,
    NULL AS ScriptBlockId,
    NULL AS ScriptBlockText,
    NULL AS ScriptPath,
    -- Event ID 4688: Process Creation - Extract command line and process hierarchy
    json_extract(data, '$.EventData.CommandLine') AS CommandLine,
    json_extract(data, '$.EventData.NewProcessName') AS ProcessName,
    json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName
FROM windows_eventlog
WHERE
    channel = 'Security'
    AND eventid = 4688
    AND data LIKE '%powershell%'
ORDER BY datetime DESC;

This PR was AI assisted by Claude Code

elasticmachine · 2025-11-21T15:00:59Z

💚 Build Succeeded

Buildkite Build
Commit: 00dad67

History

💔 Build #34480 failed da4e383

raqueltabuyo · 2025-11-24T15:10:31Z

What it is difference with powershell_events table? I am not sure if the data retrieved from this query will be parsed properly and if the whole powershell block is reconstructed to show the full content. https://osquery.io/schema/5.20.0/#powershell_events

tomsonpl added 3 commits November 21, 2025 14:56

powershell history artifact

6e195c3

fix

af21bcd

fix version

da4e383

tomsonpl added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 21, 2025

tomsonpl marked this pull request as ready for review November 21, 2025 14:11

tomsonpl requested a review from a team as a code owner November 21, 2025 14:11

tomsonpl requested review from joeypoon and pzl November 21, 2025 14:11

fix version

00dad67

tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch November 21, 2025 16:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Osquery_manager] Powershell history artifact saved query #16079

[Osquery_manager] Powershell history artifact saved query #16079

tomsonpl commented Nov 21, 2025

Uh oh!

elasticmachine commented Nov 21, 2025

Uh oh!

raqueltabuyo commented Nov 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

[Osquery_manager] Powershell history artifact saved query #16079

Are you sure you want to change the base?

[Osquery_manager] Powershell history artifact saved query #16079

Conversation

tomsonpl commented Nov 21, 2025

PowerShell History Artifact

Core Forensic Artifacts Coverage

Queries by Platform

Description

Result

Platform

Interval

Query ID

ECS Field Mappings

SQL Query

Uh oh!

elasticmachine commented Nov 21, 2025

💚 Build Succeeded

History

Uh oh!

raqueltabuyo commented Nov 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants