# Logging Powershell activities

**Hunting Fileless Malware & Powershell Activities:**

* **Event ID 4103** – Module logging – Attackers use obfuscated commands that call self-defined variables and system commands. Hunting this Event ID gives SOC operations a record of those obfuscated commands as pipeline execution details under Event ID 4103. It should be enabled so that the malicious commands are processed and captured.
* **Event ID 4104** – PowerShell Script Block Logging – Captures the entire script that is executed by remote machines, for example obfuscated scripts that are decoded and executed at run time.
* If a script block exceeds the maximum event log message size, script block logging splits it across multiple events, and suspicious commands are logged at the “Warning” level.

![](/files/M8DTQ7J2Uxv41iDYUSSh)

The figure above shows a script block ID generated for remote command execution from the computer “MSEDGEWIN10” under the security user ID **S-1-5-21-3461203602-4096304019-2269080069-1000**; the commands are fully encoded.

Enabling Event ID 4104 has the added benefit that commands obfuscated at run time are decoded, and all decoded scripts are logged under this event ID.

![](/files/BVGFd8vSPXX8PtDyS0Gw)

The figure above shows the encoded commands decoded at run time; the malicious code is trying to get the user's network credentials.

**Event ID 4688** – Audit Process Creation with Command Line Process Auditing – Enabling this Event ID logs the source process name that executes the malicious commands, captured in audit mode. Command line arguments are commonly leveraged in fileless attacks.

This gives insight into the parent and child process names that initiate the PowerShell commands or command line arguments.

### **Configuring PowerShell Event ID 4103/4104**:

Group Policy for logging configuration:

1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
2. Select: Turn on Module Logging, and Select: Enabled, Select: OK
3. Select: Turn on PowerShell Script Block Logging, and Select: Enabled, Select: Log script block invocation start/stop events

### **Configuring Event ID 4688**:

Group Policy for logging configuration:

1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking
2. Select: Audit Process Creation, Select: Success + Failure, Select: OK
3. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
4. Select: Include command line in process creation events, Select: Enabled, Select: OK
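Once both policies above are in place, the hunting described earlier (split 4104 script blocks, Warning-level blocks, and 4688 command lines carrying encoded PowerShell) can be done from the logs themselves. The script below is an added example, not code from the source article; the function names are my own, and it assumes the standard EventData field names of 4104 (`ScriptBlockId`, `MessageNumber`, `MessageTotal`, `ScriptBlockText`, `Path`) and 4688 (`NewProcessName`, `CommandLine`, `ParentProcessName`).

```powershell
# Added example (not from the source article). Run in an elevated PowerShell on a
# host where module, script block and process creation auditing are enabled;
# reading the Security log requires administrator rights.

function ConvertFrom-EventData {
    # Turn the <EventData> of a record into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $d = @{}
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-ReassembledScriptBlocks {
    # Join 4104 events split by the message-size limit, keyed by ScriptBlockId and ordered by MessageNumber.
    param([int]$MaxEvents = 2000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $blocks = @{}
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        $id = $d['ScriptBlockId']
        if (-not $blocks.ContainsKey($id)) {
            $blocks[$id] = @{ Total = [int]$d['MessageTotal']; Path = $d['Path']; Level = $e.LevelDisplayName; Parts = @{} }
        }
        $blocks[$id].Parts[[int]$d['MessageNumber']] = $d['ScriptBlockText']
    }
    foreach ($id in $blocks.Keys) {
        $b = $blocks[$id]
        $text = ($b.Parts.Keys | Sort-Object | ForEach-Object { $b.Parts[$_] }) -join ''
        [pscustomobject]@{ ScriptBlockId = $id; Level = $b.Level; Parts = "$($b.Parts.Count)/$($b.Total)"; Path = $b.Path; Text = $text }
    }
}

function Get-EncodedPowerShellLaunches {
    # 4688 records for PowerShell hosts whose command line carries -EncodedCommand (any accepted
    # prefix: -e, -ec, -enc, ...); decode it so the analyst sees parent process and plain-text command.
    param([int]$MaxEvents = 5000)
    foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d['NewProcessName'] -notmatch '\\(powershell(_ise)?|pwsh)\.exe$') { continue }
        $m = [regex]::Match([string]$d['CommandLine'], '\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
        catch { $decoded = '<not valid base64>' }
        [pscustomobject]@{ Time = $e.TimeCreated; Parent = $d['ParentProcessName']; Process = $d['NewProcessName']; Decoded = $decoded }
    }
}

# Split or Warning-level script blocks first, then encoded launches with their parent process.
Get-ReassembledScriptBlocks | Where-Object { $_.Level -eq 'Warning' -or $_.Parts -notmatch '^1/1$' } | Format-List
Get-EncodedPowerShellLaunches | Format-Table -AutoSize
```

The 4688 `CommandLine` field is empty unless the "Include command line in process creation events" policy from step 4 is enabled, in which case the second function returns nothing.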

Source: <https://www.socinvestigation.com/threat-hunting-using-powershell-and-fileless-malware-attacks/>
