Powershell Script Block Logging
Description
Manual and Atomic Red Team testing to generate script block logging data.
MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1059.001 | PowerShell | Execution |
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | powershell_script_block_logging |
| Test Date | 2021-06-09 |
Datasets
The following datasets were collected during this attack simulation:
Windows-Powershell-Xml
- Path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows-Sysmon
- Path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Credaccess-Powershell
- Path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| PowerShell 4104 Hunting | Hunting | Endpoint | T1059.001 | Braodo Stealer, Cactus Ransomware, China-Nexus Threat Activity, CISA AA23-347A, CISA AA24-241A, Cleo File Transfer Software, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Medusa Ransomware, Rhysida Ransomware, Salt Typhoon, SystemBC, PHP-CGI RCE Attack on Japanese Organizations, Water Gamayun, XWorm, Scattered Spider, Interlock Ransomware, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287 |
| GetWmiObject Ds Group with PowerShell Script Block | TTP | Endpoint | T1069.002 | Active Directory Discovery |
| Mailsniper Invoke functions | TTP | Endpoint | T1114.001 | Data Exfiltration |
| GetWmiObject DS User with PowerShell Script Block | TTP | Endpoint | T1087.002 | Active Directory Discovery |
| Powershell Enable SMB1Protocol Feature | TTP | Endpoint | T1027.005 | Ransomware, Malicious PowerShell, Hermetic Wiper, Data Destruction |
| Powershell Fileless Process Injection via GetProcAddress | TTP | Endpoint | T1055, T1059.001 | Hellcat Ransomware, Malicious PowerShell, Hermetic Wiper, Data Destruction |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | TTP | Endpoint | T1201 | Active Directory Discovery, CISA AA23-347A |
| Powershell Remove Windows Defender Directory | TTP | Endpoint | T1562.001 | Data Destruction, WhisperGate |
| ServicePrincipalNames Discovery with PowerShell | TTP | Endpoint | T1558.003 | Hellcat Ransomware, Active Directory Discovery, Active Directory Kerberos Attacks, Malicious PowerShell, Active Directory Privilege Escalation |
| GetAdComputer with PowerShell Script Block | Hunting | Endpoint | T1018 | Active Directory Discovery, CISA AA22-320A, Medusa Ransomware, Gozi Malware |
| GetWmiObject Ds Computer with PowerShell Script Block | TTP | Endpoint | T1018 | Active Directory Discovery |
| GetDomainComputer with PowerShell Script Block | TTP | Endpoint | T1018 | Active Directory Discovery |
| GetWmiObject User Account with PowerShell Script Block | Hunting | Endpoint | T1059.001, T1087.001 | Winter Vivern, Active Directory Discovery, Malicious PowerShell |
| Powershell Creating Thread Mutex | TTP | Endpoint | T1027.005, T1059.001 | Malicious PowerShell, Water Gamayun |
| Detect Empire with PowerShell Script Block Logging | TTP | Endpoint | T1059.001 | Hellcat Ransomware, Malicious PowerShell, Hermetic Wiper, Data Destruction |
| Powershell Processing Stream Of Data | TTP | Endpoint | T1059.001 | Hellcat Ransomware, Malicious PowerShell, Medusa Ransomware, PXA Stealer, Data Destruction, Braodo Stealer, AsyncRAT, Hermetic Wiper, IcedID, XWorm, MoonPeak |
| Recon Using WMI Class | Anomaly | Endpoint | T1592, T1059.001 | Hermetic Wiper, Quasar RAT, Malicious PowerShell, Data Destruction, AsyncRAT, MoonPeak, LockBit Ransomware, Malicious Inno Setup Loader, Qakbot, Industroyer2, Scattered Spider |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | TTP | Endpoint | T1558.004 | Active Directory Kerberos Attacks, Interlock Ransomware |
| Powershell Get LocalGroup Discovery with Script Block Logging | Hunting | Endpoint | T1069.001 | Active Directory Discovery |
| Get DomainPolicy with Powershell Script Block | TTP | Endpoint | T1201 | Active Directory Discovery |
| Get-DomainTrust with PowerShell Script Block | TTP | Endpoint | T1482 | Active Directory Discovery |
| Delete ShadowCopy With PowerShell | TTP | Endpoint | T1490 | DarkSide Ransomware, Ransomware, Revil Ransomware, DarkGate Malware, Cactus Ransomware, VanHelsing Ransomware |
| Windows Enable PowerShell Web Access | TTP | Endpoint | T1059.001 | CISA AA24-241A, Malicious PowerShell |
| WMI Recon Running Process Or Services | Anomaly | Endpoint | T1592 | Malicious PowerShell, Hermetic Wiper, Data Destruction |
| GetDomainGroup with PowerShell Script Block | TTP | Endpoint | T1069.002 | Active Directory Discovery |
| Unloading AMSI via Reflection | TTP | Endpoint | T1059.001, T1562 | Malicious PowerShell, Hermetic Wiper, Data Destruction |
| GetNetTcpconnection with PowerShell Script Block | Hunting | Endpoint | T1049 | Active Directory Discovery |
| Detect Mimikatz With PowerShell Script Block Logging | TTP | Endpoint | T1003, T1059.001 | Hellcat Ransomware, Malicious PowerShell, Hermetic Wiper, Sandworm Tools, CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Scattered Spider |
| GetDomainController with PowerShell Script Block | TTP | Endpoint | T1018 | Active Directory Discovery |
| PowerShell Loading DotNET into Memory via Reflection | Anomaly | Endpoint | T1059.001 | Winter Vivern, AgentTesla, AsyncRAT, Hermetic Wiper, Malicious PowerShell, Data Destruction, 0bj3ctivity Stealer, Hellcat Ransomware |
| Powershell Fileless Script Contains Base64 Encoded Content | TTP | Endpoint | T1027, T1059.001 | Winter Vivern, Malicious PowerShell, Medusa Ransomware, Data Destruction, NjRAT, AsyncRAT, Hermetic Wiper, IcedID, XWorm, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287 |
| PowerShell Domain Enumeration | TTP | Endpoint | T1059.001 | Hermetic Wiper, Malicious PowerShell, CISA AA23-347A, Data Destruction, Interlock Ransomware, Microsoft WSUS CVE-2025-59287 |
Usage Instructions
Replay with Splunk Attack Data
Replay attack data with replay.py from Splunk Attack Data.
```bash
python replay.py --dataset /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log --index attack_data
```
Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0