Question
Tuesday, September 27, 2016 7:40 PM
I've set up PowerShell script block logging. Many of the events have a Task Category of "Execute a Remote Command." When I look at the event, it wasn't started from a remote computer and it isn't doing any PowerShell remoting to another machine. So what does that Task Category of "Execute a Remote Command" mean?
Thanks!
All replies (1)
Thursday, September 29, 2016 7:20 AM ✅Answered
Hi,
Don't worry. When script block logging is enabled, PowerShell will log the following events to the Microsoft-Windows-PowerShell/Operational log:
EventId | 4104 / 0x1008
Channel | Operational
Level | Verbose
Opcode | Create
Task | CommandStart
Keyword | Runspace
Message | Creating Scriptblock text (%1 of %2): %3 ScriptBlock ID: %4
The text embedded in the message is the text of the script block compiled. The ScriptBlock ID is a GUID retained for the life of the script block.
Note: Some script block texts (e.g. Get-ChildItem) might not truly be representative of their underlying functionality if that command was generated through PowerShell's dynamic keyword mechanism or an overridden function. For both of these situations, the original dynamic keyword definition (or malicious function definition) will be logged.
More information, please read this blog:
https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
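On the label itself: "Execute a Remote Command" is the task name carried by the 4104 event definition, so it appears on every script block event, local or remote. It is not a signal that remoting was involved, and nothing in the 4104 record says where the block came from. What the record does give you, per the message template quoted above, is the fragment index and count (%1 of %2), the text, and the ScriptBlock ID; long blocks are split across several 4104 events, so reading them back requires regrouping by ID. The following PowerShell is an added example, not code from the thread or from the linked blog. It assumes script block logging is enabled, that the caller can read the Microsoft-Windows-PowerShell/Operational log, and that Get-WinEvent exposes the template parameters as Properties[0..3] in the order MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId. The function names and the sample fragments are constructed for this example.

```powershell
# Added example (not from the original thread or the linked blog).
# Reassembles 4104 script block fragments by ScriptBlock ID and surfaces the
# task label each event carries. Assumes script block logging is enabled,
# read access to Microsoft-Windows-PowerShell/Operational, and that the 4104
# Properties array is ordered MessageNumber, MessageTotal, ScriptBlockText,
# ScriptBlockId (the %1..%4 of the message template).

function ConvertTo-ScriptBlockRecord {
    # Takes 4104 event objects (real or constructed) and returns one record
    # per ScriptBlock ID with the fragments joined back in order.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Event
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Event) }
    end {
        $all |
            Group-Object { $_.Properties[3].Value } |
            ForEach-Object {
                # Fragments are not guaranteed to be read in order; sort by %1
                $parts    = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
                $first    = $parts[0]
                $expected = [int]$first.Properties[1].Value
                [pscustomobject]@{
                    ScriptBlockId = [string]$_.Name
                    TimeCreated   = $first.TimeCreated
                    TaskCategory  = $first.TaskDisplayName   # fixed label for event 4104
                    Level         = $first.LevelDisplayName
                    Fragments     = $parts.Count
                    Expected      = $expected
                    Complete      = ($parts.Count -eq $expected)
                    Text          = -join ($parts | ForEach-Object { $_.Properties[2].Value })
                }
            }
    }
}

function Get-LoggedScriptBlock {
    # Pulls the newest 4104 events from the live log and reassembles them.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction Stop | ConvertTo-ScriptBlockRecord
}

# --- Constructed sample (not real log data) so the reassembly can be run offline ---
$id = [guid]::NewGuid().ToString()
$fragment = {
    param($n, $total, $text, $sbid)
    [pscustomobject]@{
        TimeCreated      = Get-Date
        TaskDisplayName  = 'Execute a Remote Command'
        LevelDisplayName = 'Verbose'
        Properties       = @(
            [pscustomobject]@{ Value = $n },
            [pscustomobject]@{ Value = $total },
            [pscustomobject]@{ Value = $text },
            [pscustomobject]@{ Value = $sbid }
        )
    }
}
# Two-part block, deliberately supplied out of order
$sample = @(
    (& $fragment 2 2 'FromBase64String($payload)))' $id),
    (& $fragment 1 2 'IEX ([Text.Encoding]::Unicode.GetString([Convert]::' $id)
)
$sample | ConvertTo-ScriptBlockRecord | Format-List

# --- Against the live log (uncomment on a host with script block logging on) ---
# $blocks = Get-LoggedScriptBlock -MaxEvents 200
# $blocks | Group-Object TaskCategory | Select-Object Name, Count
# $blocks | Where-Object { -not $_.Complete } | Select-Object ScriptBlockId, Fragments, Expected
# $blocks | Where-Object { $_.Text -match 'FromBase64String|-EncodedCommand|Invoke-Expression' } |
#     Select-Object TimeCreated, Level, ScriptBlockId, Text
```

The constructed sample exercises the case that trips up naive parsing: fragments arriving out of order, which the sort on the fragment index puts right before joining. Against a real log, grouping the reassembled records by TaskCategory yields a single group, which is the practical demonstration that the label is per event ID rather than per origin; the Complete flag catches blocks whose remaining fragments have not been written yet or have already rolled out of the log, and the final filter is a starting point for pulling full text of blocks that decode and execute payloads.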