Wazuh Powershell 4104


никита какдела

Mar 31, 2026, 8:03:47 AM (7 days ago) Mar 31
to Wazuh | Mailing List
Hello guys, are you planning to fix the event ID 4104 events? Currently they don't include any information about the initiator.
So are you planning to enrich these events? Thanks!

Example: 

"Creating Scriptblock text (1 of 1):
{
    # Check the size (1MB = 1048576 bytes)
    if ($_.Length -gt $MaxSizeMB * 1MB) {
        try {
            $Date = Get-Date -Format "yyyy-MM-dd_HH-mm"
            # Build the name: base_2023-10-27_10-00.log
            $NewName = "{0}_{1}{2}" -f $_.BaseName, $Date, $_.Extension
            $DestPath = Join-Path $ArchivePath $NewName
            # Copy to the archive
            Copy-Item $_.FullName -Destination $DestPath -Force
            # Clear the original (so the application keeps writing to the same file)
            Clear-Content $_.FullName -Force
            Write-Host "Rotated: $($_.Name) -> $NewName"
        } catch {
            Write-Warning "Failed to rotate $($_.FullName): $_"
        }
    }
}
ScriptBlock ID: 4738b5f0-0ad3-428d-8cf4-77423db026ca
Path: C:\distr\WinSCP-6.3.4-Automation\Rotate-Logs.ps1"

Javier Medeot

Mar 31, 2026, 9:29:19 AM (6 days ago) Mar 31
to Wazuh | Mailing List
Hi. I'm not aware of any plans concerning event ID 4104. But in any case, what you are seeing is a limitation of Windows event ID 4104 itself. It is designed to log the script content: it tells you what was executed, not the context of the execution. So there's nothing to 'fix' here on the Wazuh side, since the information is not there. The missing initiator is a Windows limitation; it's not in the Wazuh integration.

However, you can correlate with other Windows events, such as event ID 4688 "A new process has been created", or use Sysmon. You would be looking for timestamp proximity between both events and the same ProcessID to get who executed the script. In addition, you can create custom Wazuh rules to be alerted about the specific conditions you need to monitor. Maybe you can provide further details of what you need and we can try to come up with further ideas.

Let me know if this is what you need to know here. Thank you.

никита какдела

Apr 1, 2026, 7:42:42 AM (6 days ago) Apr 1
to Wazuh | Mailing List
In such a scenario, it is impossible to enrich the alert with sufficient information. Right now you can only see the script running or the command executing, but not the initiator. As far as I know, the 4104 event gives the SID, but it does not reach Wazuh. Will this be fixed? Or how is it possible to set up correlation and enrich events using Wazuh?

On Tuesday, March 31, 2026 at 16:29:19 UTC+3, Javier Medeot wrote:

Javier Medeot

Apr 1, 2026, 5:07:04 PM (5 days ago) Apr 1
to Wazuh | Mailing List
I see what you mean.

Ok, it's true: event ID 4104 does include a SID, but it is located in the System/Security/UserID field of the XML. Currently this is not parsed by Wazuh, as you can see already raised in this issue:
So, you've found an architectural limitation of the Wazuh agent.

You can subscribe to that issue, comment on it, or even create a new one for your case. However, if I'm interpreting your needs correctly, even if that Security UserID attribute were extracted, you would still need to correlate with another event, such as event ID 4688 (process creation) or Sysmon event ID 1 as mentioned before, to get better context.

To correlate alerts, you can create a custom rule that triggers if both event ID 4104 and event ID 4688 (or the Sysmon event) have fired within a given period of time. You'll be using these rule parameters in your custom rule for this.
And it could look something similar to this (an untested example, just for your reference):

<group name="windows,">
  <!-- The parent rule IDs in if_sid are the original post's untested values;
       check them against the ruleset loaded on your manager (for example with
       /var/ossec/bin/wazuh-logtest) before relying on these rules. -->
  <rule id="100100" level="5">
    <if_sid>91801</if_sid>
    <field name="win.system.eventID">^4104$</field>
    <description>PowerShell ScriptBlock executed</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>6001</if_sid>
    <field name="win.system.eventID">^4688$</field>
    <description>Process created by user $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- win.system.processID cannot be the join key: in 4688 it is the PID of the
       auditing process that wrote the event, while the created process is in
       win.eventdata.newProcessId (a hex string), and same_field can only compare
       one identically named field across both events. Scope the match to the
       same host instead and let the timeframe do the rest. -->
  <rule id="100102" level="10" frequency="1" timeframe="10">
    <if_sid>100101</if_sid>
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.system.computer</same_field>
    <description>Correlated: PowerShell script execution with process creation on $(win.system.computer) by user $(win.eventdata.subjectUserName)</description>
  </rule>
</group>

But the order in which the events trigger does matter, and the user details might be available on alert 100101 only.

Let me know if this kind of approach could work for you. Thanks.
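The correlation described in both of Javier's replies (timestamp proximity plus the process ID, and the SID that sits in 4104's System/Security/UserID), as an added example that is not part of the thread and is not Wazuh or Microsoft code. The script parses constructed 4104 and 4688 events laid out as Windows Event Log XML (the hostnames, SIDs, PIDs, GUIDs, paths and script text are invented; the field placement follows the real schema), pulls the user SID out of 4104's System/Security/UserID, and joins 4104's System/Execution/ProcessID to 4688's EventData/NewProcessId after converting the hex string. It also shows why a `<same_field>win.system.processID</same_field>` comparison between these two events never matches: in 4688 that attribute is the PID of the auditing process, not of the created one. The join deliberately takes the latest 4688 before the script block with no upper time bound, because a PowerShell process keeps logging 4104 events for its whole lifetime, which a 10-second rule timeframe would miss.

```python
"""Recover the initiator of a PowerShell 4104 script-block event by joining it
to the 4688 event that created the PowerShell host process.

Added example (not Wazuh or Microsoft code). Events are constructed samples in
the Windows Event Log XML layout; all names, SIDs, PIDs, GUIDs and paths are
invented. Field placement follows the real schema: 4104 carries the user SID
only in System/Security/@UserID and the host PID in System/Execution/@ProcessID;
4688 carries the created PID in EventData/NewProcessId as a hex string, while
its System/Execution/@ProcessID is the auditing process, not the new one.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": XMLNS}


def make_event(event_id, time, computer, exec_pid, user_id, data):
    """Build a minimal Windows event XML string (constructed test data)."""
    security = f'<Security UserID="{user_id}"/>' if user_id else "<Security/>"
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{XMLNS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            f'<Execution ProcessID="{exec_pid}" ThreadID="1"/>{security}'
            f"</System><EventData>{body}</EventData></Event>")


def parse_event(xml_text):
    """System attributes (what Wazuh maps to win.system.*, plus the UserID it
    does not map) and the EventData pairs (what it maps to win.eventdata.*)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": datetime.fromisoformat(when.replace("Z", "+00:00")),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "exec_pid": int(system.find("e:Execution", NS).get("ProcessID")),
        "user_sid": system.find("e:Security", NS).get("UserID"),
        "data": {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def same_field_processid_matches(script_block, process_creation):
    """What <same_field>win.system.processID</same_field> would compare: the
    Execution PID of both events. False even for the correct pair."""
    return script_block["exec_pid"] == process_creation["exec_pid"]


def correlate(events):
    """For every 4104, pick the latest 4688 on the same host whose NewProcessId
    (hex) equals the 4104 host PID and is not later than the script block.
    Latest-wins copes with PID reuse; no upper time bound, since a process
    logs script blocks for its whole lifetime, not only at start."""
    creations = [e for e in events if e["event_id"] == 4688]
    enriched = []
    for sb in (e for e in events if e["event_id"] == 4104):
        candidates = [pc for pc in creations
                      if pc["computer"] == sb["computer"]
                      and int(pc["data"]["NewProcessId"], 16) == sb["exec_pid"]
                      and pc["time"] <= sb["time"]]
        match = max(candidates, key=lambda pc: pc["time"], default=None)
        enriched.append({
            "script_block_id": sb["data"]["ScriptBlockId"],
            "path": sb["data"].get("Path"),
            "host_pid": sb["exec_pid"],
            "sid_from_4104": sb["user_sid"],
            "initiator": None if match is None else
                f'{match["data"]["SubjectDomainName"]}\\{match["data"]["SubjectUserName"]}',
            "command_line": None if match is None else match["data"].get("CommandLine"),
        })
    return enriched


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS = [parse_event(x) for x in (
    # 4688: powershell.exe started as PID 0x1a2c (6700) by EXAMPLE\svc_rotate
    make_event(4688, "2026-03-31T05:03:40.900Z", "host01", 4, None, {
        "SubjectUserSid": SID, "SubjectUserName": "svc_rotate",
        "SubjectDomainName": "EXAMPLE", "NewProcessId": "0x1a2c",
        "CommandLine": r"powershell.exe -File C:\distr\Rotate-Logs.ps1"}),
    # 4688 decoy: unrelated process, same host, same second
    make_event(4688, "2026-03-31T05:03:41.000Z", "host01", 4, None, {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "SubjectDomainName": "NT AUTHORITY", "NewProcessId": "0x2b0c",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"}),
    # 4104 from host PID 6700, 350 ms after creation
    make_event(4104, "2026-03-31T05:03:41.250Z", "host01", 6700, SID, {
        "ScriptBlockText": r"Get-ChildItem $ArchivePath | Where-Object Length -gt 1MB",
        "ScriptBlockId": "0f1e2d3c-0000-4000-8000-000000000001",
        "Path": r"C:\distr\Rotate-Logs.ps1"}),
    # 4104 from the same process five minutes later: outside a 10 s timeframe
    make_event(4104, "2026-03-31T05:08:41.000Z", "host01", 6700, SID, {
        "ScriptBlockText": "Clear-Content $_.FullName -Force",
        "ScriptBlockId": "0f1e2d3c-0000-4000-8000-000000000002",
        "Path": r"C:\distr\Rotate-Logs.ps1"}),
    # 4104 on another host that happens to use PID 6700: must not be matched
    make_event(4104, "2026-03-31T05:03:41.300Z", "host02", 6700, SID, {
        "ScriptBlockText": "whoami",
        "ScriptBlockId": "0f1e2d3c-0000-4000-8000-000000000003"}),
)]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Running it prints three enriched rows: the two host01 script blocks resolve to EXAMPLE\svc_rotate with the launching command line, including the block logged five minutes after process start, and the host02 block stays unresolved because the PID match is scoped to the same computer. The decoy 4688 is ignored because its NewProcessId does not convert to the 4104 host PID.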