powershell_events
=================

PowerShell script blocks reconstructed to their full script content. This table requires script block logging to be enabled on the host.

Platform support
----------------

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause queries from running if errors are detected.

- Windows

**Running a query against an unsupported platform will result in the following error:** ``no such table: powershell_events``

Table schema
------------

================== ======= ===============================================================================
Name               Type    Description
================== ======= ===============================================================================
time               BIGINT  Timestamp the event was received by the osquery event publisher
datetime           TEXT    System time at which the PowerShell script event occurred
script_block_id    TEXT    The unique GUID of the PowerShell script to which this block belongs
script_block_count INTEGER The total number of script blocks for this script
script_text        TEXT    The text content of the PowerShell script
script_name        TEXT    The name of the PowerShell script
script_path        TEXT    The path for the PowerShell script
cosine_similarity  DOUBLE  How similar the PowerShell script is to a provided 'normal' character frequency
================== ======= ===============================================================================

Query examples
--------------

.. code-block:: sql

   select * from powershell_events;

.. code-block:: sql

   select * from powershell_events where script_text like '%Invoke-Mimikatz%';

.. code-block:: sql

   select * from powershell_events where cosine_similarity < 0.25;
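To make the ``cosine_similarity`` column and the ``cosine_similarity < 0.25`` query concrete, the following added example (not osquery or Zercurity code) computes a character-frequency cosine similarity between a script block and a constructed 'normal' baseline. The baseline text, the sample blocks and the use of raw UTF-8 byte frequencies are assumptions here; a real deployment takes its reference frequencies from the osquery configuration, so the absolute values will differ.

```python
"""Character-frequency cosine similarity, illustrating powershell_events.cosine_similarity.

Added example, not osquery code. The baseline, samples and byte-level
frequency vector are constructed assumptions for illustration only.
"""
import math
from collections import Counter


def char_frequencies(text: str) -> dict:
    """Relative frequency of each UTF-8 byte value in the text."""
    counts = Counter(text.encode("utf-8", errors="replace"))
    total = sum(counts.values())
    return {b: n / total for b, n in counts.items()}


def cosine_similarity(freq_a: dict, freq_b: dict) -> float:
    """Cosine of the angle between two sparse frequency vectors (0.0 .. 1.0)."""
    dot = sum(freq_a[b] * freq_b.get(b, 0.0) for b in freq_a)
    norm_a = math.sqrt(sum(v * v for v in freq_a.values()))
    norm_b = math.sqrt(sum(v * v for v in freq_b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


# Constructed 'normal' baseline: an ordinary administrative script.
BASELINE_SCRIPT = """
Get-Service | Where-Object { $_.Status -eq 'Running' } | Sort-Object Name
Get-ChildItem -Path C:\\Logs -Filter *.log | Select-Object Name, Length
Write-Output "Done"
"""
NORMAL_FREQ = char_frequencies(BASELINE_SCRIPT)

# Constructed samples: a plain script block and a block made of digits,
# brackets and base64-looking text (it decodes to nothing meaningful).
PLAIN_SAMPLE = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"
OBFUSCATED_SAMPLE = "$a='QUJDRE9IRkdLTU5PUA==';$b=[char[]](71,72,73,74,75,76,77,78);$c=$b-join''"


def score(script_text: str) -> float:
    """Similarity of one script block to the constructed baseline, rounded to 3 places."""
    return round(cosine_similarity(char_frequencies(script_text), NORMAL_FREQ), 3)


if __name__ == "__main__":
    for name, text in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(f"{name:10s} cosine_similarity={score(text)}")
```

Blocks whose character distribution departs from the baseline score lower, which is the property the ``cosine_similarity < 0.25`` query relies on; the threshold itself must be tuned against the baseline actually configured.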