powershell_events

PowerShell script blocks reconstructed to their full script content. This table requires PowerShell script block logging to be enabled on the endpoint: osquery reads the script block events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and reassembles the fragments of each script into a single row. Script block logging is turned on through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or by setting the DWORD value EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. In upstream osquery the PowerShell event subscriber is also off by default and is enabled with the --enable_powershell_events_subscriber flag; confirm this is set for the osquery version your agents run, otherwise the table exists but stays empty.

Platform support

Please be aware that some queries can only be run against certain platforms. The platforms this table supports are listed below. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: powershell_events

  • Windows

Table schema

Name                 Type      Description
time                 BIGINT    Timestamp (Unix epoch) at which the event was received by the osquery event publisher
datetime             TEXT      System time at which the PowerShell script event occurred
script_block_id      TEXT      The unique GUID of the PowerShell script to which this block belongs
script_block_count   INTEGER   The total number of script blocks (4104 event fragments) for this script
script_text          TEXT      The text content of the PowerShell script, reassembled from all of its script blocks
script_name          TEXT      The name of the PowerShell script
script_path          TEXT      The path for the PowerShell script
cosine_similarity    DOUBLE    How similar the character frequency of script_text is to a provided 'normal' character frequency

Because script block logging records what the PowerShell engine actually executed, script_text holds the decoded script even when it was launched via -EncodedCommand; keyword matches on script_text therefore work regardless of command-line encoding. The cosine_similarity column is a cosine similarity between the character-frequency vector of script_text and a baseline vector supplied through the osquery configuration: values close to 1.0 look like ordinary script text, while values close to 0 indicate an unusual character distribution such as heavily obfuscated or Base64-packed content. It is a heuristic, so use it to prioritise review rather than as a verdict on its own.

Query examples

select * from powershell_events;
select * from powershell_events where script_text like '%Invoke-Mimikatz%';
select * from powershell_events where cosine_similarity < 0.25;
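The three queries above each check one thing. The following query is an added example (it is not part of the original page and not Zercurity's or osquery's own code) that combines them into a single triage query: it tags each recent script with the reason it was flagged and surfaces a preview of the reassembled script. The keyword list, the 0.25 threshold and the one-hour window are illustrative assumptions to tune for your environment; it uses only SQLite syntax and osquery's built-in time table.

```sql
-- Added example, not from the original page. Classify recent PowerShell
-- scripts from powershell_events by common offensive tradecraft keywords
-- and by the cosine_similarity baseline check, then return only the ones
-- that matched. Keyword list and threshold are illustrative assumptions.
WITH classified AS (
  SELECT
    datetime,
    script_block_id,
    script_block_count,
    script_path,
    ROUND(cosine_similarity, 3) AS similarity,
    CASE
      -- Nested launches that pass a base64 payload on the command line.
      WHEN script_text LIKE '%-EncodedCommand%' OR script_text LIKE '% -enc %'
        THEN 'encoded_command'
      -- In-script decoding of packed payloads.
      WHEN script_text LIKE '%FromBase64String%'
        THEN 'base64_decode'
      -- Download cradles.
      WHEN script_text LIKE '%DownloadString%'
        OR script_text LIKE '%DownloadFile%'
        OR script_text LIKE '%Invoke-WebRequest%'
        THEN 'download_cradle'
      -- Known tooling or dynamic evaluation (the page's Invoke-Mimikatz example).
      WHEN script_text LIKE '%Invoke-Mimikatz%'
        OR script_text LIKE '%Invoke-Expression%'
        OR script_text LIKE '% IEX %'
        THEN 'known_tool_or_iex'
      -- Character distribution far from the configured 'normal' baseline.
      WHEN cosine_similarity < 0.25
        THEN 'low_similarity'
    END AS reason,
    -- First 200 characters for quick triage; fetch the full script_text
    -- by script_block_id when investigating a hit.
    SUBSTR(script_text, 1, 200) AS script_preview
  FROM powershell_events
  -- Restrict to the last hour using osquery's built-in time table.
  WHERE time > (SELECT unix_time FROM time) - 3600
)
SELECT
  datetime,
  script_block_id,
  script_block_count,
  script_path,
  similarity,
  reason,
  script_preview
FROM classified
WHERE reason IS NOT NULL
ORDER BY similarity ASC, datetime DESC;
```

SQLite's LIKE is case-insensitive for ASCII, which matches PowerShell's own case-insensitivity, so 'invoke-mimikatz' and 'Invoke-MimiKatz' both hit. The keyword branches catch scripts whose decoded text is readable; scripts that assemble their cmdlet names at runtime (string concatenation, character arrays, format-string tricks) slip past them, which is where the low_similarity branch earns its place. Expect the occasional legitimate installer or build script to trip the download_cradle and known_tool_or_iex rules, so pair the result with script_path before escalating.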