Windows Event ID 4103 — PowerShell Module Logging
Logged for each PowerShell pipeline execution, capturing the module and function called. Less detailed than Script Block Logging (4104) but lower overhead.
MITRE ATT&CK
T1059.001 · PowerShell
Execution
Why It Matters
Module logging captures command invocations even when scripts are obfuscated or downloaded in-memory. Attackers using PowerShell for C2, lateral movement, or credential access will generate 4103 events.
Key Fields
Investigation Tips
1. Look for Invoke-Mimikatz, Invoke-ReflectivePEInjection, or other known offensive module names.
2. PowerShell running as SYSTEM in a non-interactive context is suspicious.
3. Correlate with 4688 to see what launched PowerShell.
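The three tips above applied to log data, as an added example that is not part of the original page or the EventPeeker product: a small Python triage routine over constructed 4103 and 4688 records in the standard Windows event XML layout. The sample records are invented for illustration, the list of offensive module names is limited to the two the page cites, and the "non-interactive" check is a labelled heuristic on the 4103 Host Application command line (`-NonInteractive`, `-WindowStyle Hidden`), not a definition from the event schema. Correlation with 4688 uses the fact that the PowerShell process id appears in the 4103 record's System/Execution element and in the 4688 record's NewProcessId field (logged as a hex string).

```python
"""Triage constructed Event ID 4103 records against the three investigation tips."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Module/function names the page lists as worth hunting for in 4103 payloads.
OFFENSIVE_MODULES = {"invoke-mimikatz", "invoke-reflectivepeinjection"}

# Heuristic (assumption, not schema): command-line switches in the 4103
# "Host Application" field that indicate a hidden or non-interactive host.
NON_INTERACTIVE_RE = re.compile(r"-noni\w*|-w(?:indowstyle)?\s+hidden", re.I)


def parse_event(xml_text):
    """Return (event_id, process_id, {DataName: text}) for one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    pid = int(system.find("e:Execution", NS).get("ProcessID"))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS)}
    return event_id, pid, data


def parse_context_info(text):
    """4103 ContextInfo is a block of 'Key = Value' lines; turn it into a dict."""
    ctx = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            ctx[key.strip()] = value.strip()
    return ctx


def triage(records):
    """Apply the three tips to a list of event XML strings; return {pid: [findings]}."""
    parsed = [parse_event(r) for r in records]
    # Tip 3 index: 4688 logs NewProcessId as a hex string such as "0x1a2c".
    starts = {int(d["NewProcessId"], 16): d for eid, _, d in parsed if eid == 4688}
    results = {}
    for eid, pid, data in parsed:
        if eid != 4103:
            continue
        ctx = parse_context_info(data.get("ContextInfo", ""))
        findings = []
        # Tip 1: known offensive module names inside CommandInvocation(...).
        for name in re.findall(r"CommandInvocation\(([^)]+)\)", data.get("Payload", "")):
            if name.lower() in OFFENSIVE_MODULES:
                findings.append(f"offensive module invoked: {name}")
        # Tip 2: SYSTEM driving PowerShell from a hidden/non-interactive host.
        if (ctx.get("User", "").upper().endswith("NT AUTHORITY\\SYSTEM")
                and NON_INTERACTIVE_RE.search(ctx.get("Host Application", ""))):
            findings.append("SYSTEM running PowerShell non-interactively")
        # Tip 3: the 4688 for the same process id names what launched PowerShell.
        if pid in starts:
            findings.append(f"launched by {starts[pid]['ParentProcessName']}")
        results[pid] = findings
    return results


# Constructed sample records (not real telemetry). PID 6700 (0x1a2c) is a
# suspicious SYSTEM session; PID 4120 is an ordinary interactive user session.
SAMPLE_RECORDS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
    <Execution ProcessID="4" ThreadID="8"/><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4103</EventID>
    <Execution ProcessID="6700" ThreadID="6712"/>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel></System>
  <EventData>
    <Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        Host Application = powershell.exe -NonInteractive -WindowStyle Hidden -File C:\Windows\Temp\run.ps1
        Command Name = Invoke-Mimikatz
        User = NT AUTHORITY\SYSTEM</Data>
    <Data Name="Payload">CommandInvocation(Invoke-Mimikatz): "Invoke-Mimikatz"</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4103</EventID>
    <Execution ProcessID="4120" ThreadID="4132"/>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel></System>
  <EventData>
    <Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command Name = Get-ChildItem
        User = CORP\alice</Data>
    <Data Name="Payload">CommandInvocation(Get-ChildItem): "Get-ChildItem"
ParameterBinding(Get-ChildItem): name="Path"; value="C:\Users\alice"</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_RECORDS).items():
        print(pid, findings or ["no findings"])
```

Only the 4103 record for PID 6700 produces findings: the offensive module name, the SYSTEM-plus-hidden-host combination, and the parent process recovered from the matching 4688. In practice the same routine would run over records exported from the Microsoft-Windows-PowerShell/Operational and Security channels, with the module list extended to the names your environment considers hostile.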
Seeing Event ID 4103 in your own logs? Upload an .evtx file — EventPeeker flags PowerShell module logging events automatically, maps them to MITRE ATT&CK, and writes the triage report. No account needed; files are auto-deleted.
Go deeper: the full PowerShell Abuse — Living Off the Land guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.