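# Data-needed record for PowerShell event 4103 in the
# Microsoft-Windows-PowerShell/Operational channel.
# Layout restored to one key per line: in the collapsed form the inline
# "# redundant" comment swallowed every key that followed it.
title: DN_0037_4103_windows_powershell_executing_pipeline
# Still a placeholder. The sample below shows the event carrying a command
# invocation with its parameter bindings plus host/user context (ContextInfo).
description: >
  TODO
# Still a placeholder. Event 4103 is written when PowerShell module logging is
# enabled (Group Policy setting "Turn on Module Logging"); the policy entry that
# covers this belongs here, otherwise detections built on this record see no data.
loggingpolicy:
  - TODO
references:
  - https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md
category: OS Logs
platform: Windows
type: Applications and Services Logs
channel: Microsoft-Windows-PowerShell/Operational
provider: Microsoft-Windows-PowerShell
fields:
  - EventID
  - Computer
  - Hostname # redundant
  - ContextInfo
  - UserData
  - Payload
# NOTE(review): the XML element tags of the original event are absent in this
# copy; only the element values remain, in document order. The leading values
# look like EventID 4103, Version 1, Level 4, Task 106, Opcode 20, Keywords 0x0
# and EventRecordID 75824; confirm against the original capture.
#
# Detection notes on what the sample shows:
#   * The logged command is New-CimInstance creating an __EventFilter in the
#     root/subscription namespace, i.e. a WMI event subscription being
#     registered. "Command Name" together with the ParameterBinding values for
#     Namespace and ClassName is enough to match on that.
#   * The Property argument is recorded as its type name
#     ("System.Collections.Hashtable"), not its contents, so the filter's name
#     and query are not recoverable from this event alone. Correlate with script
#     block logging (event 4104) or WMI telemetry (e.g. Sysmon WmiEvent 19-21)
#     when the content matters.
#   * "User" holds the account that ran the pipeline; "Connected User" is empty
#     in this sample.
sample: |
  - - 4103 1 4 106 20 0x0 75824 Microsoft-Windows-PowerShell/Operational atc-win-10.atc.local
  - Severity = Informational
  Host Name = ConsoleHost
  Host Version = 5.1.17134.407
  Host ID = 3ff2018b-ab29-4049-a62d-851e5ca931ed
  Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Engine Version = 5.1.17134.407
  Runspace ID = 52c750e1-1c34-4244-a6eb-feadfd70a959
  Pipeline ID = 90
  Command Name = New-CimInstance
  Command Type = Cmdlet
  Script Name =
  Command Path =
  Sequence Number = 329
  User = atc-win-10\user1
  Connected User =
  Shell ID = Microsoft.PowerShell
  CommandInvocation(New-CimInstance): "New-CimInstance"
  ParameterBinding(New-CimInstance): name="Namespace"; value="root/subscription"
  ParameterBinding(New-CimInstance): name="ClassName"; value="__EventFilter"
  ParameterBinding(New-CimInstance): name="Property"; value="System.Collections.Hashtable"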