PowerShell is the tool attackers reach for first. Learn the three Windows logs that expose fileless attacks -- and how Texas IT teams turn them into detections.
PowerShell is the most powerful tool on every Windows network in Texas -- and it is also the tool attackers reach for first. It ships on every endpoint, it is trusted by default, and it can download, decode, and execute a payload entirely in memory without ever writing a file to disk. For a lean Texas IT team, the uncomfortable truth is this: if you cannot see what PowerShell is doing, you cannot see what an intruder is doing. This guide walks through the logging that turns PowerShell from a blind spot into your best source of detection.
Living-off-the-land is the dominant intrusion style in 2026, and PowerShell is the flagship of the technique. Instead of dropping a custom malware binary that endpoint protection might flag, an attacker abuses a signed, whitelisted Microsoft interpreter that is already present and already trusted. The appeal is obvious:
That same reach is exactly why disciplined logging matters. The goal is not to block PowerShell -- your own admins depend on it -- but to record enough detail that malicious use stands out from legitimate use.
Windows offers three distinct PowerShell logging capabilities, and each answers a different question. Turn on all three; they complement rather than replace one another.
Module logging records pipeline execution events -- which cmdlets ran and with what parameters. It writes Event ID 4103 to the Microsoft-Windows-PowerShell/Operational log. It is the lightest of the three and gives you a coarse activity trail, but on its own it can miss the obfuscated substance of what a script actually did.
Script block logging is the single most valuable setting. It captures the full, de-obfuscated text of every script block PowerShell compiles, logged as Event ID 4104. Because the engine records the code after it has been decoded, Base64 and string-concatenation tricks are unwound for you -- you see the real intent. Enable it via Group Policy under Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging. This is the log that turns a fileless attack into a readable transcript.
Over-the-shoulder transcription writes a plain-text record of everything typed and returned in a session to a file. Point it at a protected, write-only network share so an attacker on the endpoint cannot simply delete the evidence. Transcripts are gold during incident response because they capture output, not just input.
All of the logging above lives in modern PowerShell. The legacy Windows PowerShell 2.0 engine predates script block logging entirely, and attackers deliberately invoke it with powershell.exe -version 2 to downgrade around your visibility. If the v2 engine is still installed, your careful logging has a trapdoor under it. Remove the optional feature everywhere, and alert on any process that requests version 2 -- there is almost never a legitimate reason for it in a 2026 environment.
Local logs protect nothing if the machine they live on is compromised. The first thing a competent intruder does is clear event logs. Centralize aggressively:
Log forwarding should be one of the first things a managed IT services provider stands up, because it is the foundation every later detection depends on.
Once the logs are flowing, you need to know what to hunt for. High-signal indicators in Event ID 4104 include:
-EncodedCommand or -enc flag carrying a Base64 blob is a classic obfuscation tell.-WindowStyle Hidden, -NonInteractive, and -ExecutionPolicy Bypass together signal automation meant to stay unseen.IEX (New-Object Net.WebClient).DownloadString(...) and Invoke-WebRequest piped straight into execution.Get-ADUser, Get-ADComputer, or calls into Mimikatz-style functions.-version 2 request, as noted above.None of these is malicious in isolation -- your backup scripts and onboarding automation use some of them daily. Detection is about context: an encoded, hidden command spawned by a Word document at 2 a.m. from a user who never scripts is a very different event from your scheduled maintenance job.
Detection tells you what happened; hardening reduces what can happen. Two native controls pair well with logging:
Collecting 4104 events is necessary but not sufficient -- someone has to look. Build a small set of high-confidence detections first, then expand:
This tuning loop is exactly the work that continuous attack surface management and a mature insider threat program depend on. PowerShell telemetry also feeds the network-layer picture your NAC deployment and SASE architecture build out.
If you do only one thing this week, enable PowerShell Script Block Logging via Group Policy across every endpoint and confirm the 4104 events are forwarding to a central collector. That single change gives you a de-obfuscated record of code execution on every Windows machine -- the difference between finding out about an intrusion in minutes versus months. From there, remove PowerShell v2, stand up transcription to a protected share, and write your first three detection rules. If your team does not have the bandwidth to build and tune this, a co-managed or fully outsourced IT partner can deploy the whole pipeline in a matter of days.
LayerLogix helps IT and security teams across Texas turn PowerShell from a liability into a detection advantage. We support businesses in Houston, The Woodlands, Austin, Dallas, and San Antonio with logging deployment, SIEM onboarding, and 24/7 automated monitoring. Talk to our team about hardening your Windows fleet.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.