

change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI…
…) and SIGMA #28

WELA-Rules: all completed
SIGMA: 20 completed
hitenkoku committed Sep 20, 2021
1 parent 77fb2a3 commit 5099064
Showing 41 changed files with 106 additions and 17 deletions.
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_account_backdoor_dcsync_rights.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_account_backdoor_dcsync_rights";
$detectedMessage = "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using PowerviewAdd-DomainObjectAcl DCSync";
$result = $event | where { ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "AttributeValue.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "AttributeValue.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
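Review bot: The new `$detectedMessage` on line 25 runs the tool and cmdlet names together ("PowerviewAdd-DomainObjectAcl"), and this string is what the analyst sees on every hit, so it should read as a sentence: `$detectedMessage = "Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account, e.g. via PowerView Add-DomainObjectAcl (DCSync rights)";`. The doubled `.*.*` in the three AttributeValue patterns on line 26 is harmless but redundant; a single `.*` reads better. The Add-Rule body continues outside the hunk.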
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_account_discovery.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_account_discovery";
$detectedMessage = "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs";
$result = $event | where { (($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP")) -and (($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555") -or ($_.message -match "ObjectName.*.*admin.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
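Review bot: The SID suffix patterns on line 38 are open-ended: `ObjectName.*.*-512` also matches `-5120` or `-51234`, because `-match` is an unanchored search and nothing terminates the number, so any RID that merely starts with those digits is reported as a privileged-group lookup. These are presumably endswith conditions in the Sigma source, so each alternative should stop at a word boundary, e.g. `$_.message -match "ObjectName.*-512\b"` (likewise for -502, -500, -505, -519, -520, -544, -551 and -555). The doubled `.*.*` can be a single `.*`. Add-Rule continues past the hunk.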
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_ad_object_writedac_access.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_ad_object_writedac_access";
$detectedMessage = "Detects WRITE_DAC access to a domain object";
$result = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_ad_replication_non_machine_account";
$detectedMessage = "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.";
$result = $event | where { (($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
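Review bot: The machine-account exclusion on line 63, `-not ($_.message -match "SubjectUserName.*.*$" ...)`, never tests for a trailing dollar in the account name: a `$` directly before the closing quote of a double-quoted PowerShell string is kept literally, so the regex engine receives `$` as its end-of-input anchor and the pattern matches whenever the SubjectUserName text happens to sit on the last line of the message, whatever the account is. That clause is the rule's main false-positive filter (computer accounts replicate legitimately), so the detection either fires on everything or on nothing depending on message layout. Escape the dollar and keep the pattern single-quoted so nothing is interpolated: `$_.message -match 'SubjectUserName.*\$'`. This also assumes `$_.message` carries the XML field name SubjectUserName rather than the rendered "Account Name:" label; worth confirming against a real 4662 record. Add-Rule continues outside the hunk.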
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_ad_user_enumeration.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_ad_user_enumeration";
$detectedMessage = "Detects access to a domain user from a non-machine account";
$result = $event | where { (($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
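Review bot: `"SubjectUserName.*.*$"` on line 75 does not express "account name ends with $": the trailing `$` survives PowerShell's double-quoted string as a literal character and is then interpreted by the regex engine as an end-of-input anchor, so the `-not` clause excludes events based on where SubjectUserName sits in the message rather than on whether the actor is a machine account. Use `$_.message -match 'SubjectUserName.*\$'` so the dollar is matched literally and nothing in the pattern is interpolated. Add-Rule continues beyond the hunk.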
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_admin_rdp_login.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_admin_rdp_login";
$detectedMessage = "Detect remote login by Administrator user (depending on internal pattern).";
$result = $event | where { ($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "TargetUserName.*Admin.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_admin_share_access.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {(($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_admin_share_access";
$detectedMessage = "Detects access to $ADMIN share";
$result = $event | where { (($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
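Review bot: `$detectedMessage = "Detects access to $ADMIN share"` on line 101 interpolates a variable named `$ADMIN` (double quotes expand it), so the printed message reads "Detects access to  share" unless something elsewhere happens to define `$ADMIN`; write it as `$detectedMessage = 'Detects access to $ADMIN share';`. The filter on line 102 has the mirror-image problem: in `"ShareName.*Admin$"` and `"SubjectUserName.*.*$"` the `$` reaches the regex engine as an end-of-input anchor, not the literal dollar that closes ADMIN$ and machine-account names, so neither clause tests what the Sigma rule intends. Use `'ShareName.*Admin\$'` and `'SubjectUserName.*\$'`. Add-Rule continues outside the hunk.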
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_alert_active_directory_user_control";
$detectedMessage = "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.";
$result = $event | where { ($_.ID -eq "4704" -and ($_.message -match ".*SeEnableDelegationPrivilege.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_alert_ad_user_backdoors.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_alert_ad_user_backdoors";
$detectedMessage = "Detects scenarios where one can control another users or computers account without having to use their credentials.";
$result = $event | where { (((((($_.ID -eq "4738" -and -not ($_.message -match "AllowedToDelegateTo.*-")) ) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_alert_enable_weak_encryption.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_alert_enable_weak_encryption";
$detectedMessage = "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.";
$result = $event | where { ($_.ID -eq "4738" -and ($_.message -match ".*DES.*" -or $_.message -match ".*Preauth.*" -or $_.message -match ".*Encrypted.*") -and ($_.message -match ".*Enabled.*")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
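Review bot: `-match` is case-insensitive in PowerShell, so `".*DES.*"` on line 138 fires on any "des" substring in the 4738 text (a display name such as "Desmond", a home-directory path) and not only on the DES encryption-type flag, and `".*Enabled.*"` is broad enough that such an event may satisfy the second clause as well. Use the case-sensitive operator for the acronym, `$_.message -cmatch "DES"`, and drop the `.*` wrappers, which an unanchored search already implies. Add-Rule continues beyond the hunk.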
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_alert_lsass_access.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_alert_lsass_access";
$detectedMessage = "Detects Access to LSASS Process";
$result = $event | where { ($_.ID -eq "1121" -and $_.message -match "Path.*.*\\lsass.exe") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_alert_mimikatz_keywords.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_alert_mimikatz_keywords";
$detectedMessage = "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)";
$result = $event | where { ($_.message -match ".*mimikatz.*" -or $_.message -match ".*mimilib.*" -or $_.message -match ".*<3 eo.oe.*" -or $_.message -match ".*eo.oe.kiwi.*" -or $_.message -match ".*privilege::debug.*" -or $_.message -match ".*sekurlsa::logonpasswords.*" -or $_.message -match ".*lsadump::sam.*" -or $_.message -match ".*mimidrv.sys.*" -or $_.message -match ".* p::d .*" -or $_.message -match ".* s::l .*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
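Review bot: Every alternative on line 163 is wrapped in `.*…​.*`, which `-match` already implies because it is an unanchored search, so the ten `-or` clauses can collapse into one alternation that is easier to audit: `$_.message -match "mimikatz|mimilib|<3 eo\.oe|eo\.oe\.kiwi|privilege::debug|sekurlsa::logonpasswords|lsadump::sam|mimidrv\.sys| p::d | s::l "`. The dots in `eo.oe` and `mimidrv.sys` are regex metacharacters in the current form, so escaping them as shown makes the keywords slightly stricter, which is the intent. Note also that this rule has no ID or log filter, so it scans every event's message, which is fine for the purpose but is worth a comment such as `# keyword sweep: intentionally not restricted to an event ID`. Add-Rule continues outside the hunk.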
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_alert_ruler.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {(((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_alert_ruler";
$detectedMessage = "This events that are generated when using the hacktool Ruler by Sensepost";
$result = $event | where { (((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_applocker_file_was_not_allowed_to_run";
$detectedMessage = "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.";
$result = $event | where { (($_.message -match "Microsoft-Windows-AppLocker/MSI and Script" -or $_.message -match "Microsoft-Windows-AppLocker/EXE and DLL" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Deployment" -or $_.message -match "Microsoft-Windows-AppLocker/Packaged app-Execution") -and ($_.ID -eq "8004" -or $_.ID -eq "8007")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
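Review bot: The channel test on line 189 searches for the AppLocker log names inside `$_.message`, whereas the WELA rules in this same commit select the channel with `$_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL"`; the rendered 8004/8007 message text is unlikely to contain its own channel name, so this rule probably never fires. Switch to the property the other rules use: `($_.LogName -in @("Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution")) -and ($_.ID -eq "8004" -or $_.ID -eq "8007")`. Add-Rule continues outside the hunk.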
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_apt_carbonpaper_turla.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_apt_carbonpaper_turla";
$detectedMessage = "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET";
$result = $event | where { ($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_apt_stonedrill.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -Like "* LocalService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_apt_stonedrill";
$detectedMessage = "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky";
$result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -Like "* LocalService") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_apt_turla_service_png.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_apt_turla_service_png";
$detectedMessage = "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018";
$result = $event | where { ($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_arbitrary_shell_execution_via_settingcontent";
$detectedMessage = "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create ""shortcuts"" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.";
$result = $event | where { ($_.message -match "CommandLine.*.*.SettingContent-ms.*" -and -not (($_.message -match "FilePath.*.*immersivecontrolpanel.*"))) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
2 changes: 2 additions & 0 deletions Rules/SIGMA/builtin/win_atsvc_task.ps1
Expand Up @@ -12,6 +12,8 @@ function Add-Rule {
$event
)

$ruleName = "win_atsvc_task";
$detectedMessage = "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe";
$result = $event | where { ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
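Review bot: `"ShareName.*\\.*\\IPC$"` on line 254 does not match the literal share name `\\*\IPC$`: the trailing `$` survives the double-quoted string as a literal character and is then read by the regex engine as an end-of-input anchor, so the clause requires "IPC" at the very end of the message text instead of the dollar that closes the share name. Escape it and use single quotes so PowerShell cannot interpolate anything: `$_.message -match 'ShareName.*\\.*\\IPC\$'`. The same fix applies to every generated pattern that ends in `$`. Add-Rule continues beyond the hunk.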
4 changes: 3 additions & 1 deletion Rules/SIGMA/builtin/win_audit_cve.ps1
Expand Up @@ -12,7 +12,9 @@ function Add-Rule {
$event
)

$result = $event | where {($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
$ruleName = "win_audit_cve";
$detectedMessage = "Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)";
$result = $event | where { ($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
if ($result.Count -ne 0) {
Write-Host
Write-Host "Detected! RuleName:$ruleName";
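Review bot: The only condition on line 267 is `$_.message -match "Source.*Microsoft-Windows-Audit-CVE"`, i.e. it expects the provider name to appear in the message body; Audit-CVE events are identified by their provider, which Get-WinEvent exposes as a property, so the rule should presumably read `$_.ProviderName -eq "Microsoft-Windows-Audit-CVE"` unless WELA's `$event` objects embed the provider name in `.message`, which is worth confirming against a real record. If the message match is kept, a comment saying why (`# provider name is part of .message in WELA's event objects`) would stop the next reader from "fixing" it. Add-Rule continues outside the hunk.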
5 changes: 3 additions & 2 deletions Rules/WELA-Rules/Application/2-EMETBlocked.ps1
Expand Up @@ -10,7 +10,8 @@ function Add-Rule {
$event
)
$target = $event | where { $_.ID -eq 2 -and $_.LogName -eq "Application" }

$ruleName = "2-EMETBlocked";
$detectedMessage = "detected EMET blocked on DeepBlueCLI Rule";
foreach ($record in $target) {
if ($record.message) {
$array = $event.message -split '\n' # Split each line of the message into an array
Expand All @@ -19,7 +20,7 @@ function Add-Rule {
$command = $application -Replace "^Application: ", ""
$username = Remove-Spaces($array[4])
$result = "$text`n"
$reuslt += "command: $command`n"
$result += "command: $command`n"
$result += "$username`n"
Write-Host
Write-Host "Detected! RuleName:$ruleName";
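Review bot: Inside `foreach ($record in $target)` the body still splits `$event.message` (line 283) rather than the current record, so when `$event` holds several events `$array` is the flattened list of every message's lines and `$array[4]` (used for the username) comes from the first event, not the one being reported. The guard on line 282 already reads `$record.message`; the split should agree with it: `$array = $record.message -split '\n'`. The `$reuslt` typo fix on line 289 is correct. The loop body continues past the hunk.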
3 changes: 2 additions & 1 deletion Rules/WELA-Rules/Applocker/8003-ApplockerWarning.ps1
Expand Up @@ -9,6 +9,8 @@ function Add-Rule {
param (
$event
)
$ruleName = "8003-ApplockerWarning";
$detectedMessage = "detected Applocker warning on DeepBlueCLI Rule";
$target = $event | where { $_.ID -eq 8003 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" }

if ($target) {
Expand All @@ -17,7 +19,6 @@ function Add-Rule {
Write-Host $detectedMessage;
}
foreach ($record in $target) {
$result = $record.message
Write-host $result
}
};
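Review bot: The second hunk (`@@ -17,7 +19,6 @@`) removes one line but the page does not mark which; if it is `$result = $record.message`, then `Write-host $result` inside the loop now prints a variable that is never assigned in that loop (empty, or whatever an earlier rule left in scope) and the loop should emit the record directly: `Write-Host $record.message`. If the removed line is something else, disregard. The Add-Rule signature is above the first hunk.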
3 changes: 2 additions & 1 deletion Rules/WELA-Rules/Applocker/8004-ApplockerBlock.ps1
Expand Up @@ -9,6 +9,8 @@ function Add-Rule {
param (
$event
)
$ruleName = "8004-ApplockerBlock";
$detectedMessage = "detected Applocker block on DeepBlueCLI Rule";
$target = $event | where { $_.ID -eq 8004 -and $_.LogName -eq "Microsoft-Windows-AppLocker/EXE and DLL" }

if ($target) {
Expand All @@ -17,7 +19,6 @@ function Add-Rule {
Write-Host $detectedMessage;
}
foreach ($record in $target) {
$result = $record.message
Write-host $result
}
};
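Review bot: Same question as for the 8003 rule: the second hunk (`@@ -17,7 +19,6 @@`) drops one line without the page showing which, and if it is `$result = $record.message` the following `Write-host $result` prints an unassigned variable on every iteration; writing `Write-Host $record.message` directly avoids the intermediate variable entirely. If a different line was removed, disregard. The Add-Rule signature is above the first hunk.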
4 changes: 3 additions & 1 deletion Rules/WELA-Rules/PowerShell/4103-PowerShellExecute.ps1
Expand Up @@ -9,6 +9,8 @@ function Add-Rule {
param (
$event
)
$ruleName = "4103-PowerShellExecute";
$detectedMessage = "detected PowerShell execute on DeepBlueCLI Rule";
$target = $event | where { $_.ID -eq 4103 -and $_.LogName -eq "Microsoft-Windows-PowerShell" }

foreach ($record in $target) {
Expand All @@ -20,7 +22,7 @@ function Add-Rule {
# Remove every line after the "Host Application = " line.
$commandline = $commandline -Replace "(?ms)`n.*$", ""
if ($commandline) {
$obj = Create-Obj -event $record
$obj = Create-Obj -event $record
$result = Check-Command -EventID 4103 -commandline $commandline -obj $obj
Write-Host
Write-Host "Detected! RuleName:$ruleName";
Expand Up @@ -9,6 +9,8 @@ function Add-Rule {
param (
$event
)
$ruleName = "4104-PowerShellScriptBlockCreate";
$detectedMessage = "detected PowerShell script block created on DeepBlueCLI Rule";
$target = $event | where { $_.ID -eq 4104 -and $_.LogName -eq "Microsoft-Windows-PowerShell" }

foreach ($record in $target) {
