Suspicious CLI Obfuscation
Query
// Goal is to catch powershell and bash obfuscation techniques. Mostly powershell.
// If the intention is to use this as a detection, it will most likely need tuned to your environment but it has been succesful in mine though multiple tests.
// If you have questions or reccomendations, please email me at [email protected]
DeviceProcessEvents
| where ProcessCommandLine matches regex @"'[^']+'\s*\+\s*'[^']+'" or //Checking for 'A'+'B' style obfuscation
ProcessCommandLine matches regex @'"[^"]+"\s*\+\s*"[^"]+"' or //Checking for "A"+"B" style obfuscation
ProcessCommandLine matches regex @".Replace\s*\(" // Checking for .replace obfuscation
| project Timestamp, AccountName, InitiatingProcessFileName, ProcessCommandLine, DeviceId, ReportId
| sort by Timestamp descExplanation
This KQL (Kusto Query Language) query is designed to detect potential obfuscation techniques used in PowerShell and Bash scripts, with a primary focus on PowerShell. Here's a simplified breakdown of what the query does:
-
Source Table: It starts by looking at the
DeviceProcessEventstable, which contains information about processes running on devices. -
Obfuscation Detection: The query filters for specific patterns in the
ProcessCommandLinefield that are indicative of obfuscation techniques:- It checks for concatenation patterns like
'A'+'B'or"A"+"B", where strings are split and joined together, which is a common obfuscation method. - It also looks for the use of the
.Replacemethod, which can be used to alter strings in a way that hides the true intent of the script.
- It checks for concatenation patterns like
-
Data Projection: After identifying potential obfuscation, the query selects specific columns to display:
Timestamp,AccountName,InitiatingProcessFileName,ProcessCommandLine,DeviceId, andReportId. -
Sorting: Finally, the results are sorted by
Timestampin descending order, so the most recent events appear first.
The query is intended to be a starting point for detecting obfuscation and may need to be adjusted to fit specific environments. The author also invites feedback or questions via email.
Details

Steven Lim
Released: June 25, 2025
Tables
Keywords
Operators