Suspicious Encoded Powershell
Query
let EncodedList = dynamic(['-encodedcommand', '-enc']); // -e and -en can also be added, be aware of FPs
let ReconVariables = dynamic(['Get-ADGroupMember', 'Get-ADComputer', 'Get-ADUser', 'Get-NetGPOGroup', 'net user', 'whoami', 'net group', 'hostname', 'netsh firewall', 'tasklist', 'arp', 'systeminfo']);
let TimeFrame = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(TimeFrame)
| where ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell"
| where ProcessCommandLine has_any (EncodedList) or InitiatingProcessCommandLine has_any (EncodedList)
| extend base64String = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, ProcessCommandLine)
| extend DecodedCommandLine = base64_decode_tostring(base64String)
| extend DecodedCommandLineReplaceEmptyPlaces = replace_string(DecodedCommandLine, '\u0000', '')
| where isnotempty(base64String) and isnotempty(DecodedCommandLineReplaceEmptyPlaces)
| where DecodedCommandLineReplaceEmptyPlaces has_any (ReconVariables)
| project
TimeGenerated,
ActionType,
DecodedCommandLineReplaceEmptyPlaces,
ProcessCommandLine,
InitiatingProcessCommandLine,
DeviceName,
AccountName,
AccountDomainAbout this query
Explanation
This query is designed to help identify and investigate suspicious use of encoded PowerShell commands on devices within a network. Here's a simple breakdown of what each step does:
Step 1: List Devices Executing Encoded PowerShell
- Purpose: Identify devices that run encoded PowerShell commands, which might indicate suspicious activity.
- How: The query checks for PowerShell commands that include specific encoding flags (like
-encodedcommandor-enc) within the last 48 hours. It counts how many encoded commands each device has executed and lists them, sorted by the number of executions.
Step 2: Investigate Encoded PowerShell Commands
- Purpose: Decode and examine the actual commands being run to determine if they are suspicious.
- How: The query decodes the base64-encoded PowerShell commands and lists the unique commands executed by each device. This helps in understanding what actions were performed on the devices.
Step 3: Reconnaissance Activities
- Purpose: Detect if any reconnaissance commands were executed in an encoded form.
- How: The query looks for decoded commands that match known reconnaissance activities (like
Get-ADUser,whoami, etc.). It lists details about these activities, such as the device name and account used.
Step 4: Encoded Downloads
- Purpose: Identify potential malicious downloads or command-and-control (C2) traffic initiated via encoded PowerShell commands.
- How: The query searches for decoded commands that involve downloading files or making web requests, which could indicate malicious activity. It provides details about these actions for further investigation.
Conclusion
If any suspicious or malicious activities are found, the query suggests using additional Digital Forensics and Incident Response (DFIR) queries to further investigate the incident.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceProcessEvents
Keywords
Devices
Operators
letdynamicagocontainsorhas_anyextendextractbase64_decode_tostringnotisemptysummarizecountbysortreplace_stringisnotemptymake_setarray_lengthproject