WMIC spawning PowerShell with encoded command
TH Wmic PS Encoded
Query
DeviceProcessEvents
| where FileName == @"WMIC.exe"
| where ProcessCommandLine has_any ("EncodedCommand","Enc")
| project Timestamp, DeviceName, InitiatingProcessFileName,ActionType, AccountName, ProcessCommandLine
| extend Encoded = extract(@"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
| where isnotempty(Encoded)
| extend Decoded = base64_decode_tostring(Encoded)About this query
Explanation
This query is designed to detect suspicious activity where the Windows Management Instrumentation Command-line (WMIC) tool is used to start a PowerShell process with an encoded command. This is often a technique used by attackers to obfuscate malicious commands.
Here's a simple breakdown of what the query does:
-
Data Source: It looks at events related to processes on devices (
DeviceProcessEvents). -
Filter for WMIC: It specifically filters for events where the process name is
WMIC.exe. -
Encoded Commands: It further filters these events to find instances where the command line includes "EncodedCommand" or "Enc". These are indicators that a PowerShell command is being run in an encoded form.
-
Extract and Decode: The query extracts the encoded command from the command line and decodes it from Base64 format to reveal the actual command being executed.
-
Output: It provides details such as the timestamp, device name, initiating process, action type, account name, and both the original and decoded command lines.
This query helps security analysts identify potentially malicious activities where attackers use WMIC to execute hidden PowerShell commands.
Details

Alex Verboon
Released: September 17, 2025
Tables
Keywords
Operators