Encoded PowerShell execution is a common adversary technique used to bypass detection and execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise attempts that evade standard detection mechanisms.
KQL Query

```kql
DeviceProcessEvents
// Match a "-e", "-en", "-enc", "-ec" switch or an abbreviated form of "-EncodedCommand",
// followed somewhere on the command line by a run of 50 or more base64 characters.
| where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
// -EncodedCommand carries base64 of UTF-16LE text; base64_decode_tostring() decodes as UTF-8,
// so the interleaved NUL bytes are stripped to leave the readable script.
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))
```
```yaml
id: f58a7f64-acd3-4cf6-ab6d-be76130cf251
name: Detect Encoded Powershell
description: |
  This query will detect encoded powershell based on the parameters passed during process creation. This query will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a regex of the launch string.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where ProcessCommandLine matches regex @'(\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'
  | extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(extract("[A-Za-z0-9+/]{50,}[=]{0,2}",0 , ProcessCommandLine)))
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Running Encoded PowerShell Script
Description: A legitimate scheduled job is configured to run a PowerShell script that is encoded for transport security (e.g., using ConvertTo-SecureString or Base64 encoding).
Filter/Exclusion: Check for CommandLine containing known secure string encoding methods or use a filter like ProcessCommandLine not like '%ConvertTo-SecureString%' or ProcessCommandLine not like '%Base64%'.

Scenario: Admin Task Using Encoded PowerShell for Automation
Description: An administrator uses a PowerShell script encoded for deployment (e.g., using Invoke-Command with encoded commands) to automate a system update or configuration task.
Filter/Exclusion: Exclude processes initiated by known administrative tools like Task Scheduler or PsExec using a filter like ProcessParentProcessName = 'schtasks.exe' or ProcessParentProcessName = 'psexec.exe'.

Scenario: PowerShell Script Encoded for Remote Execution
Description: A legitimate PowerShell script is encoded for remote execution via a remote management tool like WinRM or PSRemoting, which is common in enterprise environments.
Filter/Exclusion: Exclude processes where the parent process is a remote management tool using a filter like ProcessParentProcessName = 'winrm.exe' or ProcessParentProcessName = 'powershell.exe' with a known remote execution context.

Scenario: Encoded PowerShell Used in a Security Tool for Payload Delivery
Description: A security tool (e.g., Microsoft Defender ATP, CrowdStrike, or SentinelOne) uses encoded PowerShell scripts to deliver payloads or perform system diagnostics.
Filter/Exclusion: Exclude processes initiated by known security tools using a filter like ProcessParentProcessName = 'MsMpEng.exe' or
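To exercise the detection logic of the KQL query and the parent-process tuning from the scenarios above outside Sentinel, here is an added Python re-implementation (not code from the page or from the Sentinel repository) that applies the same regex, extracts and decodes the base64 run, and runs over constructed process-creation records. Assumptions of mine: the parent-image column name InitiatingProcessFileName, the contents of the exclusion allowlist, and the rewriting of RE2's in-group `(?i)` as Python's scoped `(?i:...)`.

```python
import base64
import re

# The page's KQL pattern; RE2's in-group "(?i)" becomes Python's scoped "(?i:...)"
# because Python 3.11+ rejects a global flag that is not at the very start.
SWITCH_AND_BLOB = re.compile(
    r"(\s+-(?i:encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\s).*([A-Za-z0-9+/]{50,}={0,2})")
BLOB = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")  # mirrors the extract() call

# Constructed tuning allowlist (assumption) modelled on the scheduled-job scenario;
# InitiatingProcessFileName is the DeviceProcessEvents column for the parent image.
EXCLUDED_PARENTS = frozenset({"schtasks.exe"})

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text. The KQL query decodes as UTF-8
    and strips NULs; decoding as UTF-16LE is equivalent for ASCII and handles non-ASCII."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:  # odd length / not UTF-16: fall back to the KQL behaviour
        return raw.decode("utf-8", errors="replace").replace("\x00", "")

def evaluate(event: dict, excluded_parents=EXCLUDED_PARENTS):
    """Return a finding for one DeviceProcessEvents-style record, or None."""
    cmd = event.get("ProcessCommandLine", "")
    if not SWITCH_AND_BLOB.search(cmd):
        return None
    if event.get("InitiatingProcessFileName", "").lower() in excluded_parents:
        return None
    try:
        decoded = decode_encoded_command(BLOB.search(cmd).group(0))
    except ValueError:  # long run that is not valid base64: still surface the hit
        decoded = None
    return {"DeviceName": event.get("DeviceName"), "DecodedCommand": decoded}

def hunt(events, excluded_parents=EXCLUDED_PARENTS) -> list:
    return [f for f in (evaluate(e, excluded_parents) for e in events) if f]

def encode_for_powershell(script: str) -> str:
    """Build a constructed sample exactly as powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    {"DeviceName": "wks-01", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -enc "
     + encode_for_powershell("Write-Host 'hunting query sample'")},
    {"DeviceName": "srv-02", "InitiatingProcessFileName": "schtasks.exe",
     "ProcessCommandLine": "pwsh.exe -EncodedCommand "
     + encode_for_powershell("Get-Date | Out-File C:\\temp\\run.log")},
    {"DeviceName": "wks-03", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
```

Calling `hunt(SAMPLE_EVENTS)` surfaces only the explorer.exe-launched event with its decoded script; passing an empty allowlist as `excluded_parents` shows the scheduled-task event the exclusion suppresses.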