
The PowerShell Command Was Base64 Encoded

Everything looked normal at first.

There was no obvious malware name. No dramatic ransomware alert. No strange executable sitting on the desktop.

Just PowerShell, a long command line and a string of characters that looked meaningless.

But meaningless-looking command lines can still tell a very clear story.

In this Agent Foskett investigation, we look at how a Base64 encoded PowerShell command can hide activity from casual review, and how Microsoft Defender XDR with KQL can help defenders find the evidence.

Investigation focus

Learn how encoded PowerShell activity can be hunted through command-line evidence, parent processes and endpoint telemetry.

PowerShell encoded commands
DeviceProcessEvents hunting
Process tree investigation
🧠 Encoded does not mean invisible.
Base64 may hide the command from quick human reading, but the execution still leaves evidence in the logs.

The suspicious detail

The command line contained PowerShell with an encoded command argument.

That does not automatically prove malicious activity. Administrators and scripts can use encoding for legitimate reasons.

But in an investigation, encoded PowerShell deserves attention because it can hide download commands, credential access attempts, payload staging, persistence logic or suspicious execution chains.
Long command line: A large encoded string can make the real command difficult to understand at a glance.
Process context matters: The parent process can reveal whether PowerShell was launched by a user, script, Office document or another process.
Follow-on activity: The important evidence may be the network connection, child process or file activity that follows the encoded command.

First hunt: find encoded PowerShell

Start by looking for PowerShell executions where the command line contains common encoded command switches.
find-encoded-powershell.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "/enc")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Plain-English translation:

Show me recent PowerShell executions where the command line appears to use an encoded command.

What Agent Foskett checks next

Finding encoded PowerShell is only the start. The next step is to understand context.
Who ran it? Check AccountName and whether the account normally runs PowerShell on that device.
Where did it run? Check DeviceName, device role and whether the activity occurred on a workstation, server or admin machine.
What launched it? Check InitiatingProcessFileName and the parent process command line to understand how execution started.

Second hunt: suspicious parent processes

Encoded PowerShell launched from an unusual parent process can be more suspicious than PowerShell launched from an admin console.
encoded-powershell-parent-process.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "/enc")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

Third hunt: look for network activity after execution

Encoded PowerShell may be used to download content or connect to infrastructure. After finding the process event, pivot to network activity around the same device and time period.
powershell-network-pivot.kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine
| order by Timestamp desc
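The third hunt's query lists every recent PowerShell network event; in practice the analyst narrows that to the same device and the minutes after the encoded process event. The Python below is an added example, not part of the original investigation or a Defender XDR feature: it performs that time-bounded pivot over constructed DeviceProcessEvents and DeviceNetworkEvents rows (placeholder device names and command lines, TEST-NET-3 addresses and example.invalid hosts), keeping only PowerShell-initiated connections on the same device within a window after launch.

```python
from datetime import datetime, timedelta

POWERSHELL = {"powershell.exe", "pwsh.exe"}

def proc(ts, device, account, cmdline, parent):
    """Constructed DeviceProcessEvents row with the columns the page's query projects."""
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "FileName": "powershell.exe", "ProcessCommandLine": cmdline,
            "InitiatingProcessFileName": parent}

def net(ts, device, url, ip, port, initiator):
    """Constructed DeviceNetworkEvents row."""
    return {"Timestamp": ts, "DeviceName": device, "RemoteUrl": url, "RemoteIP": ip,
            "RemotePort": port, "InitiatingProcessFileName": initiator}

# Constructed telemetry; 203.0.113.0/24 and example.invalid are reserved documentation values.
PROCESS_EVENTS = [
    proc(datetime(2024, 5, 1, 9, 0, 0), "ws-017", "jdoe",
         "powershell.exe -enc <BASE64_PLACEHOLDER>", "winword.exe"),
    proc(datetime(2024, 5, 1, 14, 30, 0), "srv-db-02", "svc_backup",
         "powershell.exe -EncodedCommand <BASE64_PLACEHOLDER>", "cmd.exe"),
]
NETWORK_EVENTS = [
    net(datetime(2024, 5, 1, 9, 0, 12), "ws-017", "example.invalid", "203.0.113.10", 443, "powershell.exe"),
    net(datetime(2024, 5, 1, 9, 0, 40), "ws-017", "", "203.0.113.10", 8080, "powershell.exe"),
    net(datetime(2024, 5, 1, 9, 1, 0), "ws-017", "", "203.0.113.20", 443, "svchost.exe"),  # not PowerShell
    net(datetime(2024, 5, 1, 14, 31, 0), "ws-017", "", "203.0.113.30", 443, "powershell.exe"),  # other device
    net(datetime(2024, 5, 1, 15, 10, 0), "srv-db-02", "", "203.0.113.40", 443, "powershell.exe"),  # outside window
]

def pivot_to_network(process_events, network_events, window_minutes=5):
    """For each PowerShell process event, collect PowerShell-initiated network events on the
    same device within window_minutes after launch: the time-bounded join the pivot implies."""
    window = timedelta(minutes=window_minutes)
    results = []
    for p in process_events:
        if p["FileName"].lower() not in POWERSHELL:
            continue
        start, end = p["Timestamp"], p["Timestamp"] + window
        related = sorted(
            (n for n in network_events
             if n["DeviceName"] == p["DeviceName"]
             and n["InitiatingProcessFileName"].lower() in POWERSHELL
             and start <= n["Timestamp"] <= end),
            key=lambda n: n["Timestamp"])
        results.append({"process": p, "network": related})
    return results

if __name__ == "__main__":
    for r in pivot_to_network(PROCESS_EVENTS, NETWORK_EVENTS):
        print(r["process"]["DeviceName"], r["process"]["InitiatingProcessFileName"],
              [(n["RemoteIP"], n["RemotePort"]) for n in r["network"]])
```

An empty network list is itself a finding: the follow-on evidence may then be in child processes or file activity rather than outbound connections.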

The investigation lesson

Base64 encoding does not make an attack invisible. It only makes the command harder to read quickly.

A strong Defender XDR investigation does not stop at the encoded string. It follows the process, the parent process, the user, the device, the command line and the network activity that followed.
Encoded is a clue: Encoding is not automatically malicious, but it is an investigation signal worth checking.
Context decides risk: The same command can mean different things depending on the device, user, parent process and timing.
Pivot quickly: Use the command-line event to pivot into process trees, network events and file activity.

Common mistakes

Only searching one switch: Attackers and scripts may use different forms such as -EncodedCommand, -enc or /enc.
Ignoring the parent process: PowerShell launched by Office, script hosts or unusual processes should be reviewed carefully.
Stopping at the command line: The real story may appear in child processes, files created or outbound connections after execution.
The logs already knew.
The command looked unreadable, but the process evidence still told the story.
