Basic Detection: PowerShell Executed with EncodedCommand Parameter
Fundamental detection query that identifies PowerShell executions with the -EncodedCommand parameter or its abbreviation -enc. A basic but consistent indicator of malicious obfuscation present in most modern ransomware campaigns (LeakNet/ClickFix) and in post-exploitation stages of critical 2025 vulnerabilities. Ideal as a first query for analysts new to CrowdStrike LogScale.
Tags: EDR, powershell, encoded-command, obfuscation, base64, beginner-hunt, T1059.001, T1027

FDR · Beginner · by darkreitor · 3 min read
Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?$/
| CommandLine=/(?i)(-EncodedCommand|-enc\b)/
| groupBy([ComputerName, UserName, CommandLine], function=count())
| sort(_count, order=desc, limit=25)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Selects all process creation events in the FDR repository. This is the most fundamental event for process activity detection in CrowdStrike. |
| `FileName=/(?i)powershell(\.exe)?$/` | Filters only PowerShell executions. The `(?i)` modifier makes the match case-insensitive. The `$` anchors the pattern to the end of the name, avoiding false positives from other processes that contain 'powershell' in the middle of their name. |
| `CommandLine=/(?i)(-EncodedCommand\|-enc\b)/` | Detects `-EncodedCommand` and its abbreviation `-enc`. The `\b` is a word boundary that avoids false positives such as `-encrypt`. Any Base64-encoded command passed to PowerShell in production warrants immediate investigation. |
| `groupBy([ComputerName, UserName, CommandLine], function=count())` | Groups by hostname, user, and full command line. Including `CommandLine` is key: it carries the Base64 payload that can be decoded during forensic analysis. |
| `sort(_count, order=desc, limit=25)` | Sorts from highest to lowest frequency. A high `_count` from the same user may indicate malicious automation or active persistence on the host. |
Adjustable Variables

- To reduce false positives from legitimate automation: `| not UserName=/(?i)(svc_|service|automation|sccm)/`
- To exclude installers: `| not ParentBaseFileName=/(?i)(msiexec\.exe|setup\.exe)/`
- For greater specificity, require a minimum Base64 length: `| CommandLine=/(?i)-enc\s+[A-Za-z0-9+\/]{40,}/` (note that this pattern matches only the `-enc` spelling, not `-EncodedCommand`)
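To see how these filters behave on concrete records, here is an added Python prototype (not part of the original page or of CrowdStrike's tooling) that applies the same regexes to a few constructed ProcessRollup2-style events, groups and sorts them like the query, and decodes the UTF-16LE Base64 payload for triage; the field names, sample hosts, users and command lines are assumptions.

```python
import base64
import re
from collections import Counter

# Same patterns as the LogScale query above, expressed in Python's re syntax.
FILENAME_RE = re.compile(r"(?i)powershell(\.exe)?$")
ENCODED_RE = re.compile(r"(?i)(-EncodedCommand|-enc\b)")
MIN_B64_RE = re.compile(r"(?i)-enc\s+[A-Za-z0-9+/]{40,}")  # stricter variant; only the -enc spelling
EXCLUDE_USER_RE = re.compile(r"(?i)(svc_|service|automation|sccm)")  # false-positive tuning

def b64_ps(script: str) -> str:
    """PowerShell expects the encoded command as Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events (not real telemetry), shaped like ProcessRollup2 fields.
EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + b64_ps("Write-Host hello")},
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + b64_ps("Write-Host hello")},
    {"ComputerName": "WS02", "UserName": "bob", "FileName": "POWERSHELL.EXE",
     "CommandLine": "powershell -File backup.ps1 -encrypt"},  # \b rejects -encrypt
    {"ComputerName": "WS03", "UserName": "svc_sccm", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + b64_ps("dir")},  # short payload
    {"ComputerName": "WS04", "UserName": "carol", "FileName": "mypowershell_wrapper.exe",
     "CommandLine": "mypowershell_wrapper.exe -enc " + b64_ps("whoami")},  # $ anchor rejects
]

def hunt(events, min_b64=False, exclude_service_accounts=False, limit=25):
    """Mirror the query: filter, groupBy([ComputerName, UserName, CommandLine]), sort desc."""
    counts = Counter()
    for ev in events:
        if not FILENAME_RE.search(ev["FileName"]):
            continue
        if not ENCODED_RE.search(ev["CommandLine"]):
            continue
        if min_b64 and not MIN_B64_RE.search(ev["CommandLine"]):
            continue
        if exclude_service_accounts and EXCLUDE_USER_RE.search(ev["UserName"]):
            continue
        counts[(ev["ComputerName"], ev["UserName"], ev["CommandLine"])] += 1
    return counts.most_common(limit)

def decode_payload(cmdline: str) -> str:
    """Recover the script an analyst reads during triage (Base64 of UTF-16LE)."""
    m = re.search(r"(?i)-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    return base64.b64decode(m.group(1)).decode("utf-16le")
```

Call `hunt(EVENTS)` to get the grouped, sorted hits and `decode_payload()` on a hit's command line to see the script; the `min_b64` and `exclude_service_accounts` flags correspond to the adjustable variables above.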