โ† Back to hub

PowerShell LOTL with Base64-Encoded Payload (-EncodedCommand)

Detects PowerShell executions that use the -EncodedCommand parameter to conceal the actual payload, a primary living-off-the-land (LOTL) technique documented by CISA in which adversaries abuse native PowerShell to evade signature-based detection. Critical for detecting post-initial-infection stages of ransomware and APT campaigns that prefer LOTL over custom binaries.
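The detection logic described above, written out as an added example; this is illustrative code, not the subscription query this page sells. It runs over a handful of constructed process-creation records (the field names `pid`, `image` and `cmdline` are assumed, chosen to resemble Sysmon Event ID 1 fields), flags PowerShell processes whose command line carries -EncodedCommand or any of the shortened spellings powershell.exe accepts (-e, -ec, -enc, ...), and decodes the base64/UTF-16LE blob so an analyst sees the real command rather than the wrapper.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand ("-e", "-en", "-enc",
# ..., "-encodedcommand"), case-insensitively, plus the documented "-ec" alias.
ENCODED_PARAM_PREFIXES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}

# Image names treated as PowerShell hosts (assumption: renamed copies are out of scope here).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    param: str            # the parameter spelling actually used, e.g. "-Enc"
    encoded: str          # the raw argument as seen on the command line
    decoded: Optional[str]  # None when the blob is not valid base64 over UTF-16LE


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument: base64 wrapping UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_command(cmdline: str):
    """Return (parameter, argument) for the first -EncodedCommand-style switch, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in ENCODED_PARAM_PREFIXES:
            return tok, tokens[i + 1].strip("\"'")
    return None


def detect(events):
    """Run the rule over process-creation records and return one Finding per hit."""
    findings = []
    for ev in events:
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name not in POWERSHELL_IMAGES:
            continue  # cmd.exe echoing "-enc" is not PowerShell abuse
        hit = find_encoded_command(ev["cmdline"])
        if hit is None:
            continue
        param, blob = hit
        findings.append(Finding(ev["pid"], image_name, param, blob, decode_encoded_command(blob)))
    return findings


def to_encoded_command(script: str) -> str:
    """Produce the base64/UTF-16LE form powershell.exe expects; used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: script run by path, nothing encoded
    {"pid": 1001, "image": PS_PATH,
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    # long-form parameter
    {"pid": 1002, "image": PS_PATH,
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + to_encoded_command(r"Get-Process | Out-File C:\temp\p.txt")},
    # abbreviated, mixed case, PowerShell 7 host
    {"pid": 1003, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe -NoProfile -Enc " + to_encoded_command("Write-Host 'constructed sample'")},
    # shortest alias with a blob that is not valid base64: still worth surfacing
    {"pid": 1004, "image": PS_PATH, "cmdline": "powershell.exe -e not*base64*at*all"},
    # different image: ignored even though "-enc" appears in the arguments
    {"pid": 1005, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo -enc QUJD"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} image={f.image} param={f.param} decoded={f.decoded!r}")
```

Undecodable blobs are kept as findings rather than dropped, since a malformed argument after -e is itself unusual and cheap to triage; the decoded text is what an analyst would pivot on next (downloaders, obfuscated invocations, and so on).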


Premium Content

This query requires an active subscription to access the code.
