PowerShell with Base64-Encoded Commands (FDR)
Detects PowerShell executions using the EncodedCommand parameter, a basic living-off-the-land (LOTL) technique used to obfuscate malicious payloads and evade command-line detection.
Tags: EDR, powershell, encoded-command, obfuscation, lotl, fdr, T1059.001, T1027
FDR | Beginner | by CQL Hub | 2 min read
Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(powershell|pwsh)\.exe$")
| regex(field=CommandLine, regex="(?i)(-EncodedCommand|-enc\s|-e\s+[A-Za-z0-9+/]{20,}|FromBase64String)")
| groupBy([ComputerName, UserName, CommandLine], function=count(as=cnt))
| sort(cnt, order=desc, limit=30)
```

Explanation

| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Process creation events in FDR |
| `regex(field=ImageFileName, regex="(?i)(powershell\|pwsh)\.exe$")` | Filters executions of classic PowerShell and PowerShell Core (pwsh) |
| `regex(field=CommandLine, regex="(?i)(-EncodedCommand\|-enc\s\|-e\s+[A-Za-z0-9+/]{20,}\|FromBase64String)")` | Detects the -EncodedCommand flag (and shortened variants) or long base64 strings directly in the command line |
| `groupBy([ComputerName, UserName, CommandLine], function=count(as=cnt))` | Groups by host, user, and exact command to identify repetitive patterns |
| `sort(cnt, order=desc, limit=30)` | Shows the 30 most frequent cases for quick triage |
Adjustable Variables
To reduce false positives from legitimate tools, add `| not UserName=/svc-|deploy-|ansible/i`. Change `limit=30` to adjust result volume. In environments with heavy automated scripting, add exclusions by `ParentBaseFileName` for known schedulers.
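To see the same filter, grouping and sort outside LogScale, here is an added Python example (not CQL Hub's code) that runs the query's regexes over constructed ProcessRollup2 events, applies the service-account exclusion suggested above as an optional switch, and decodes the `-EncodedCommand` payload (UTF-16LE, then base64) so an analyst can read what was run. The event dictionaries, host names and users are constructed samples, not real FDR data.

```python
import base64
import re
from collections import Counter

# Same patterns as the CQL query, as Python regexes (case-insensitive).
IMAGE_RE = re.compile(r"(powershell|pwsh)\.exe$", re.I)
CMDLINE_RE = re.compile(r"(-EncodedCommand|-enc\s|-e\s+[A-Za-z0-9+/]{20,}|FromBase64String)", re.I)
SERVICE_ACCOUNT_RE = re.compile(r"svc-|deploy-|ansible", re.I)  # hypothetical exclusion from "Adjustable Variables"
B64_ARG_RE = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{20,})", re.I)  # base64 argument, for triage

def encoded_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload for triage, or None if absent or invalid."""
    m = B64_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events, exclude_service_accounts=False, limit=30):
    """Filter, groupBy([ComputerName, UserName, CommandLine]) and sort by count, like the query."""
    counts = Counter()
    for ev in events:
        if not IMAGE_RE.search(ev["ImageFileName"]) or not CMDLINE_RE.search(ev["CommandLine"]):
            continue
        if exclude_service_accounts and SERVICE_ACCOUNT_RE.search(ev["UserName"]):
            continue  # mirrors: | not UserName=/svc-|deploy-|ansible/i
        counts[(ev["ComputerName"], ev["UserName"], ev["CommandLine"])] += 1
    return [(host, user, cmd, n) for (host, user, cmd), n in counts.most_common(limit)]

# Constructed sample ProcessRollup2 events, not real FDR data. WS03 (image is cmd.exe) and
# WS04 (no encoded-command indicator on the command line) must not match.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "ImageFileName": PS_PATH,
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encoded_ps("Write-Host 'hello'")},
] * 2 + [
    {"ComputerName": "WS02", "UserName": "svc-deploy", "ImageFileName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand " + encoded_ps("Get-Date")},
    {"ComputerName": "WS03", "UserName": "bob", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc QUJD"},
    {"ComputerName": "WS04", "UserName": "carol", "ImageFileName": PS_PATH,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns the WS01/alice command twice and the WS02/svc-deploy command once; with `exclude_service_accounts=True` only the WS01 row remains, and `decode_encoded_command` on either row yields the plaintext script for review.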