Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains 'powershell' and ProcessCommandLine contains ' -encodedcommand' | project InitiatingProcessFileName

DeviceProcessEvents | where ProcessCommandLine has_any ('-EncodedCommand', 'eN') and InitiatingProcessFileName =~ 'powershell.exe' | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessId | distinct TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessId

DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" | where ProcessCommandLine has_any ("-enc ", "-encodedcommand ") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine matches regex ".* -e.*([A-Za-z0-9+/=]){10,}.*" | summarize count() by InitiatingProcessFileName, bin(Timestamp, 5m) | sort by count_ desc

DeviceProcessEvents | where FileName == "powershell.exe" or FileName == "pwsh.exe" | where ProcessCommandLine has "-EncodedCommand" or ProcessCommandLine has "-e " | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

let EncodedCmdRegex = @"(?i)\s-?(?:e|enc|encodedcommand)\b"; let EncodedArgRegex = @"(?i)-(?:e|enc|encodedcommand)\s+['\""]?([A-Za-z0-9+/=]{20,})"; let EncPSEvents = DeviceProcessEvents | where FileName matches regex @"(?i)^(?:powershell(?:\.exe)?|pwsh(?:\.exe)?|powershell_ise(?:\.exe)?)$" | where ProcessCommandLine matches regex EncodedCmdRegex or tolower(ProcessCommandLine) has "[convert]::frombase64string(" or tolower(ProcessCommandLine) has "frombase64string(" | extend EncodedArg = extract(EncodedArgRegex, 1, ProcessCommandLine); EncPSEvents | summarize executions=count(), firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256 | order by lastSeen desc

let ps_regex = @"(?i)(?:-encodedcommand|-e)\s+([A-Za-z0-9+/=]+)"; // looks for -EncodedCommand or -e with base64 let dotnet_regex = @"(?i)(?:Convert::FromBase64String|Convert\.FromBase64String|FromBase64String|System\.Text\.Encoding|Text\.Encoding)"; DeviceProcessEvents | where Timestamp between (startofday(ago(7d)) .. now()) | where FileName has_any ('powershell.exe','pwsh.exe','powershell_ise.exe') or ProcessCommandLine has_any('-encodedcommand','-e','FromBase64String','Convert.FromBase64String','FromBase64String') | extend Cmd = tostring(ProcessCommandLine), InitiatingCmd = tostring(InitiatingProcessCommandLine) | where Cmd has '-EncodedCommand' or Cmd has ' -e ' or Cmd has 'FromBase64String' or InitiatingCmd has '-EncodedCommand' or InitiatingCmd has '-e' or InitiatingCmd has 'FromBase64String' | extend EncodedMatch = extract(ps_regex, 1, Cmd), EncodedInInitiator = extract(ps_regex, 1, InitiatingCmd) | extend HasDotNetDecode = iff(Cmd matches regex dotnet_regex or InitiatingCmd matches regex dotnet_regex, 1, 0) | project Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine=Cmd, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine=InitiatingCmd, EncodedMatch, EncodedInInitiator, HasDotNetDecode | where isnotempty(EncodedMatch) or isnotempty(EncodedInInitiator) or HasDotNetDecode==1 | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), count() by DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, FileName, ProcessId, ProcessCommandLine, AccountName | order by FirstSeen desc

union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(ProcessCommandLine) has_any ("powershell","pwsh") // Match common encoded-argument forms and a sufficiently long Base64-like token to reduce false positives | where ProcessCommandLine matches regex @"(?i)(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{40,})" | extend EncodedPayload = extract(@"(?i)(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{40,})", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, EncodedPayload | summarize Count = count(), SampleCommands = make_list(ProcessCommandLine, 5), EncodedSamples = make_list(EncodedPayload, 5), Devices = make_list(DeviceName, 5) by InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Count desc

DeviceProcessEvents | where FileName in ("powershell.exe","pwsh.exe") | where ProcessCommandLine contains "-EncodedCommand" | extend LauncherExecutable = InitiatingProcessFileName | project TimeGenerated, DeviceName, LauncherExecutable, LauncherCommandLine = InitiatingProcessCommandLine, EncodedProcess = FileName, EncodedCommandLine = ProcessCommandLine | summarize Launches = count() by LauncherExecutable, LauncherCommandLine, EncodedProcess, EncodedCommandLine | order by Launches desc

DeviceProcessEvents | where FileName contains "powershell.exe" | where ProcessCommandLine contains "encodedcommand" or ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}" | summarize Count = count() by InitiatingProcessFileName, DeviceName | order by Count desc

DeviceProcessEvents | where FileName startswith 'powershell' | where ProcessCommandLine contains '-EncodedCommand' | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

DeviceProcessEvents | where Timestamp >= ago(7d) | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_any ("-enc ", "-EncodedCommand") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe") | where ProcessCommandLine has_any ("-enc", "-encodedCommand") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents // === Time range is supplied by the calling UI / hunting blade === | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // Look for typical switches that precede a Base-64 payload (case-insensitive) | where tolower(ProcessCommandLine) has_any (" -enc", " -e ", " -encodedcommand", " -ec") // Pull out the first plausible Base-64 string that follows the switch | extend EncodedPayload = extract(@"(?i)(?:-e|-enc|-encodedcommand|/e|/enc|/encodedcommand)\s+([A-Za-z0-9+/]{20,}={0,2})", 1, ProcessCommandLine) | where isnotempty(EncodedPayload) // === ANSWER THE QUESTION === // Which executable launched the encoded-command PowerShell? | summarize EncodedExecCount = count(), ExampleDevices = make_set(DeviceName, 5) by LaunchingExecutable = InitiatingProcessFileName, LaunchingExecutablePath = InitiatingProcessFolderPath | sort by EncodedExecCount desc // ===== Raw event details (uncomment if needed) ===== // | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, EncodedPayload, // LaunchingExecutable = InitiatingProcessFileName, // LaunchingExecutablePath = InitiatingProcessFolderPath, // LaunchingProcessCommandLine = InitiatingProcessCommandLine, // InitiatingProcessCreationTime

DeviceProcessEvents | where tolower(InitiatingProcessCommandLine) contains "-encodedcommand" or tolower(InitiatingProcessCommandLine) contains "-enc" | summarize Count = count() by InitiatingProcessFileName | order by Count desc

DeviceProcessEvents | where ProcessCommandLine contains "-EncodedCommand" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | extend ParentExecutable = coalesce(InitiatingProcessFileName, "N/A") | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") // Match –EncodedCommand or –enc followed by a Base64‐style string | where tolower(ProcessCommandLine) matches regex @"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc