Decoding Base64 Encoded PowerShell Commands with KQL

PowerShell is a common tool for attackers, often using Base64 encoding to obfuscate malicious commands. If you’re using Microsoft Defender XDR, you can leverage KQL (Kusto Query Language) to detect and decode these encoded PowerShell commands for better threat hunting and detection engineering.

KQL Query to Decode Base64 PowerShell Commands

// Run against ProcessCommandLine (or InitiatingProcessCommandLine) in the DeviceProcessEvents / DeviceEvents tables
DeviceProcessEvents
// Group 2 is the Base64 blob; the optional group lets -e, -enc and -EncodedCommand all match
| extend EncodedPS = extract(@'(?i)-e(ncodedcommand|nc)?\s+([a-z0-9+/=]{20,})', 2, ProcessCommandLine)
| extend DecodedPS = iff(isnotempty(EncodedPS), base64_decode_tostring(EncodedPS), EncodedPS)
// Caveat: PowerShell Base64-encodes UTF-16LE text, while base64_decode_tostring reads the bytes as UTF-8,
// so DecodedPS carries a NUL character after every letter; strip those before matching on the decoded text

This query:

1. Extracts Base64-encoded strings from PowerShell command lines.

2. Decodes them into readable text for analysis.

You Should Know:

1. How Attackers Use Base64 in PowerShell

Attackers often run encoded commands to evade detection:

powershell -e JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASQBoAGIAaQBoACIAKQApAA==

Decoding reveals:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("Ihbih"))

2. Manual Decoding in Linux & Windows

Linux (Bash)

echo "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASQBoAGIAaQBoACIAKQApAA==" | base64 -d | iconv -f UTF-16LE -t UTF-8

(The iconv step is needed because PowerShell encodes the command as UTF-16LE; without it the output contains a NUL byte after every character.)

Windows (PowerShell)

[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASQBoAGIAaQBoACIAKQApAA=="))

3. Detecting Malicious PowerShell in Logs

Check for:

  • -e, -enc, -EncodedCommand arguments.
  • Long Base64 strings (20+ characters).
  • Obfuscated commands (iex, Invoke-Expression).

Sigma Rule Example

title: Suspicious PowerShell Base64 Execution
description: Detects Base64-encoded PowerShell commands
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-e '
      - '-EncodedCommand '
      - '-enc '
  condition: selection
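The same extract-and-decode logic as the KQL query, run offline over sample command lines with the "Check for" indicators applied to the decoded text. This is an added example, not code from the original post; the sample command lines are constructed (the first is the post's own encoded example), and the regex and indicator names mirror the KQL and Sigma rule above.

```python
import base64
import re

# Same pattern as the KQL extract(): -e / -enc / -EncodedCommand followed by 20+ Base64 characters.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc)?\s+([a-z0-9+/=]{20,})", re.IGNORECASE)
# Follow-on indicators from the "Check for" list: iex / Invoke-Expression in the decoded text.
SUSPICIOUS_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)


def extract_encoded(cmdline: str):
    """Return the Base64 blob passed to -e/-enc/-EncodedCommand, or None."""
    match = ENCODED_RE.search(cmdline)
    return match.group(1) if match else None


def decode_powershell(blob: str):
    """Decode an -EncodedCommand blob. PowerShell wraps UTF-16LE text, so decoding
    the bytes as UTF-8 (what KQL's base64_decode_tostring does) leaves a NUL after
    every character; UTF-16LE gives the real command. Returns None on bad input."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def triage(cmdline: str) -> dict:
    """Was the command line encoded, what does it decode to, and does it use iex/Invoke-Expression?"""
    blob = extract_encoded(cmdline)
    decoded = decode_powershell(blob) if blob else None
    return {
        "encoded": blob is not None,
        "decoded": decoded,
        "suspicious": bool(decoded and SUSPICIOUS_RE.search(decoded)),
    }


def encode_powershell(script: str) -> str:
    """Helper used only to build a constructed sample the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines; the first is the post's own example, the last is benign.
SAMPLES = [
    "powershell -e JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASQBoAGIAaQBoACIAKQApAA==",
    "powershell.exe -nop -w hidden -enc " + encode_powershell(r"$c = Get-Content C:\temp\stage.txt -Raw; iex $c"),
    r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage(cmd))
```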

What Undercode Says

Base64 encoding in PowerShell is a favorite among attackers, but KQL and manual decoding techniques can expose hidden threats. Always:
– Monitor PowerShell logs.
– Use KQL for automated detection in Defender XDR.
– Decode suspicious commands manually when needed.

Expected Output:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("Ihbih"))

Prediction

As attackers evolve, expect more advanced obfuscation (like multi-layer encoding). Detection engineers must adapt by refining KQL queries and integrating behavioral analysis.

Relevant URL: Detect.FYI

Reported By: Inode Powershell – Hackers Feeds