/en/tags/powershell/Recent content in Powershell on Suspicious BytesHugoen-USTue, 12 May 2026 00:00:00 +0000/en/posts/triaging-suspicious-powershell/Tue, 12 May 2026 00:00:00 +0000/en/posts/triaging-suspicious-powershell/<p>An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.</p> <h2 id="what-raises-the-flag">What raises the flag</h2> <p>Certain flag combinations are unusual for a legitimate script and common for tradecraft:</p> <ul> <li><code>-EncodedCommand</code> (base64 payloads)</li> <li><code>-WindowStyle Hidden</code> and <code>-NonInteractive</code></li> <li><code>-ExecutionPolicy Bypass</code></li> </ul> <blockquote> <p>Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.</p>