ID 2072: Suspicious PowerShell Encoded Command Detected 05/31/2026
Summary:
an alert was triggered on May 27, 2026 5:36 PM because of suspicious PowerShell command involving 4 users. looking through the logs we saw encoded PowerShell commands being executed. using CyberChef we were able to convert the string into human readable language, upon the investigation we saw these strings were writing messages to PowerShell tab. So the PowerShell commands were found to contain only write host statements referencing Manytek detection labels and hostnames so the decoded content we didn’t find any malicious encoded strings.
The activity on each endpoint device was investigated and Microsoft defender triggered an alert for manytekpc-ljoe, manytekpc-scotte, desktop-9nmra7j , manytekpc-hjohn which involved an encoded message for PowerShell script. In the process tree this is a part of much larger alert that is triggered because of registry and task modification.
so the investigation to not reveal any associated user for desktop-9nmra7j which was signed in using private IP. OSINT tools do not reveal any report on the IP because its private and this could suggest unauthorized login.
we recommend taking these devices off the network and logging them out because these can’t stay running. all these alerts were triggered from normal login so we believe that these are messages were ran internally to test our defender tools to make sure it flags encoded strings.
5Ws
who:
Joe Lartey, : May 27, 2026 6:21:29 PM
Emma Scott, : May 27, 2026 6:22:56 PM
desktop-9nmra7j : May 27, 2026 6:23:22 PM
John Hackman,: May 27, 2026 6:28:46 PM
what: PowerShell execution with encoded commands, hidden windows, bypass flags, or download cradles — T1059
when:
May 27, 2026 6:21:29 PM
May 27, 2026 6:22:56 PM
May 27, 2026 6:23:22 PM
May 27, 2026 6:28:46 PM
where: manytekpc-ljoe, manytekpc-scotte, desktop-9nmra7j , manytekpc-hjohn
why: The alert triggered because PowerShell executed encoded commands
Signinlogs:
desktop-9nmra7j had 0 users logged in for past 30 days, IP: 10.1.10.227
MITRE ATT&CK: T1059
Techniques: Command and Scripting Interpreter
Command Line:
“powershell.exe” -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcATQBhAG4AeQBUAGUAawAtAFMATwBDAC0ARABlAHQAZQBjAHQAaQBvAG4ALQBUADEAMAA1ADkALQBNAEEATgBZAFQARQBLAFAAQwAtAFMAQwBPAFQAVAAnAA== -WindowStyle Hidden
commands String:
Write-Host ‘ManyTek-Detection-MANYTEKPC-LJOE’ first encoded string
Write-Host ‘ManyTek-SOC-Detection-T1059-MANYTEKPC-SCOTT’ 2nd encoded string
Write-Host ‘ManyTek-Detection-DESKTOP-9NMRA7J’ 3rd encoded string