# Command-line substrings from a detection rule (presumably a `CommandLine|contains` list;
# the enclosing key is outside this excerpt and the list bullets were lost when the page
# collapsed it onto one line). Each value is a literal fragment; the leading/trailing spaces
# are part of the match and presumably keep short switches from matching inside longer words.
' -W Hidden '  # PowerShell -WindowStyle Hidden, abbreviated; common in malicious launchers
' -decode '  # certutil: Base64-decode a dropped file
' /decode '  # certutil: same switch, slash form
' /urlcache '  # certutil: URL cache switch used to fetch a remote file
' -urlcache '  # certutil: same switch, dash form
' -e* JAB'  # PowerShell -e/-enc/-EncodedCommand; 'JAB' is Base64 of a UTF-16LE '$' followed by a letter
' -e* SUVYI'  # encoded command; 'SUVYI' is Base64 of 'IEX ' in an 8-bit encoding
' -e* SQBFAFgA'  # encoded command; 'SQBFAFgA' is Base64 of 'IEX' in UTF-16LE
' -e* aWV4I'  # encoded command; 'aWV4I' is Base64 of 'iex ' in an 8-bit encoding
' -e* IAB'  # encoded command; 'IAB' is Base64 of a UTF-16LE space followed by a letter
' -e* PAA'  # encoded command; 'PAA' is Base64 of a UTF-16LE '<' (start of a tag/redirect)
' -e* aQBlAHgA'  # encoded command; 'aQBlAHgA' is Base64 of 'iex' in UTF-16LE
'vssadmin delete shadows'  # Shadow-copy deletion, a typical ransomware precursor
'reg SAVE HKLM'  # reg.exe hive save (SAM/SYSTEM) for offline credential/syskey extraction
' -ma '  # ProcDump full-memory dump switch
'Microsoft\Windows\CurrentVersion\Run'  # Run key on the command line, usually paired with REG ADD (persistence)
'.downloadstring('  # PowerShell WebClient download (string) - fetch-and-execute pattern
'.downloadfile('  # PowerShell WebClient download (to file)
' /ticket:'  # Rubeus: supply a Kerberos ticket
'dpapi::'  # Mimikatz module
'event::clear'  # Mimikatz event-log tampering
'event::drop'  # Mimikatz event-log tampering
'id::modify'  # Mimikatz module
'kerberos::'  # Mimikatz module
'lsadump::'  # Mimikatz module
'misc::'  # Mimikatz module
'privilege::'  # Mimikatz module
'rpc::'  # Mimikatz module
'sekurlsa::'  # Mimikatz module
'sid::'  # Mimikatz module
'token::'  # Mimikatz module
'vault::cred'  # Mimikatz credential-vault dump
'vault::list'  # Mimikatz credential-vault listing
' p::d '  # Mimikatz, abbreviated privilege::debug
';iex('  # PowerShell Invoke-Expression alias following a statement separator
'MiniDump'  # Process-dumping technique other than ProcDump (MiniDump API/export name); case-insensitive in Sigma
'net user ' |  # comment cut off on the page; presumably local user enumeration/creation - noisy in admin use, expect tuning