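// Process-creation events (4688) in which PowerShell was started with an
// abbreviated (prefix-matched) parameter such as -WindowStyle Hidden, -NoProfile,
// -NonInteractive or -EncodedCommand. PowerShell accepts any unambiguous prefix of
// a parameter name, so truncated spellings are a common way to slip past rules
// that only look for the full parameter.
//
// Prerequisite: "Include command line in process creation events" must be enabled
// on the audited hosts; otherwise CommandLine is empty and this query never matches.
//
// Corrections relative to the original one-line query:
//   * EventID is an integer column, so it is compared with 4688, not the string "4688".
//   * SecurityEvent 4688 exposes the started binary as NewProcessName; Image is a
//     Sysmon column and is not present on this table.
//   * `and` binds tighter than `or`, so only the first CommandLine clause was gated on
//     the process name; the CommandLine alternatives are now parenthesised together.
//   * CommandLine holds the whole command line, so an exact `==` match against a
//     fragment such as " -win h " can never fire; `contains` (case-insensitive
//     substring) expresses what was intended.
//   * pwsh.exe (PowerShell 7+) is covered alongside powershell.exe.
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith "\\powershell.exe" or NewProcessName endswith "\\pwsh.exe"
| where (
    // -WindowStyle Hidden with truncated parameter name and/or value
    CommandLine contains " -windowstyle h "
    or CommandLine contains " -windowstyl h"
    or CommandLine contains " -windowsty h"
    or CommandLine contains " -windowst h"
    or CommandLine contains " -windows h"
    or CommandLine contains " -windo h"
    or CommandLine contains " -wind h"
    or CommandLine contains " -win h"
    or CommandLine contains " -wi h"
    or CommandLine contains " -win h "
    or CommandLine contains " -win hi "
    or CommandLine contains " -win hid "
    or CommandLine contains " -win hidd "
    or CommandLine contains " -win hidde "
    // -NoProfile, truncated
    or CommandLine contains " -NoPr "
    or CommandLine contains " -NoPro "
    or CommandLine contains " -NoProf "
    or CommandLine contains " -NoProfi "
    or CommandLine contains " -NoProfil "
    // -NonInteractive, truncated
    or CommandLine contains " -nonin "
    or CommandLine contains " -nonint "
    or CommandLine contains " -noninte "
    or CommandLine contains " -noninter "
    or CommandLine contains " -nonintera "
    or CommandLine contains " -noninterac "
    or CommandLine contains " -noninteract "
    or CommandLine contains " -noninteracti "
    or CommandLine contains " -noninteractiv "
    // -EncodedCommand, truncated (and its documented short form -ec)
    or CommandLine contains " -ec "
    or CommandLine contains " -encodedComman "
    or CommandLine contains " -encodedComma "
    or CommandLine contains " -encodedComm "
    or CommandLine contains " -encodedCom "
    or CommandLine contains " -encodedCo "
    or CommandLine contains " -encodedC "
    or CommandLine contains " -encoded "
    or CommandLine contains " -encode "
    or CommandLine contains " -encod "
    or CommandLine contains " -enco "
    or CommandLine contains " -en "
)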