Defense Evasion (TA0005)
The query keys off the `_ignored` metadata field: a command line longer than the keyword mapping's `ignore_above` limit is dropped from `process.command_line` and listed in `_ignored`, so the rule reads the full value from the `process.command_line.text` multi-field instead and then applies the per-interpreter indicators and the 4000-character threshold.

```esql
FROM logs-endpoint.events.process-* METADATA _id, _index, _version, _ignored
| MV_EXPAND _ignored
| WHERE _ignored == "process.command_line"
| WHERE event.category == "process" and event.type == "start"
| EVAL command_line = TO_LOWER(process.command_line.text), pname = TO_LOWER(process.name)
| WHERE (
    (
      /* Python: inline exec with base64 decode or -c flag with encoded payload */
      pname like "python*" and (
        command_line like "*b64decode*" or
        (command_line like "*-c*" and command_line like "*base64*")
      )
    ) or (
      /* PowerShell: encoded command flag — require trailing space to avoid matching -Encoding, -EncryptionType, -EncryptionProvider, etc. */
      (pname like "powershell*" or pname like "pwsh*") and (
        command_line rlike ".* -(e|en|enc|enco|encod|encode|encoded|encodedcommand) .+" or
        command_line like "*-encodedcommand*" or
        command_line like "*frombase64string*"
      )
    ) or (
      /* Node.js: buffer.from must be paired with base64 to avoid matching general Buffer usage; atob is always base64 */
      pname like "node*" and (
        (command_line like "*buffer.from*" and command_line like "*base64*") or
        command_line like "*atob(*"
      )
    ) or (
      /* Deno: eval( (not eval/evaluate/evaluation), atob, or buffer+base64 */
      pname like "deno*" and (
        command_line like "*atob(*" or
        (command_line like "*buffer.from*" and command_line like "*base64*") or
        command_line like "*eval(*"
      )
    )
  )
| EVAL Esql.length_cmdline = LENGTH(command_line)
| WHERE Esql.length_cmdline >= 4000
| KEEP *
```
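To see which command lines the predicate above accepts and rejects before deploying it, the following is an added example (not Elastic's code) that re-implements the rule's filters in Python and runs them over constructed process-start events. It assumes an `ignore_above` of 1024 on the keyword field to simulate `_ignored`; the event documents, payloads and helper names are all constructed for the example.

```python
"""Re-implementation of the rule's ES|QL predicate, run over constructed events."""
import base64
import re

# Assumption: process.command_line keyword is mapped with ignore_above=1024, so longer
# values are listed in _ignored while process.command_line.text keeps the content.
IGNORE_ABOVE = 1024
MIN_LENGTH = 4000

# Same pattern as the rule's rlike; the trailing space keeps -Encoding, -EncryptionType etc. out.
# ES|QL RLIKE matches the whole string, hence fullmatch below.
PS_ENCODED_FLAG = re.compile(r".* -(e|en|enc|enco|encod|encode|encoded|encodedcommand) .+")


def interpreter_indicator(pname: str, cl: str) -> bool:
    """Mirror the per-interpreter WHERE clause. Both inputs are already lower-cased."""
    if pname.startswith("python"):
        return "b64decode" in cl or ("-c" in cl and "base64" in cl)
    if pname.startswith(("powershell", "pwsh")):
        return (PS_ENCODED_FLAG.fullmatch(cl) is not None
                or "-encodedcommand" in cl or "frombase64string" in cl)
    if pname.startswith("node"):
        return ("buffer.from" in cl and "base64" in cl) or "atob(" in cl
    if pname.startswith("deno"):
        return "atob(" in cl or ("buffer.from" in cl and "base64" in cl) or "eval(" in cl
    return False


def matches_rule(event: dict) -> bool:
    """Apply the rule's filters in the same order as the query."""
    if "process.command_line" not in event.get("_ignored", []):
        return False
    if event["event.category"] != "process" or event["event.type"] != "start":
        return False
    cl = event["process.command_line"].lower()
    pname = event["process.name"].lower()
    if not interpreter_indicator(pname, cl):
        return False
    return len(cl) >= MIN_LENGTH


def make_event(pname: str, cmdline: str) -> dict:
    """Constructed ECS-like process-start document; _ignored simulates ignore_above."""
    ignored = ["process.command_line"] if len(cmdline) > IGNORE_ABOVE else []
    return {"_ignored": ignored, "event.category": "process", "event.type": "start",
            "process.name": pname, "process.command_line": cmdline}


def b64(text: str, encoding: str = "utf-8") -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed payloads: padding pushes the encoded command line past 4000 characters.
PAD = "# " + "A" * 3200 + "\n"
PY_PAYLOAD = b64(PAD + "print(1)")
PS_PAYLOAD = b64(PAD + "Write-Host hi", "utf-16le")  # PowerShell -e expects UTF-16LE
JS_PAYLOAD = b64(PAD + "console.log(1)")

SAMPLES = {
    "python_exec": make_event("python3.exe",
        "python3.exe -c \"import base64;exec(base64.b64decode('" + PY_PAYLOAD + "'))\""),
    "ps_encoded": make_event("powershell.exe",
        "powershell.exe -nop -w hidden -e " + PS_PAYLOAD),
    "node_buffer": make_event("node",
        "node -e \"eval(Buffer.from('" + JS_PAYLOAD + "', 'base64').toString())\""),
    # Short encoded command: never ignored and well under 4000 chars.
    "ps_short": make_event("powershell.exe",
        "powershell.exe -e " + b64("Write-Host hi", "utf-16le")),
    # Long but carries no base64 indicator.
    "python_long_plain": make_event("python.exe", "python.exe -c \"" + "x=1;" * 1100 + "\""),
    # -Encoding followed by a space must not trip the rlike.
    "ps_encoding_flag": make_event("pwsh", "pwsh -Encoding utf8 -File " + "a" * 4100 + ".ps1"),
    # Buffer.from with hex is excluded by design (no "base64" token).
    "node_hex": make_event("node", "node -e \"Buffer.from('" + "ab" * 2100 + "', 'hex')\""),
    # -ec is an accepted abbreviation of -EncodedCommand that the alternation does not list.
    "ps_ec": make_event("powershell.exe", "powershell.exe -ec " + PS_PAYLOAD),
}


def alerts() -> list:
    """Names of the constructed samples the rule would alert on."""
    return sorted(name for name, ev in SAMPLES.items() if matches_rule(ev))


if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:18s} len={len(ev['process.command_line']):5d} alert={matches_rule(ev)}")
```

Running it shows the three long encoded invocations alerting and the short, plain-text, `-Encoding` and hex samples staying quiet. The `ps_ec` sample also stays quiet: `powershell.exe` accepts `-ec` as a short form of `-EncodedCommand`, and neither the rlike alternation nor the `*-encodedcommand*` wildcard covers it, so an environment that wants that spelling caught needs to extend the alternation.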
Install detection rules in Elastic Security
Detect Long Base64 Encoded Command via Scripting Interpreter in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.