updated again after review

2021-05-13 12:45:55 -04:00 · 2021-05-13 12:45:55 -04:00 · ef66396943
--- a/Campaigns/snip3-encoded-powershell-structure.md
+++ b/Campaigns/snip3-encoded-powershell-structure.md
@ -10,8 +10,8 @@ At present, this method of encoding is much more rare, being seen largely with l

 ```kusto
 DeviceFileEvents
-| where InitiatingProcessFileName == "powershell.exe"
-| where InitiatingProcessCommandLine has_all ("IEX","System.Text.Encoding","::UTF8.GetString(@")
+| where InitiatingProcessFileName =~ "powershell.exe"
+| where InitiatingProcessCommandLine has_all ("IEX","Text.Encoding","UTF8.GetString(@")
 | where InitiatingProcessCommandLine has_any ("Unrestricted","Hidden")
 ```