Decode and analyze PowerShell, CMD, and Linux/Bash commands. Detects credentials, API keys, attack patterns, and maps to MITRE ATT&CK. Free, no login.
The Command Analyzer decodes and explains PowerShell, CMD, and Linux/Bash commands with automatic shell type detection. Paste a suspicious command from a SIEM alert, an EDR finding, or a threat report and get a plain-English explanation of what it does, along with flagged risks and MITRE ATT&CK technique mappings.
Obfuscated PowerShell is one of the most common techniques used by attackers to evade detection. Commands are often encoded with Base64, broken into string fragments and concatenated at runtime, or disguised with unusual casing, backticks, and format operators. The Command Analyzer automatically decodes these layers and reveals the underlying command so analysts can understand the attacker's intent without manually deobfuscating each piece.
The tool flags specific high-risk patterns: downloading files from the internet (Invoke-WebRequest, curl, wget), disabling security controls (Set-MpPreference, netsh advfirewall), credential dumping patterns (Mimikatz indicators, LSASS access), lateral movement (PsExec, WMI remote execution), and persistence mechanisms (scheduled tasks, registry run keys). Each finding is mapped to a specific MITRE ATT&CK technique ID.
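The decode-then-flag flow described in the two paragraphs above, as an added Python sketch (not DuckIntel's code or rule set). The rule list, the ATT&CK ID chosen for each pattern, the function names and the sample command are assumptions constructed for illustration; it handles only Base64 `-EncodedCommand` layers, backticks and quoted-string concatenation.

```python
import base64
import re

# Constructed rules (assumption): pattern, finding label, ATT&CK technique ID.
RULES = [
    (r"invoke-webrequest|\bcurl\b|\bwget\b", "file download", "T1105"),
    (r"set-mppreference", "Defender settings changed", "T1562.001"),
    (r"netsh\s+advfirewall", "firewall settings changed", "T1562.004"),
    (r"mimikatz|lsass", "credential dumping indicator", "T1003.001"),
    (r"psexec", "PsExec lateral movement", "T1021.002"),
    (r"schtasks|register-scheduledtask", "scheduled task", "T1053.005"),
    (r"currentversion\\run", "registry run key", "T1547.001"),
]
# "-flag value" pairs whose value looks like Base64.
FLAG = re.compile(r"(?<!\S)-([a-z]+)\s+([A-Za-z0-9+/=]+)", re.I)

def is_encoded_flag(flag):
    # PowerShell accepts -EncodedCommand by prefix (-e, -enc, ...) and as -ec.
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def normalize(cmd):
    cmd = cmd.replace("`", "")  # backticks inserted to split keywords
    return re.sub(r"""(['"])\s*\+\s*\1""", "", cmd)  # 'ab'+'cd' -> 'abcd'

def decode_layers(cmd, max_depth=5):
    layers = [cmd]
    for _ in range(max_depth):
        hit = next((m for m in FLAG.finditer(layers[-1])
                    if is_encoded_flag(m.group(1))), None)
        if hit is None:
            break
        try:  # -EncodedCommand carries Base64 of UTF-16LE text
            raw = base64.b64decode(hit.group(2), validate=True)
            layers.append(raw.decode("utf-16-le"))
        except ValueError:  # malformed Base64 or not UTF-16LE: keep what we have
            break
    return layers

def analyze(cmd):
    layers = decode_layers(cmd)
    text = normalize(layers[-1])
    findings = [("Base64-encoded command", "T1027")] if len(layers) > 1 else []
    findings += [(label, tid) for pat, label, tid in RULES
                 if re.search(pat, text, re.I)]
    return text, findings

# Constructed sample: an obfuscated inner command wrapped in -enc.
INNER = "Invo`ke-WebRe`quest -Uri 'http://example.invalid/x' -OutFile x; sch`tasks /query"
SAMPLE = "powershell.exe -NoP -enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()
```

`analyze(SAMPLE)` returns the normalized inner command together with a list of `(finding, technique ID)` pairs; a flag such as `-ExecutionPolicy` is not treated as an encoded payload because it is not a prefix of `-EncodedCommand`.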
Part of DuckIntel.io — 59 free browser-based security tools for SOC analysts. No login. No tracking. 100% client-side.