Phase 1·T1059.001·Easy

Detecting PowerShell EncodedCommand Abuse

Catch base64-encoded PowerShell payloads — a hallmark of loaders, droppers, and post-exploitation frameworks.

#Windows #Sysmon #Wazuh #PowerShell #ATT&CK

Detection Objective

Detect any PowerShell invocation that uses the -EncodedCommand / -enc / -e flag to execute base64-encoded script content.

Real-World Attack Scenario

An attacker delivers a phishing document. The macro spawns powershell.exe -nop -w hidden -enc <base64> to download a second-stage implant. Encoded commands let the adversary smuggle obfuscated payloads past naïve string-matching defenses.

Why This Detection Matters

EncodedCommand usage is rare in legitimate user workflows but ubiquitous in offensive tooling (Cobalt Strike, Empire, Sliver). It is a near-free, high-signal early indicator of compromise.

ATT&CK Mapping

T1059.001 · Command and Scripting Interpreter — PowerShell
Tactic: Execution

Required Telemetry

  • Windows Security: Process creation with command line auditing (4688)
  • Sysmon: Event ID 1 — process creation
  • PowerShell: Script Block Logging (4104) — decoded payload visibility

Windows Event IDs: 4688
Sysmon Event IDs: 1
Wazuh Log Source: Windows EventChannel (Microsoft-Windows-Sysmon/Operational, Security)

Setup Steps

  1. Enable Audit Process Creation via Group Policy.
  2. Enable 'Include command line in process creation events'.
  3. Deploy Sysmon with a tuned config (e.g. SwiftOnSecurity baseline).
  4. Enable PowerShell Script Block Logging via GPO.
  5. Install Wazuh agent and subscribe to Sysmon + Security channels.

Safe Validation Command

Safe in-lab proof — prints 'detection-test' from a base64 payload.
powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon Event 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
ParentImage: C:\Program Files\Microsoft Office\WINWORD.EXE

Detection Logic (Wazuh rule concept)

Match Sysmon EventID=1 OR Security 4688 where Image ends with powershell.exe (or pwsh.exe) AND CommandLine matches /\s-(e|en|enc|encode|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i

False Positives

  • Microsoft SCCM / Intune wrappers that legitimately use -enc
  • Some vendor uninstallers and printer drivers

Tuning Recommendations

  • Allowlist signed parents in C:\Windows\CCM\ and Intune Management Extension.
  • Raise severity when parent is Office, mshta, wscript, cscript, or rundll32.

Analyst Triage Notes

  • Decode the base64 — Wazuh decoders or a Python one-liner.
  • Pivot on ParentImage and User.
  • Correlate to subsequent network connections (Sysmon EID 3).

Detection Improvement Ideas

  • Stack-rank decoded payloads by Shannon entropy.
  • Auto-decode and run YARA against the script body.
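The rule concept, the two tuning rules, the triage decode step and the entropy ranking idea above, combined into one check over Sysmon EID 1 style events. This is an added example, not code from the page or from Wazuh; the allowlist path fragments, the Office binary names in the risky-parent set, the "critical" escalation label and the sample events are assumptions constructed for the example.

```python
import base64
import math
import re

# Page's rule concept as a regex: any EncodedCommand alias + base64 blob of 16+ chars.
ENC_RE = re.compile(r"\s-(e|en|enc|encode|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Tuning from the page: allowlisted parent paths (fragments assumed), risky parents (names assumed).
ALLOWLISTED_PARENTS = ("c:\\windows\\ccm\\", "microsoft intune management extension")
RISKY_PARENTS = {"winword.exe", "excel.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def decode_encoded_command(blob):
    """-EncodedCommand payloads are base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")

def shannon_entropy(text):
    """Bits per character; lets decoded payloads be stack-ranked."""
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def evaluate(event):
    """Return None when the event does not match, otherwise an alert dict."""
    parent = event.get("ParentImage", "").lower()
    if not event["Image"].lower().endswith(POWERSHELL):
        return None
    m = ENC_RE.search(event["CommandLine"])
    if not m or any(frag in parent for frag in ALLOWLISTED_PARENTS):
        return None  # no encoded blob, or a tuned-out management wrapper
    severity = "high"  # page's baseline severity for rule 100330
    if parent.rsplit("\\", 1)[-1] in RISKY_PARENTS:
        severity = "critical"  # escalation label chosen here, not from the page
    payload = decode_encoded_command(m.group(2))
    return {"rule": 100330, "severity": severity, "parent": parent,
            "decoded": payload, "entropy": round(shannon_entropy(payload), 2)}

# Constructed sample events mirroring the page's Expected Log Output.
BLOB = "VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + BLOB},
    {"Image": PS, "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
     "CommandLine": "powershell.exe -enc " + BLOB},
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\report.ps1"},
]

def run_samples():
    return [evaluate(e) for e in SAMPLE_EVENTS]
```

The first sample fires at escalated severity with the decoded `Write-Host "detection-test"` body, the CCM-parented one is tuned out, and the unencoded `-File` invocation never matches the regex.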

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100330
Detecting PowerShell EncodedCommand Abuse
Windows EventChannel (Microsoft-Windows-Sysmon/Operational, Security)
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Decode the base64 — Wazuh decoders or a Python one-liner.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • -EncodedCommand
    Base64-encoded script body — used to hide intent from simple inspection.
  • -WindowStyle Hidden
    Suppresses the console window — rare for legitimate user workflows.
  • -NoProfile / -nop
    Skips profile scripts so attacker code runs in a clean, predictable environment.

Parsed Fields the Analyst Reads

  • Image: Process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: Who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: Arguments — where attacker intent shows up.
    powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
  • User: Account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: Telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: Rule that matched and produced this alert.
    100330
  • Agent: Endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: When it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern: PowerShell EncodedCommand Abuse
description: An attacker delivers a phishing document. The macro spawns powershell.exe -nop -w hidden -enc <base64> to download a second-stage implant. Encoded commands let the adversary smuggle obfuscated payloads past naïve string-matching defenses.
analyst takeaway: EncodedCommand usage is rare in legitimate user workflows but ubiquitous in offensive tooling (Cobalt Strike, Empire, Sliver). It is a near-free, high-signal early indicator of compromise. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command: powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
expected event: Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert: Wazuh rule 100330 — "Detecting PowerShell EncodedCommand Abuse" fires at a level matching severity=high.
confirming log fields: Image, ParentImage, CommandLine, User, EventID
analyst interpretation: The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion: Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.