Phase 3 · T1027 · Advanced

Entropy Analysis on Decoded PowerShell Payloads

Flag high-entropy decoded blobs likely to be packed shellcode.

#Analytics #Advanced

Detection Objective

Compute Shannon entropy of base64-decoded payloads from EncodedCommand events.

Real-World Attack Scenario

An -enc payload decodes to high-entropy bytes — almost certainly compressed shellcode.

Why This Detection Matters

Entropy scores the decoded bytes themselves rather than any particular string, so it catches packed or compressed payloads that bypass string-based signatures.

ATT&CK Mapping

T1027 · Obfuscated Files or Information
Tactic: Defense Evasion

Required Telemetry

  • PowerShell 4104
Windows Event IDs: 4104
Sysmon Event IDs: 1
Wazuh Log Source: PowerShell/Operational

Setup Steps

  1. Enable PowerShell Script Block Logging so Event ID 4104 is recorded; compute the entropy of the decoded EncodedCommand argument in a Wazuh integration script and emit it as the decoded_entropy field.

Safe Validation Command

Encode a benign string; the base64 below is the UTF-16LE encoding of Write-Host "detection-test", so its decoded entropy will be low. This verifies that the decode-and-score pipeline runs end to end.
powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
⚠ lab use only · this project does not execute real malware

Expected Log Output

Wazuh enrichment field decoded_entropy = <float>

Detection Logic (Wazuh rule concept)

Alert when decoded_entropy > 7.2 bits per byte (the maximum for a byte stream is 8.0) on decoded payloads ≥ 1 KB.
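The objective and the rule above, worked through as an added example (not the project's own Wazuh integration script): it pulls the encoded argument out of a PowerShell command line, base64-decodes it, computes Shannon entropy in bits per byte, and applies the > 7.2 / ≥ 1 KB rule. The regex, function names and the uniform-byte stand-in for a packed blob are assumptions; the validation command is the one from this page.

```python
import base64
import math
import re
from collections import Counter

# Rule parameters taken from the page's detection logic.
ENTROPY_THRESHOLD = 7.2    # bits per byte; a uniform byte stream scores 8.0
MIN_PAYLOAD_BYTES = 1024   # rule applies only to decoded payloads >= 1 KB

# Assumption: match the common spellings of the flag (-e, -ec, -enc, -EncodedCommand).
_ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def evaluate_command_line(command_line: str) -> dict:
    """Enrich one command line the way an integration script would: extract the
    encoded argument, decode it, attach decoded_entropy and apply the rule."""
    match = _ENC_ARG.search(command_line)
    if not match:
        return {"encoded": False, "alert": False}
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error (bad length or padding) is a ValueError
        return {"encoded": True, "decode_error": True, "alert": False}
    entropy = shannon_entropy(decoded)
    return {
        "encoded": True,
        "decoded_bytes": len(decoded),
        "decoded_entropy": round(entropy, 3),
        "alert": entropy > ENTROPY_THRESHOLD and len(decoded) >= MIN_PAYLOAD_BYTES,
    }

def encoded_command_line(payload: bytes) -> str:
    """Constructed test helper: wrap raw bytes as a -enc command line."""
    return "powershell.exe -enc " + base64.b64encode(payload).decode()

if __name__ == "__main__":
    # The page's safe validation command: UTF-16LE text, so half of the bytes are 0x00.
    benign = ("powershell.exe -EncodedCommand "
              "VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA")
    print(evaluate_command_line(benign))   # low entropy, no alert
    # Constructed stand-in for a packed blob: every byte value equally often -> 8.0 bits/byte.
    print(evaluate_command_line(encoded_command_line(bytes(range(256)) * 8)))  # alert
```

The benign validation command scores well under the threshold, and a high-entropy blob below 1 KB is deliberately not alerted on, which is where the ≥ 1 KB clause keeps short random-looking arguments from paging the analyst.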

False Positives

  • Legitimate compressed configuration blobs

Tuning Recommendations

  • Adjust threshold per environment.

Analyst Triage Notes

  • Submit decoded bytes for static analysis.

Detection Improvement Ideas

  • Combine entropy with byte-histogram fingerprinting.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100898
Name: Entropy Analysis on Decoded PowerShell Payloads
Log source: PowerShell/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note
Submit decoded bytes for static analysis.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • -EncodedCommand
    Base64-encoded script body — used to hide intent from simple inspection.

Parsed Fields the Analyst Reads

  • Image: process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments — where attacker intent shows up.
    powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
  • User: account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100898
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
Entropy Analysis on Decoded PowerShell Payloads
description
An -enc payload decodes to high-entropy bytes — almost certainly compressed shellcode.
analyst takeaway
Bypasses string-based signatures. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100898 — "Entropy Analysis on Decoded PowerShell Payloads" fires at a level matching severity=medium.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.