Phase 3 · T1027 · Advanced
Obfuscation Scoring of PowerShell Script Blocks
Score script blocks for obfuscation heuristics (backticks, char arrays, splatting).
#PowerShell #Analytics
Detection Objective
Generate a composite obfuscation score and alert above a threshold.
Real-World Attack Scenario
Adversary uses Invoke-Obfuscation to evade signature rules.
Why This Detection Matters
Catches what regex cannot.
ATT&CK Mapping
T1027 · Obfuscated Files or Information
Tactic: Defense Evasion
Required Telemetry
- PowerShell 4104
Windows Event IDs
4104
Sysmon Event IDs
—
Wazuh Log Source
PowerShell/Operational
Setup Steps
- 4104 enabled; analytic runs in Wazuh integration or downstream.
Safe Validation Command
Run a benign script with deliberate noise characters.
powershell.exe -c "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
⚠ lab use only · this project does not execute real malware
Expected Log Output
4104 ScriptBlockText with high concat / backtick density
Detection Logic (Wazuh rule concept)
Score = w1*backtick_count + w2*concat_count + w3*char_array_count + w4*entropy. Alert if score > T.
False Positives
- Heavily templated config scripts
Tuning Recommendations
- Calibrate weights per environment.
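As an added worked example (not code from this project or from Wazuh) of the composite score under Detection Logic and of the weights the tuning note says to calibrate: the scorer below counts backticks, adjacent-literal concatenation, and [char] casts in a 4104 ScriptBlockText, adds Shannon entropy, and alerts above a threshold. The weights, the threshold, the regexes, and the three sample script blocks are all constructed for illustration; the first sample is the page's validation command, the others are assumed benign and noisy inputs.

```python
import math
import re
from collections import Counter

# Illustrative weights and threshold (assumed values, not from the page);
# the page's own tuning advice is to calibrate these per environment.
WEIGHTS = {"backtick": 1.0, "concat": 1.0, "char_array": 1.5, "entropy": 0.5}
THRESHOLD = 3.5

# Cheap feature heuristics over the raw ScriptBlockText; not a PowerShell parser.
BACKTICK_RE = re.compile(r"`")
# A quoted literal joined to another quoted literal by '+', e.g. 'det'+'ect'
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")
# [char]NN and [char[]] casts used to rebuild strings from code points
CHAR_ARRAY_RE = re.compile(r"\[char(?:\[\])?\]", re.IGNORECASE)

# Constructed sample script blocks (the first is the page's validation command).
VALIDATION_BLOCK = "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
BENIGN_BLOCK = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
NOISY_BLOCK = "$x = -join ([char]100,[char]101,[char]116); Wr`ite-Ho`st $x"


def shannon_entropy(text: str) -> float:
    """Bits per character over the whole script block text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def extract_features(text: str) -> dict:
    """The four terms of the page's formula: backtick, concat, char_array, entropy."""
    return {
        "backtick": len(BACKTICK_RE.findall(text)),
        "concat": len(CONCAT_RE.findall(text)),
        "char_array": len(CHAR_ARRAY_RE.findall(text)),
        "entropy": shannon_entropy(text),
    }


def score_script_block(text: str, weights: dict = WEIGHTS, threshold: float = THRESHOLD) -> dict:
    """Score = sum(w_i * feature_i); alert when score > threshold."""
    feats = extract_features(text)
    score = sum(weights[k] * feats[k] for k in weights)
    return {"features": feats, "score": round(score, 3), "alert": score > threshold}


if __name__ == "__main__":
    for label, block in (("validation", VALIDATION_BLOCK),
                         ("benign", BENIGN_BLOCK),
                         ("noisy", NOISY_BLOCK)):
        result = score_script_block(block)
        print(f"{label:10s} score={result['score']:.3f} alert={result['alert']} "
              f"features={result['features']}")
```

With these illustrative weights the entropy term can never cross the threshold on its own: an entropy above 7 bits would need more than 128 distinct characters in one script block, so entropy only pushes a block that already shows concat, backtick or [char] signals over the line. That is the reason for the small w4; raising it is the quickest way to turn templated config scripts into the false positives the page warns about.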
Analyst Triage Notes
- Pretty-print and deobfuscate for review.
Detection Improvement Ideas
- Train a small classifier on labeled scripts.
log analysis layer
Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.
siem · log evidence
rule 100283
Obfuscation Scoring of PowerShell Script Blocks
PowerShell/Operational
Event ID
Windows EID 4104
Image
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent
C:\Windows\explorer.exe
CommandLine
powershell.exe -c "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
User
CORP\j.doe
Agent
WIN10-LAB-01
Timestamp
2026-05-26T14:32:11Z
analyst note
Pretty-print and deobfuscate for review.
Parent → Child Analysis
explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.
Command-Line Flags Observed
- (no high-risk flags in this test)
Signal value comes from context (parent, network, persistence) rather than flags.
Parsed Fields the Analyst Reads
- Image — Process binary that executed — confirms PowerShell: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- ParentImage — Who launched it — context for legitimacy: C:\Windows\explorer.exe
- CommandLine — Arguments — where attacker intent shows up: powershell.exe -c "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
- User — Account context — service vs interactive vs SYSTEM: CORP\j.doe
- EventID — Telemetry channel and event type: Windows EID 4104
- Wazuh Rule ID — Rule that matched and produced this alert: 100283
- Agent — Endpoint that produced the telemetry: WIN10-LAB-01
- Timestamp — When it happened — anchor for correlation: 2026-05-26T14:32:11Z
Malicious Pattern
pattern
Obfuscation Scoring of PowerShell Script Blocks
description
Adversary uses Invoke-Obfuscation to evade signature rules.
analyst takeaway
Catches what regex cannot. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.
proof the detection worked
test command
powershell.exe -c "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
expected event
Windows EID 4104 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100283 — "Obfuscation Scoring of PowerShell Script Blocks" fires at a level matching severity=medium.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.