Reducing Binary Entropy

Introduction

Entry is the amount of randomness within a data set. As randomness increases, so does entropy. There are many type of entropy. In cybersecurity, we're focused on Shannon's entropy.

The image shows how to utilize entropy while threat hunting.

Measuring Entropy

def calc_entropy(buffer):
    if isinstance(buffer, str):
        buffer = buffer.encode()
    entropy = 0
    for x in range(256):
        p = (float(buffer.count(bytes([x])))) / len(buffer)
        if p > 0:
            entropy += - p * math.log(p, 2)
    return entropy

Choosing an Encryption Algorithm

When picking an encryption, encoding, or any other obfuscation algorithm. It's important to keep entropy in mind, that includes choosing the corrent algorithm but one that isn't too weak.

Another effective method to keeping entropy low is using the obfuscation algorithms.

IPv4fuscation, IPv6fuscation, Macfuscation, and UUIDfuscation** instead of using encryption algorithms**

Inserting English Strings

Another method we can use to reduce entropy is inserting english strings into the final implementation. It's recommended to use either all lower case or all upper case strings** to reduce the number of possibilities for every byte.**

Padding by Bytes

An easy way to reduce entropy is to pad the payloads ciphertext with the same byte repeatedly. Here is a MsfVenom payload before and after appending it with 285 bytes of 0xEA.

drastically dropping entropy from 5.88325 to 3.77597.

CRT Library Independant

The CRT, or C Runtime Library, is a standard interface for the C programming language. The CRT contains a collection of functions & macros. These functions are meant for managing memory, opening and manipulating files, etc. (memcpy, fopen, strcpy).

Removing CRT can drastically reduce the entropy of the final implementation.

Tool - EntropyReducer