When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string. Example:

PS C:\Users\xavier> $a="1+1"
PS C:\Users\xavier> Invoke-Expression $a
2
PS C:\Users\xavier> $a="(Invoke-WebRequest 'https://isc.sans.edu/api/handler').Content"
PS C:\Users\xavier> Invoke-Expression $a
<?xml version="1.0" encoding="UTF-8"?>
<handler>
<name>Xavier Mertens</name>
</handler>

Here is another version of the previous example, now obfuscated and handled via Invoke-Expression:

PS C:\Users\xavier> $a="(Invoke-WebRequest ('hXtXtXpXsX:X/X/XiXsXcX.XsXaXnXsX.XeXdXuX/XaXpXiX/XhXaXnXdXlXeXr'-replace([char]88,''))).Content"
PS C:\Users\xavier> Invoke-Expression $a
<?xml version="1.0" encoding="UTF-8"?>
<handler>
<name>Xavier Mertens</name>
</handler>

You understand now that the presence of Invoke-Expression in a PowerShell script can be an interesting indicator of malicious activity. You can roughly compare Invoke-Expression to eval() in JavaScript or exec() in Python and, as I like to say, eval() is evil. If Invoke-Expression is used to deobfuscate some code, it is a common string to search for. Guess what? Attackers are trying to hide the use of this cmdlet by implementing more obfuscation. Here is a list of common obfuscation tricks that I spotted while hunting for malicious PowerShell.

One of the PowerShell features is the use of compressed or abbreviated cmdlet names (aliases). Instead of using the full name, 'Invoke-Expression' is most of the time replaced by 'IEX'. This three-character string is then replaced by something more unreadable.

Example 1: Some characters are replaced:

'DEX'.replace('D','I')

Example 2: Concatenation of characters, some of them extracted from a specific position in another string ($PSHome = 'C:\Windows\System32\WindowsPowerShell\v1.0'):

$PSHome[21]+$PSHOme[34]+'x'

Example 3: Back quote pollution (simply ignored by PowerShell):

IE`x

Example 4: Extraction of characters from a string with a 'join':

( $VERBOSePRefereNCe.toSTRiNG()[1,3]+'X'-join'')

Example 5: More character extraction ($env:ComSpec = 'C:\WINDOWS\system32\cmd.exe'):

$ENV:COMsPEc[4,15,25]

When having a look at a suspicious script, the first goal is to try to spot the presence of this Invoke-Expression. Once found, a quick and dirty debugging technique is to replace the 'iex' occurrence with a simple 'echo' to get access to the deobfuscated code! The number of combinations is almost infinite, but those are the ones that I spot most frequently. Did you spot other techniques? Feel free to share them!

Xavier Mertens (@xme)
Xme 697 Posts ISC Handler Nov 5th 2020
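As an added, defender-side illustration (this is not code from the diary, its author or its commenters), the Python below undoes the five tricks listed above, plus the plain 'i'+'e'+'x' concatenation and the '-f' format-operator variant that readers posted in the comments, then flags every line that still calls IEX and applies the 'replace iex with echo' triage trick by swapping the call for Write-Output. It assumes the default contents of $PSHome, $env:ComSpec and $VerbosePreference ('SilentlyContinue') on a stock Windows host; the KNOWN_VARS table and the SAMPLE script are constructed for the example, and only literal arguments are resolved (unknown variables are left untouched rather than guessed).

```python
import re

# Constructed lookup table (assumption: default values on a stock Windows host) used to
# resolve "take character N of a well-known variable" tricks such as $PSHome[21].
KNOWN_VARS = {
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "env:comspec": r"C:\WINDOWS\system32\cmd.exe",
    "verbosepreference": "SilentlyContinue",
}

# A backtick followed by one of these letters is a real escape (`n, `t, ...); any other
# backtick is ignored by the parser, which is exactly what IE`x relies on.
_ESCAPE_LETTERS = "0abefnrtuv"


def strip_backticks(text: str) -> str:
    """IE`x -> IEx: drop backticks that do not start an escape sequence."""
    return re.sub(r"`(?![" + _ESCAPE_LETTERS + r"])", "", text)


def resolve_replace(text: str) -> str:
    """'DEX'.replace('D','I') -> 'IEX' (literal receiver and literal arguments only)."""
    pat = re.compile(r"'([^']*)'\.replace\('([^']*)'\s*,\s*'([^']*)'\)", re.I)
    return pat.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", text)


def resolve_indexing(text: str) -> str:
    """$PSHome[21] or $ENV:COMsPEc[4,15,25] -> the selected characters as one literal."""
    pat = re.compile(r"\$([\w:]+)(?:\.tostring\(\))?\[([\d,\s]+)\]", re.I)

    def sub(m):
        value = KNOWN_VARS.get(m.group(1).lower())
        if value is None:
            return m.group(0)  # unknown variable: leave it rather than guess
        picked = [int(i) for i in m.group(2).split(",")]
        return "'" + "".join(value[i] for i in picked if i < len(value)) + "'"

    return pat.sub(sub, text)


def resolve_format(text: str) -> str:
    """('{2}{1}{0}' -f 'x','e','i') -> 'iex' (the -f operator with literal arguments)."""
    pat = re.compile(r"'((?:\{\d+\})+)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)", re.I)

    def sub(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        slots = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
        return "'" + "".join(args[i] for i in slots if i < len(args)) + "'"

    return pat.sub(sub, text)


def merge_concatenation(text: str) -> str:
    """'i'+'e'+'x' -> 'iex', repeated until no adjacent literal pair is left."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        merged = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if merged == text:
            return text
        text = merged


def drop_empty_join(text: str) -> str:
    """-join'' adds nothing once the pieces are already a single literal."""
    return re.sub(r"\s*-join\s*''", "", text, flags=re.I)


def normalize(script: str) -> str:
    """Apply the decoders in the order the tricks nest: inner pieces first, glue last."""
    for step in (strip_backticks, resolve_replace, resolve_indexing,
                 resolve_format, merge_concatenation, drop_empty_join):
        script = step(script)
    return script


IEX_PATTERN = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.I)

# The whole invocation wrapper: optional . or & call operator, parentheses, quotes
# and the (now readable) cmdlet name itself.
_INVOCATION = re.compile(
    r"(?:[.&]\s*)?(?:\(\s*)*'?(?<![\w-])(?:iex|invoke-expression)(?![\w-])'?(?:\s*\))*",
    re.I)


def find_hidden_iex(script: str) -> list:
    """Return each normalized line that still invokes IEX / Invoke-Expression."""
    return [ln.strip() for ln in normalize(script).splitlines() if IEX_PATTERN.search(ln)]


def neutralize_iex(script: str) -> str:
    """The diary's 'swap iex for echo' trick: the payload gets printed instead of run."""
    return _INVOCATION.sub("Write-Output", normalize(script))


# Constructed sample: one line per trick from the diary and its comments, plus benign noise.
SAMPLE = r"""
$a = "1+1"
.('DEX'.replace('D','I')) $a
& ($PSHome[21]+$PSHOme[34]+'x') $a
IE`x $a
.( $VERBOSePRefereNCe.toSTRiNG()[1,3]+'X'-join'') $a
& $ENV:COMsPEc[4,15,25] $a
.(('{2}{1}{0}' -f 'x', 'e', 'i')) $a
Write-Host 'benign line'
"""

if __name__ == "__main__":
    for hit in find_hidden_iex(SAMPLE):
        print("hidden IEX:", hit)
    print(neutralize_iex(SAMPLE))
```

Run against SAMPLE, find_hidden_iex reports six lines (every variant except the assignment and the Write-Host line) and neutralize_iex rewrites each of them to `Write-Output $a`. The decoders are deliberately conservative: a variable that is not in KNOWN_VARS, or a .replace()/-f call with non-literal arguments, is left as-is, so a miss means "still obfuscated", not "clean". The real contents of $PSHome and friends differ between hosts and PowerShell editions, so the Write-Output version of a script is still best confirmed by running it in an isolated analysis VM.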
There are endless possibilities:
$cc = 'write-host "nice"'
.('i'+'e'+'x') $cc
&('i'+'e'+'x') $cc
.(('{2}{1}{0}' -f 'x', 'e', 'i')) $cc
$box = 'ëçú'.ToCharArray()
for ($i=0; $i -lt $box.Length; $i++) {$box[$i] = $box[$i] -bxor 0x82 }
.(-join($box)) $cc
Anonymous
Nov 5th 2020 1 year ago
Thanks for sharing, I like them!
Xme 697 Posts ISC Handler
Nov 5th 2020 1 year ago
One more:

$cc = 'Write-host "nice"'
sal qwe iex
$cc | qwe
qwe $cc
Anonymous
Nov 7th 2020 1 year ago