Paul Melson
THREAD for beginning malware/SOC analysts: When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.)
Paul Melson May 21
Replying to @pmelson
Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, .
Paul Melson May 21
Replying to @pmelson
To de-obfuscate the rest of the script, replace 'IEX' with 'Write-Host'. This general approach, replacing an execution command with a print/write command, works in basically all interpreted languages. In this case, the output is more obfuscated PowerShell.
Paul Melson May 21
Replying to @pmelson
It's the same obfuscation techniques used in the original PowerShell script, but this time 'IEX' is reconstructed from $ShellId instead of .
Paul Melson May 21
Replying to @pmelson
When we replace 'IEX' with 'Write-Host' and run the script this time, we get human-readable code that is the final payload.
Paul Melson May 21
Replying to @pmelson
Here is the de-obfuscated PowerShell beautified and marked up. It is a simple TCP reverse shell that executes any PowerShell provided by the attacker C2 server, the address and port of which is hardcoded in the Net.Sockets.TCPClient() call in the first line of the script.
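The substitution the thread walks through, as an added example that is not code from the thread or from Paul Melson: a small Python helper that rewrites a script's execution primitive into its print primitive before the analyst runs the file in the sandbox VM. For PowerShell it first statically resolves the $ShellId[n] indexing the thread mentions (assuming the Windows PowerShell value "Microsoft.PowerShell") and folds the single-quoted concatenation, so the rebuilt 'iex' at the invocation site is visible and can be swapped for Write-Host. The JavaScript and VBS tables extend the thread's own claim that the trick works across interpreted languages; all three sample inputs are constructed for the example, not taken from the analysed malware.

```python
"""Swap a script's execution primitive for a print primitive so that running it in
a sandbox shows the next de-obfuscation layer instead of executing it.

Added example, not code from the thread. Assumptions: $ShellId resolves against the
constant "Microsoft.PowerShell" (its value in Windows PowerShell), and only
single-quoted string concatenation is folded.
"""
import re

# value of $ShellId in Windows PowerShell; indexes into it rebuild short command names
SHELL_ID = "Microsoft.PowerShell"

# execution primitive -> print primitive, per language (PowerShell/VBS are case-insensitive)
PRINT_SWAPS = {
    "powershell": [
        # invocation operator applied to a (now folded) literal: .('iex') or &('Invoke-Expression')
        (r"(?i)[.&]\s*\(?\s*'(?:iex|invoke-expression)'\s*\)?", "Write-Host"),
        # bare cmdlet, including the pipeline form  ... | iex
        (r"(?i)\b(?:iex|invoke-expression)\b", "Write-Host"),
    ],
    "javascript": [(r"\beval\s*\(", "console.log(")],
    "vbs": [
        (r"(?i)\bExecuteGlobal\b", "WScript.Echo"),
        (r"(?i)\bExecute\b", "WScript.Echo"),
    ],
}


def resolve_shellid_chars(script):
    """Replace $ShellId[<n>] with the character it selects, e.g. $ShellId[1] -> 'i'."""
    return re.sub(
        r"(?i)\$ShellId\[(\d+)\]",
        lambda m: "'" + SHELL_ID[int(m.group(1))] + "'",
        script,
    )


def fold_string_concat(script):
    """Join 'a'+'b' into 'ab' repeatedly, so 'i'+'e'+'x' becomes 'iex'."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        folded = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return folded
        script = folded


def neutralise(script, lang):
    """Return (rewritten script, number of execution primitives swapped)."""
    if lang == "powershell":
        script = fold_string_concat(resolve_shellid_chars(script))
    swapped = 0
    for pattern, replacement in PRINT_SWAPS[lang]:
        script, n = re.subn(pattern, replacement, script)
        swapped += n
    return script, swapped


# Constructed samples standing in for the thread's obfuscated stages (not real malware).
SAMPLE_PS = (
    "$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))\n"
    ".($ShellId[1]+$ShellId[13]+'x') $p\n"
)
SAMPLE_JS = "var s = atob(blob);\neval(s);\n"
SAMPLE_VBS = 'decoded = Replace(blob, "#", "")\nExecuteGlobal decoded\n'


if __name__ == "__main__":
    for lang, sample in (("powershell", SAMPLE_PS), ("javascript", SAMPLE_JS), ("vbs", SAMPLE_VBS)):
        rewritten, n = neutralise(sample, lang)
        print(f"--- {lang}: {n} execution primitive(s) swapped ---")
        print(rewritten)
```

The rewritten text is what you then run in the isolated VM; each run prints the next layer, which you feed back through the same helper until, as in the thread, the output is readable. A count of zero swaps is the signal to look for a primitive the table does not cover (an invocation built from a different variable, a Base64-encoded command line, and so on) rather than to run the script unchanged.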
Molley May 21
Replying to @pmelson
Is there any reason you'd do this over just running the script with full PowerShell logging (all types)? It's been pretty good at "de-obs" in the past for me. But I get the need to be able to do this manually too! 👍
Paul Melson May 21
Replying to @mrmolley
Yes, the reason is so that you don’t make network connections or system changes if and until you want to.
TJR May 21
Replying to @pmelson
Great post as always, Paul. 👍👍 A complementary learning method to this is to seek out your IT admins and get all their ps code to learn what “normal” looks like, to learn how/where it’s legitimately executed from, and to understand what legit flag patterns they use most.
Jake May 21
Replying to @pmelson
Great post! I'd love a thread on attribution between malicious and benign payloads. Red team Vs Threat Actor!