To illustrate some of the difficulties involved with this, back in 2012 Matthew Graeber published a blog post about a PowerShell script he put together that could load shellcode into memory and execute it.
Powershell cmd c code#
To try and perform analysis on the data then, I needed to try and identify the code and attempt to determine what generated the code, or at minimum, attempt to cluster the code into like-buckets.
Powershell cmd c download#
This is evidenced by the fact that the underlying code is almost identical with just slight adjustments to download locations and the like. Now, it’s no surprise but the majority of the encoded data is clearly generated from templates and public tools - attackers aren’t re-inventing the wheel every time they need to run shellcode or download another malicious file. Keeping that in mind, I came up with the below regex that gave decent coverage to the possible variants and could easily be applied to a huge corpus of dynamic analysis reports.ĪagBwAGcAIABzAGMAcgBvAGIAagAuAGQAbABsAAoA There are well over 100,000 variations possible by using combinations of these methods for the “EncodedCommand” parameter alone. Powershell.exe –^e^C^ ZQBjAGgAbwAgACIAVwBpAHQAYwBoACIA
![powershell cmd c powershell cmd c](https://www.itechguides.com/wp-content/uploads/2019/07/powershell.exe-encodedCommand-1024x799.png)
Because PowerShell gives you a lot of flexibility when it comes to calling different parameters, identifying samples isn’t as straightforward as one might expect.īelow are three examples of different ways the EncodedCommand parameter can be called: To perform this analysis, I needed to first identify samples that were using this technique. Second, I will be using this blog to catalog the PowerShell code with examples of each decoded sample to aide in future identification or research.
![powershell cmd c powershell cmd c](https://i1.wp.com/ridicurious.com/wp-content/uploads/2018/08/Chapter4-PSPY.jpg)
![powershell cmd c powershell cmd c](https://blog.itpro.tv/wp-content/uploads/2020/08/Get-Command5-1024x532.jpg)
First, in the “Analysis Overview”, I will be analyzing 4,100 recent samples identified within Palo Alto Networks AutoFocus that employ this EncodedCommand technique to see how PowerShell is being used and what techniques are being used in the wild for PowerShell attacks. The purpose of this blog will be two-fold. By masking the “malicious” part of your command from prying eyes you can avoid strings that may tip-off the defense. As shown above from the PowerShell Help output, it’s a command intended to take complex strings that may otherwise cause issues for the command-line and wrap them up for PowerShell to execute.