Cynet's 24/7 MDR with the latest security updates and reportsDownload the Cyops Solution Brief
Written by: Max Malyutin
In this series of blogs, we’ll deep dive into various Powershell obfuscation and de-obfuscation techniques. Our aim is to provide analysts and malware researchers with hands-on actionable knowledge to add to their toolbox. As an increasingly common and rapidly evolving attack vector, understanding Powershell is as close as it gets to required learning in the domain of attack understanding and analysis. In this first blog, we’ll start with a high-level overview for those who are completely new to Powershell.
Powershell was initially created by Microsoft as a powerful task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.
However, the same properties that made Powershell the tool of choice for system administrators, makes it also a lethal weapon in the hands of malware writers. Powershell can easily import modules, access core Windows APIs, execute remote commands, start a process cmdlet which can be used to run an executable and the Invoke-Command which runs a command locally or on a remote computer. All these can be utilized both in the process of compromising an endpoint as part of a file-less malicious execution or following an initial compromise to expand a foothold in the attacked environment. It’s easy to see why Powershell can be regarded as the ultimate two-edged sword when it comes to cybersecurity.
Let’s look at some basic Powershell building blocks that are often found in malicious scripts samples. This script opens an external connection in order to download and execute a malicious binary file from a specific URL:
While in this example, a file is downloaded and then executed, the most common use of Powershell is for File-less Malware – i.e. malware that does not involve files and hence cannot be detected by standard signature-based technology. These attacks have been growing steadily in recent years and make up 70% of detected attacks in the wild. The two most common Windows tools used in file-less attacks are PowerShell and WMI due to their ability to be executed natively on Windows without writing data to disk.
The script is not saved on the disk but is rather loaded directly to memory by the IEX cmdlet (Invoke-Expression). The bypass parameter instructs the PowerShell command to ignore (bypass) the execution policies in order to allow the command to be executed remotely. By default, PowerShell is configured to prevent the execution of PowerShell scripts on Windows system.
Attackers often use various obfuscation techniques to hide most of the command and slow down analyst investigation. Obfuscation is the default way to make malicious code unreadable, not only to the human researcher but also to the various antimalware products that can hardly afford themselves the downtime that’s entailed in real time deobfuscation to reveal a payload’s actual intent.
Powershell can be executed in either one of the following ways:
An attacker typically uses obfuscation commands for the following reasons:
The most common PowerShell obfuscation techniques are:
In future blogs, we’ll go in detail over each technique describing both the obfuscation and related deobfuscation methods.