Blog:

Powershell Obfuscation Techniques with Bernard Mott

Jul 07, 2017

Hacking with PowerShell?? Are you kidding me? 

I thought PowerShell was just a fancy command prompt. But hackers have learned that the quickest way into a system is to just use the built-in tools that Microsoft already provides. With just a little help from Kali Linux and the PowerSploit tools (https://github.com/PowerShellMafia/PowerSploit), the hacker can create and execute malicious scripts on a host computer.

But what about my antivirus?

Antivirus systems can look for specific commands in scripts and trigger alerts for them. For example, your antivirus could look for some PowerShell cmdlets or strings, such as:

• Invoke-Expression
  
• New-object
  
• System.Net.Webclient
  
• Download.string
  

But what if the antivirus sees:

&("{1}{0}{3}{2}{4}" -f'nvok','i','expre','e-','ssion')

The expression above is the Invoke-expression cmdlet, but it has been re-ordered using the PowerShell format command. There is almost no possibility that the antivirus engine will be able to detect the obfuscated command.

The key to bypassing your AV filter is obfuscation. Hmm, there’s that word again. Google, help.

Obfuscation

 the action of making something obscure, unclear, or unintelligible.

"when confronted with sharp questions they resort to obfuscation"

Fortunately, my good friend Danny, at http://danielbohannon.com, has made it possible to obfuscate with ease. He built the PowerShell tool Invoke-Obfuscation, available at https://github.com/danielbohannon/Invoke-Obfuscation.

Here’s how it works, with screenshots.

The first step is to download the tool from github. Then run the Import-Module .\invoke-obfuscation.psd1 command in PowerShell.

You can see the script execute in the picture below.  

The next step is to use the SET SCRIPTBLOCK command to insert the malicious code into the obfuscation engine. In this case, I'm using that very malicious command, lpconfig.    

You can see various options for the encoding. I will use the "token" command to restructure the lpconfig command. 

You can see the result of the Ipconfig command after modification. 

.("{2}{1}{0}"-f 'onfig','pc','i')

I copied this string into another PowerShell window and ran it. The code executed and returned my ip address. (No applause, please. Just throw money!)

For more information on these hacking tools and techniques, and many others, please contact your account executive to schedule the Windows PowerShell class and EC-Council’s Certified Ethical Hacker class.  

 

---