Security - Base64 decoding code in PowerShell

  • Question

  • Goal:

    My intention is to understand if there is any security risk of Base64 decoding malicious code in a PowerShell console that is using implicit remoting on a PowerShell Remote Server.

      $data = Read-Host                                                            # Base64 text typed at the prompt
      $decode = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("$data"))  # Base64 -> bytes -> UTF-8 string; nothing is executed
      $decode.ToString()                                                           # write the decoded string to the pipeline
    Question: Does decoding malicious PowerShell scripts pose a security risk with this code?

    Tuesday, January 17, 2017 2:50 PM

Answers

  • Hi Alexander,

    while I always recommend using an isolated VM for anything related to malware, decoding its code from Base64 will not run it unless the .NET Framework has a major security issue (which I'd assume had been fixed). Can I guarantee 100% security? No. The only two things that are 100% sure are death and taxes.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, January 17, 2017 2:56 PM

All replies

  • Encoding is NOT an encryption method.  It just takes a string and replaces all characters with  encoded text which anyone can decode.

    For security with remoting or most of the time you should use signed scripts.  They cannot be altered successfully.

    If you write a script that decodes and executes an anonymous encoded string then all bets are off.  You must control what is being sent.  If you use PowerShell remoting to send the encoded text then it cannot be altered in transit.


    \_(ツ)_/

    Tuesday, January 17, 2017 3:27 PM
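    The reply above recommends signed scripts. The following is an added example, not code posted in this thread, showing how a defender can audit a folder of scripts for signatures that are missing, broken or untrusted before they are used over remoting. The folder path `C:\Scripts` and the function name `Get-UnsignedScript` are assumptions for illustration.

```powershell
# Added example (not from the original thread). Lists every .ps1 file under a
# folder whose Authenticode signature is anything other than Valid, so those
# files can be reviewed before they are trusted or sent to a remote session.
function Get-UnsignedScript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)   # assumed: folder holding your scripts

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.FullName
                # SignatureStatus values include Valid, NotSigned, HashMismatch
                # (file changed after signing) and NotTrusted (unknown signer).
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object Status -ne 'Valid'
}

# Assumed path; replace with the directory that holds the scripts you sign.
Get-UnsignedScript -Path 'C:\Scripts' | Format-Table -AutoSize
```

    A HashMismatch entry is the interesting one for the thread's concern about altered scripts: the file was signed, then modified. Pairing this check with the AllSigned execution policy makes PowerShell refuse to run such files, but execution policy is a safety feature rather than a security boundary, so the audit is still worth running on its own.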
  • The script is meant for decoding various scripts for network security analysis, and possibly malware analysis. Do you suggest I remove this feature for security purposes? 

    I went ahead and signed all of my scripts as well.

    Thanks again JRV

    Tuesday, January 17, 2017 3:51 PM
    Why are you encoding your scripts?  It is not necessary under nearly any normal usage scenario.


    \_(ツ)_/

    Tuesday, January 17, 2017 3:55 PM
    We are decoding scripts that we are analyzing. We aren't the ones ENCODING them; this is for analysis. I am sorry for the ambiguity...
    • Edited by Alexander Sinno Tuesday, January 17, 2017 4:00 PM meant to say encoding not decoding
    Tuesday, January 17, 2017 3:57 PM
  • The question is "why are the scripts encoded to begin with?"


    \_(ツ)_/

    Tuesday, January 17, 2017 4:02 PM
  • I am guessing that attackers are encoding the scripts to avoid commandline formatting collisions or to avoid endpoint/av detection in some cases. 
    Tuesday, January 17, 2017 4:04 PM
    I suggest that that is not possible.  How can an attacker run a PowerShell script that is encoded?  There is no way.  What you are likely seeing is WinRM attempts where the payload is always encrypted.  It cannot be decoded.

    If you have people downloading things from the Internet then anything is possible.

    An encoded PowerShell script can only be executed at the command line:

    PowerShell -encodedCommand <string>

    How does your "attacker" get to run a command?


    \_(ツ)_/

    Tuesday, January 17, 2017 4:09 PM
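    Two points in this thread are worth seeing in code: the original question asks whether decoding a Base64 string can execute what it contains, and the reply above mentions `PowerShell -encodedCommand <string>`, which expects Base64 of UTF-16LE text rather than the UTF-8 the question's decoder assumed. The following is an added example, not code from the question or any reply. The function name `ConvertFrom-Base64Text`, the `Auto` encoding heuristic and the sample input are assumptions made for illustration; the behaviour of `[Convert]::FromBase64String` and `-EncodedCommand` is standard .NET and PowerShell.

```powershell
# Added example (not from the original thread). Decodes Base64 into text and
# returns it as data. Nothing here evaluates the result: FromBase64String and
# GetString yield a System.String, and only Invoke-Expression or
# [scriptblock]::Create() would turn that string into running code.
function ConvertFrom-Base64Text {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Base64,
        # 'Unicode' (UTF-16LE) is what powershell.exe -EncodedCommand expects;
        # 'UTF8' is what the decoder in the original question assumed.
        # 'Auto' (assumed heuristic) picks UTF-16LE when the second byte is 0,
        # which holds for ASCII-range text, the usual case for encoded commands.
        [ValidateSet('Auto', 'UTF8', 'Unicode')][string]$Encoding = 'Auto'
    )

    try {
        $bytes = [Convert]::FromBase64String($Base64)
    }
    catch [System.FormatException] {
        # Malformed input is rejected instead of being passed on as garbage.
        throw "Input is not valid Base64: $($_.Exception.Message)"
    }

    if ($Encoding -eq 'Auto') {
        $Encoding = if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) { 'Unicode' } else { 'UTF8' }
    }
    $text = if ($Encoding -eq 'Unicode') {
        [Text.Encoding]::Unicode.GetString($bytes)
    } else {
        [Text.Encoding]::UTF8.GetString($bytes)
    }

    [pscustomobject]@{
        Encoding   = $Encoding
        ByteLength = $bytes.Length
        Type       = $text.GetType().FullName   # System.String: data, not a ScriptBlock
        Text       = $text
    }
}

# Constructed sample input: a harmless command, encoded the way -EncodedCommand expects.
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))

# Auto-detects UTF-16LE and returns the readable command text.
ConvertFrom-Base64Text -Base64 $sample | Format-List

# Forcing UTF-8 on UTF-16LE bytes leaves NUL characters in the text: a quick tell
# that the wrong encoding was chosen when an analyst's decode looks "spaced out".
ConvertFrom-Base64Text -Base64 $sample -Encoding UTF8 | ForEach-Object { $_.Text.Length }

# Malformed input is caught rather than silently producing nonsense.
try { ConvertFrom-Base64Text -Base64 'not*base64' } catch { Write-Warning $_ }
```

    The returned object keeps the decoded text in a property instead of echoing it straight to the console, which makes it harder to paste the output into a command line by accident and easier to feed into further analysis. Decoding an `-EncodedCommand` payload this way reveals the command an operator tried to run without ever running it.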
  • Well, no attack starts with PowerShell. 

    A majority of the time we are seeing PowerShell scripts packed into executables, or other variants such as Poweliks, Kovter, etc., fileless types of malware that send base64 encoded phone-home traffic.

    No one is able to download strings from the internet on the remote server. I have yet to see WinRM type payloads. I would also be curious to look into this.

    Tuesday, January 17, 2017 4:14 PM
  • Lots of baby hackers trying things that won't work without a human on the receiving end enabling them.

    I wouldn't worry about what they are sending but how to block the malware to begin with.

    Ransomware is especially bad if you are not patched to date and running a good AV both at the firewall and on all systems.

    PowerShell is very secure but can be circumvented with assistance from humans.

    Good luck.


    \_(ツ)_/


    • Edited by jrv Tuesday, January 17, 2017 4:30 PM
    Tuesday, January 17, 2017 4:30 PM