Viewing commands from Base64 encoded and obfuscated Powershell script

  • Question

  • Hi,

    In the course of my work, I frequently come across Base64-encoded PowerShell scripts embedded in malicious Word documents. When I decode these scripts to see what they do, they are usually obfuscated using various techniques. While decoding the Base64 string is easy enough, deobfuscating it takes more time.

    Is there a way that I can run the PowerShell script (in a sandbox, of course) without decoding or manually deobfuscating it and see the final commands that are eventually executed?

    Thanks

    ChuckyGC

    Example of encoded script:

          powershell -e JAB7AFcAYABzAEMAcgBgAEk........

    The decoded (but obfuscated) string:

         $ { W ' s C r ' I P t } = . ( "  { 0} { 2 } {1} ' -f ' n e w - o ' , ' t ' , ' b j e c t '  ...........


    The resulting commands after manually deobfuscating:

         ${wscript} = .newobject -ComObject WScript.Shell...........

    Wednesday, September 27, 2017 3:07 PM

Answers

  • Hi Chucky,

    Yes, you can.

    • Create a sandboxed Windows 10 machine.
    • Disable the PowerShell v2 feature.
    • Enable Scriptblock logging.
    • Run the malicious code.
    • Check the event log for the script code.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    • Marked as answer by ChuckyGC Wednesday, September 27, 2017 5:29 PM
    Wednesday, September 27, 2017 3:36 PM
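    Fred's five steps carried out as one elevated PowerShell session, written here as an added example rather than Fred's own code. It is meant for a throwaway Windows 10 VM with networking turned off. The feature name, registry key and event ID are the documented Windows ones; the obfuscated sample payload is constructed for the example. One caveat worth knowing before relying on this: Event 4104 records each script block as the engine compiles it, so backtick and -f tricks that resolve at run time still appear obfuscated in the entry for the outer block. The plain command shows up only when the payload hands the rebuilt string to Invoke-Expression (or another step that compiles new code), which is what the sample does and what most droppers do at some layer. Disabling v2 matters because a payload started with "-Version 2" would otherwise land on an engine that has no script block logging at all.

```powershell
# Added example, not Fred's code: the five steps from the answer above as one
# elevated PowerShell session inside a disposable Windows 10 VM, network off.

# Step 1: remove the v2 engine so "powershell -Version 2" cannot downgrade the
# payload onto an engine that does not implement script block logging.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# Step 2: turn on script block logging machine-wide. These are the registry
# values the "Turn on PowerShell Script Block Logging" policy writes; any
# PowerShell process started afterwards honours them.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Step 3: run the sample. For a real case, set $encoded to the string that
# follows "powershell -e" in the document. This constructed payload mirrors the
# question: -f rebuilds "New-Object", a second -f rebuilds "iex", and the
# finished command line is handed to Invoke-Expression at run time.
$obfuscated = '.("{1}{0}" -f ''EX'',''i'') (("{0}{2}{1}" -f ''New-O'',''t'',''bjec'') + '' -ComObject WScript.Shell'')'
$encoded    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($obfuscated))
$start      = Get-Date
$proc       = Start-Process -FilePath powershell.exe `
                  -ArgumentList '-NoProfile', '-WindowStyle', 'Hidden', '-EncodedCommand', $encoded `
                  -PassThru -Wait

# Steps 4 and 5: read back every script block that child process compiled
# (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). Filtering on the
# child's PID drops the blocks this session compiles for its own pipeline.
# Properties[2] is ScriptBlockText; large blocks arrive as numbered fragments
# (Properties[0] of Properties[1]). You will see the outer block exactly as
# obfuscated and, separately, the string Invoke-Expression compiled, which
# already reads "New-Object -ComObject WScript.Shell".
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
} | Where-Object { $_.ProcessId -eq $proc.Id } | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Fragment = '{0} of {1}' -f $_.Properties[0].Value, $_.Properties[1].Value
        Script   = $_.Properties[2].Value
    }
} | Format-List
```

    The payload is launched as a separate powershell.exe rather than dot-sourced into the current session so that the new registry policy applies to it and so its events can be told apart by process ID. Snapshot the VM before step 3 and revert afterwards; the logging configuration is the only change you want to carry over between samples.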

All replies

  • Depending on the format of the string used when encoding, you should be able to write something like:


    [Text.Encoding]::stringtype.GetString([Convert]::FromBase64String('base64encodedvalue'))


    Where stringtype is one of the string type values (run [Text.Encoding] | Get-Member -MemberType Property -Static to see a list), and base64encodedvalue is the Base64-encoded string. I believe stringtype should be either UTF8 or ASCII. See here for more information:

    https://stackoverflow.com/questions/15414678/


    -- Bill Stewart [Bill_Stewart]




    Wednesday, September 27, 2017 3:41 PM
    Moderator
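    The question's sample is the payload of "powershell -e", and that switch takes UTF-16LE text, which .NET exposes as [Text.Encoding]::Unicode rather than UTF8 or ASCII. The page's own fragment confirms it: the first bytes of JAB7AFcAYABzAEMAcgBgAEk decode under UTF-16LE to ${W`sCr`I, the backtick-laced variable name that the decoded line in the question shows with quote marks where the backticks were. The function below is an added example, not code from the thread; it picks the encoding from the byte pattern so the same helper also handles a plain Base64 string pulled out of a script body, and the sample command it encodes is constructed here.

```powershell
# Added example, not code from the thread. Decodes the Base64 blob that follows
# "powershell -e" / "-EncodedCommand". That switch takes UTF-16LE text, which
# .NET calls [Text.Encoding]::Unicode; decoding it as UTF-8 or ASCII instead
# leaves a NUL after every character.
function ConvertFrom-EncodedCommand {
    param(
        [Parameter(Mandatory)]
        [string]$Base64
    )
    # Tolerate the "=" padding that forum posts and log extracts often strip.
    $trimmed = $Base64.Trim()
    $padded  = $trimmed + ('=' * ((4 - $trimmed.Length % 4) % 4))
    $bytes   = [Convert]::FromBase64String($padded)

    # UTF-16LE made from ASCII has a 0x00 in every odd position. Use that to tell
    # a -EncodedCommand payload from a plain Base64 string found inside a script
    # body, which is normally ASCII/UTF-8 and would decode to garbage as UTF-16.
    $oddNulls = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) {
        if ($bytes[$i] -eq 0) { $oddNulls++ }
    }
    $pairs = [Math]::Floor($bytes.Length / 2)
    if ($pairs -gt 0 -and $oddNulls -ge 0.9 * $pairs) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample: a harmless command encoded the way "powershell -e" expects.
$plain   = 'Write-Output "hello"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
ConvertFrom-EncodedCommand $encoded

# The wrong encoding makes the interleaved NULs visible.
([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))) -replace "`0", '<NUL>'

# A plain (non -e) Base64 string takes the other branch of the function.
ConvertFrom-EncodedCommand ([Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($plain)))
```

    The 90% threshold rather than an exact check leaves room for the occasional non-ASCII character in a UTF-16 payload; a Base64 string whose decoded length is odd cannot be well-formed UTF-16 and falls through to the UTF-8 branch unless it is overwhelmingly NUL-interleaved.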
  • Yes, this command I already use to decode the Base64 string. The harder part is deobfuscating the decoded string that I get.
    Wednesday, September 27, 2017 3:55 PM
  • Thank you, I will give this a try.
    Wednesday, September 27, 2017 3:59 PM
  • If the command is obfuscated before being encoded: There's no magic "deobfuscate this obfuscated code" command. (Otherwise what would be the point of obfuscating it in the first place?)

    -- Bill Stewart [Bill_Stewart]

    Wednesday, September 27, 2017 4:21 PM
    Moderator
  • Scriptblock logging gives me exactly what I was looking for. Thank you Fred!

    Chucky

    Wednesday, September 27, 2017 5:31 PM