Powershell

Powershell commands obfuscation

Recently I started a security course on edx.org which, in one of its topics, talked about PowerShell command obfuscation.

To see how this is done, take a look at the PowerShell help text, right at the end, where the following example is given:

# To use the -EncodedCommand parameter:
$command = 'dir "c:\program files" '
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand

So, for example, if you wanted to obfuscate the domain name I am using now, you would type the command below. Note that the string is encoded as UTF-16LE (what .NET calls Unicode), not ASCII, before it is Base64-encoded. The second line is the result:

PS C:\Windows\system32> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'virtualization.ro'"))
JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=
PS C:\Windows\system32>

If you would like to use PowerShell to de-obfuscate the command, reverse the two steps: Base64-decode the value obtained above, then decode the resulting bytes as UTF-16LE.

PS C:\Windows\system32> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA='))
'virtualization.ro'
PS C:\Windows\system32>

To run the obfuscated command, simply pass the encoded value to powershell.exe with -ec, the short form of -EncodedCommand:

PS C:\Windows\system32> powershell.exe -ec JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=
virtualization.ro
PS C:\Windows\system32>
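The same encoding is what a defender sees in process-creation logs, so the decoding step above is also the basis of a detection. The following is an added Python example, not code from the original post: it finds any accepted spelling of the flag (-e, -ec, -enc, -EncodedCommand), Base64-decodes the argument, decodes it as UTF-16LE, and returns None for values that are not a valid encoded command. The log lines are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so a rule that only looks for the full spelling misses most
# real command lines. Capture a dash/slash flag starting with "e" plus the
# following argument, then check the flag name separately.
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def _is_encoded_flag(name):
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    for m in FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1), m.group(2)
        if not _is_encoded_flag(flag):
            continue  # e.g. -ExecutionPolicy Bypass
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")
        except ValueError:
            # Covers bad Base64 padding (binascii.Error) and an odd byte
            # count that cannot be UTF-16LE (UnicodeDecodeError).
            return None
    return None


# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "powershell.exe -ec JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -e JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA",
]


def scan(lines):
    """Pair each log line with its decoded command (None when nothing decodes)."""
    return [(line, decode_encoded_command(line)) for line in lines]


if __name__ == "__main__":
    for line, decoded in scan(SAMPLE_LOG):
        print(repr(decoded), "<-", line)
```

The decoded text is what should be matched against detection rules; the Base64 form changes completely with a single added space in the original command.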
