Malicious Powershell Deobfuscation Using CyberChef

Digit Oktavianto
MII Cyber Security Consulting Services
6 min read · Mar 14, 2021
Malicious PowerShell. Image credit: http://az4n6.blogspot.com/2018/06/malicious-powershell-in-registry.html

This is a hands-on tutorial on malicious PowerShell deobfuscation using CyberChef. It is based on a CTF exercise from the SANS ICS CTF featuring Dragos. They provided Windows Event Logs (.evtx files) and we had to analyze the abnormalities in those .evtx files. The objective was to find the IP address of the CNC server.

Windows Event Log Contain Obfuscated Powershell Command

I won’t use that question for our discussion in this blog post. I have another example that is pretty much the same as the CTF question; I got it from the Sophos blog. At the end of that blog post they have a PowerShell log that needs to be solved. Let’s get our hands dirty, guys:

Please go to this link: https://community.sophos.com/sophos-labs/b/blog/posts/decoding-malicious-powershell and scroll down until you see this section:

Exercise Deobfuscation Malicious Powershell

That is the exercise we will use in this post. It starts with this line:

%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <-redacted base64 ->

Before we get started, I want to revisit Base64 a little bit. Florian Roth, in one of his tweets, gave a cheat sheet about Base64:

Base64 Cheat Sheet from Florian Roth’s Tweet

You can take a look at Florian’s cheat sheet here: https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

Another cheat sheet that can help you understand Base64 (especially malicious Base64-encoded PowerShell scripts like our example above): https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Snippet Code from Sample Above
Another Snippet Code from Sample Above

First things first, we need to be comfortable with CyberChef. We will use CyberChef to decode the malicious PowerShell command, turning it into a human-readable command.

The 1st CyberChef recipe is: From Base64, then Decode text (UTF-16LE (1200)). Place the PowerShell encoded command in the Input and CyberChef will decode it for you in the Output column.

Decode Result in Output

As you can see, you can now read part of the PowerShell command. But you still need to perform another decode, since the attacker still hides the command in Base64 encoding.

Focus on the output and scroll until near the end. There is a clue there for what you should do next. Take a look at this line:

1st Output Decode Result

After the end of the Base64 string, you can see the compression option of the PowerShell command: gzip. Let’s decode this using CyberChef.

2nd Output Decode Result (Powershell Compression Gunzip)

The 2nd PowerShell decode recipe in CyberChef is: From Base64, then Gunzip. Place the Base64-encoded snippet in the Input and you can see the result in the CyberChef Output.

Note: you should be very aware of, and understand, what the code will do. That is the key to the 3rd deobfuscation phase in CyberChef. If you miss this one, you won’t be able to decode it and will end up with what looks like endlessly encoded Base64.

Here we have a function which creates a function signature dynamically. In short, it creates an empty delegate method. That method will be used later to help instantiate the shellcode.

Empty Delegation Method to Help Instantiate Shellcode

I tried to look for some references on Google based on the piece of code from the 2nd decode result. It has some similarity with the code of PowerSploit’s Invoke-DllInjection, found here: https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1

From the PowerSploit Invoke-DllInjection documentation: “Invoke-DllInjection injects a Dll into an arbitrary process. It does this by using VirtualAllocEx to allocate memory the size of the DLL in the remote process, writing the names of the DLL to load into the remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread to invoke LoadLibraryA in the context of the remote process.”

Code comparison between the 2nd decoded malicious PowerShell command above and PowerSploit Invoke-DllInjection

If you want to enhance your detection capability, take a look here for alerting and monitoring on DLL injection: https://systemcenter.wiki/?GetElement=Security.Monitoring.ForwardedEvents.InvokeDLLInjection&Type=Rule&ManagementPack=Security.Monitoring&Version=1.0.4.272

Speaking of shellcode, it is encoded in Base64 (again). However, this time we need an extra step to obtain it, since it is also encrypted. So we XOR it with the one-byte key 35, decrypting byte by byte.

Shellcode and the Decryption Key

Once the shellcode is decrypted, it is injected into memory. That’s why you won’t find any artifact on disk. We can categorize this as a fileless attack.

The steps are quite simple. The script uses the VirtualAlloc() API to allocate a 0x3000-byte buffer, then copies the shellcode into this memory (see the red box) and executes it (see the blue box).

OK, let’s decode the 3rd encoded script using CyberChef:

3rd Output Result from CyberChef showing the IP address of the command and control server

The 3rd PowerShell decode recipe in CyberChef is: From Base64, then XOR with key 35 (decimal).

From the 3rd deobfuscation in CyberChef we can see the IP address of the command and control server. At this point we have accomplished our objective: we got the IP address of the command and control server.
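The three CyberChef recipes above can be chained in a script when you have many of these command lines to process. The following is an added example, not code from the post or from the Sophos exercise; it rebuilds the same three layers (Base64 + UTF-16LE, Base64 + gunzip, Base64 + XOR 35) on a constructed sample whose shellcode only carries a TEST-NET address, and reads the XOR key out of the script itself rather than assuming 35.

```python
import base64
import gzip
import re

XOR_KEY = 35                                        # one-byte key used by the post's sample
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64-looking runs inside a script

def stage1_utf16(encoded: str) -> str:
    """-encodedcommand payload: From Base64, then decode UTF-16LE (CyberChef recipe 1)."""
    return base64.b64decode(encoded).decode("utf-16-le")

def stage2_gunzip(encoded: str) -> str:
    """Blob next to the CompressionMode::Decompress clue: From Base64, then Gunzip (recipe 2)."""
    return gzip.decompress(base64.b64decode(encoded)).decode("utf-8", "replace")

def stage3_xor(encoded: str, key: int = XOR_KEY) -> bytes:
    """Shellcode blob: From Base64, then XOR every byte with the one-byte key (recipe 3)."""
    return bytes(b ^ key for b in base64.b64decode(encoded))

def longest_b64(text: str) -> str:
    """The embedded payload is the longest Base64-looking run in the current layer."""
    return max(B64_RUN.findall(text), key=len)

def deobfuscate(cmdline: str) -> dict:
    """Walk all three layers; report the XOR key, shellcode size and any IPv4 strings found."""
    enc = re.search(r"-encodedcommand\s+(\S+)", cmdline, re.I).group(1)
    layer1 = stage1_utf16(enc)
    layer2 = stage2_gunzip(longest_b64(layer1))
    key_match = re.search(r"-bxor\s+(\d+)", layer2)   # take the key from the script, not a guess
    key = int(key_match.group(1)) if key_match else XOR_KEY
    shellcode = stage3_xor(longest_b64(layer2), key)
    ips = re.findall(rb"\d{1,3}(?:\.\d{1,3}){3}", shellcode)
    return {"key": key, "shellcode_len": len(shellcode), "ips": [ip.decode() for ip in ips]}

def build_constructed_sample() -> str:
    """Constructed command line mirroring the post's three layers (not the real payload)."""
    fake_shellcode = b"\x90" * 16 + b"192.0.2.10\x00" + b"\xcc" * 16   # TEST-NET-1 address, constructed
    layer3 = base64.b64encode(bytes(b ^ XOR_KEY for b in fake_shellcode)).decode()
    layer2 = (f"$sc=[Convert]::FromBase64String('{layer3}');"
              "for($i=0;$i -lt $sc.Length;$i++){$sc[$i]=$sc[$i] -bxor 35};"
              "$buf=[VirtualAlloc]::Invoke(0,0x3000,0x3000,0x40)")
    gz = base64.b64encode(gzip.compress(layer2.encode())).decode()
    layer1 = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
              f"(New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz}'))),"
              "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")
    enc = base64.b64encode(layer1.encode("utf-16-le")).decode()
    return f"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand {enc}"
```

Running `deobfuscate(build_constructed_sample())` on the constructed sample returns key 35, a 43-byte shellcode and the single address 192.0.2.10; on a real event log line, point `deobfuscate` at the command line from the .evtx record instead.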

For further analysis, we can save the shellcode as a binary file.

Saving Output (Shellcode) into a file for a later analysis of the Shellcode

One thing we can do with the shellcode is analyze its runtime behavior. We can use a shellcode debugger like scdbg.exe (http://sandsprite.com/blogs/index.php?uid=7&pid=152) or shcode2exe (https://github.com/accidentalrebel/shcode2exe) from your REMnux VM.

Shellcode debugging output using scdbg.exe, showing the IP address of the command and control server

From http://sandsprite.com/blogs/index.php?uid=7&pid=152:

“scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.”

We can see from scdbg.exe that the shellcode calls the Windows library functions InternetOpenA and InternetConnectA to reach the IP address of the command and control server. If you want to take a deeper look at the WinINet header, you can read the Microsoft documentation here: https://docs.microsoft.com/en-us/windows/win32/api/wininet/

As an alternative, you can leverage Unicorn Engine to emulate the execution.

Another technique to get the CNC IP address from the malicious PowerShell script is to execute it in a safe environment. If you get a similar obfuscation method, or maybe a harder one than explained above, and you only have a little time, you can try executing the PowerShell in your lab. Remember, it will actually execute in your environment, so make sure you understand the consequences. I suggest you also set up FakeDNS in order to get the details of what actually happens in the background when the script tries to communicate with the CNC server.

Execution in Powershell and Running the Wireshark

That’s all from my blog post. Thanks for reading.

Happy Hunting! Long Live Cyber Defender!


DFIR Enthusiast ; Threat Intelligence Enthusiast ; Born to be a Blue Team ; {GCIH, GMON, GCTI, GICSP, GCFE, eCMAP; eCTHPv2; CEH, CSA, CTIA, ECIH, CHFI}