Showing posts from July, 2018

Analyzing obfuscated PowerShell with shellcode

Recently, a PowerShell script came across my lab and I thought it might be worthwhile showing others how to handle this type of payload. Many PowerShell frameworks exist that allow pen-testers and attackers alike to build payloads with ease. The two I see most often are:
Cobalt Strike - https://www.cobaltstrike.com/
PowerShell Empire - https://github.com/EmpireProject/Empire

The Script

So let's just dive right in. What does a PowerShell payload look like?

Figure 1: Original PowerShell script
When starting any malware analysis, I tend to look for low-hanging fruit. In this case, I see a few things that interest me:
- "[Byte[]]$mK = [System.Convert]::FromBase64String" followed by Base64-encoded text.
- "kernel32.dll VirtualAlloc" followed by "$mK.Length,0x3000, 0x40"
- "kernel32.dll CreateThread"
- "kernel32.dll WaitForSingleObject"

What's happening here is that the Base64-encoded payload is being decoded and converted into a byte array and later as…
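The same indicators can be pulled out statically, without ever running the script. The following triage helper is an added example written for this post, not code from the original analysis: it locates the `[Byte[]] ... FromBase64String(...)` assignment, decodes the blob to bytes for hashing and later disassembly, parses the `VirtualAlloc` allocation-type and page-protection arguments (0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE), and lists the kernel32 APIs referenced. The `SAMPLE_SCRIPT` is a constructed stand-in for Figure 1 whose Base64 blob is a harmless placeholder string, not shellcode; the surrounding `$fn.Invoke(...)` lines are hypothetical scaffolding that only reproduces the strings quoted above.

```python
import base64
import hashlib
import re

# Constructed sample mimicking the layout of the script in Figure 1. The blob is a
# harmless placeholder string, not shellcode; the Invoke() wrappers are hypothetical.
PLACEHOLDER_BLOB = base64.b64encode(b"placeholder bytes, not shellcode").decode()
SAMPLE_SCRIPT = (
    '[Byte[]]$mK = [System.Convert]::FromBase64String("' + PLACEHOLDER_BLOB + '")\n'
    '$va = $fn.Invoke("kernel32.dll VirtualAlloc")\n'
    '$addr = $va.Invoke(0, $mK.Length,0x3000, 0x40)\n'
    '$ct = $fn.Invoke("kernel32.dll CreateThread")\n'
    '$ws = $fn.Invoke("kernel32.dll WaitForSingleObject")\n'
)

# [Byte[]]$name = [System.Convert]::FromBase64String("....")
BLOB_RE = re.compile(
    r"""\[Byte\[\]\]\$(?P<var>\w+)\s*=\s*\[System\.Convert\]::FromBase64String\("""
    r"""\s*["'](?P<b64>[A-Za-z0-9+/=\s]+)["']""",
    re.IGNORECASE,
)
# "kernel32.dll <ApiName>" string pairs used for the dynamic API lookups
API_RE = re.compile(r"kernel32\.dll\s+(?P<api>\w+)", re.IGNORECASE)
# VirtualAlloc(..., $blob.Length, <allocation type>, <protection>)
ALLOC_RE = re.compile(
    r"VirtualAlloc.*?\$(?P<var>\w+)\.Length\s*,\s*(?P<alloc>0x[0-9a-f]+)\s*,\s*(?P<prot>0x[0-9a-f]+)",
    re.IGNORECASE | re.DOTALL,
)

# Documented Win32 constants for VirtualAlloc's flAllocationType and flProtect.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_FLAGS = {0x40: "PAGE_EXECUTE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x04: "PAGE_READWRITE"}
# The API trio the post calls out as the low-hanging fruit of a shellcode loader.
INJECTION_APIS = {"VirtualAlloc", "CreateThread", "WaitForSingleObject"}


def extract_blobs(script):
    """Decode every [Byte[]] = FromBase64String(...) assignment; nothing is executed."""
    blobs = []
    for m in BLOB_RE.finditer(script):
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("b64")))
        blobs.append({
            "var": m.group("var"),
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "data": raw,  # hand this to a disassembler or scdbg-style emulator next
        })
    return blobs


def find_apis(script):
    """Collect the kernel32 API names the script resolves at run time."""
    return {m.group("api") for m in API_RE.finditer(script)}


def describe_alloc(script):
    """Translate the numeric VirtualAlloc arguments into their symbolic flag names."""
    m = ALLOC_RE.search(script)
    if not m:
        return None
    alloc = int(m.group("alloc"), 16)
    prot = int(m.group("prot"), 16)
    return {
        "var": m.group("var"),
        "alloc": [name for bit, name in MEM_FLAGS.items() if alloc & bit],
        "protect": PAGE_FLAGS.get(prot, hex(prot)),
    }


def triage(script):
    """Static summary: decoded blobs, resolved APIs, allocation flags and a verdict."""
    blobs = extract_blobs(script)
    apis = find_apis(script)
    alloc = describe_alloc(script)
    suspicious = (
        bool(blobs)
        and INJECTION_APIS <= apis
        and alloc is not None
        and alloc["protect"] == "PAGE_EXECUTE_READWRITE"
    )
    return {
        "blobs": blobs,
        "apis": apis,
        "alloc": alloc,
        "verdict": "likely shellcode loader" if suspicious else "needs manual review",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    for b in report["blobs"]:
        print(f"${b['var']}: {b['size']} bytes, sha256 {b['sha256']}")
    print("APIs:", sorted(report["apis"]))
    print("VirtualAlloc:", report["alloc"])
    print("Verdict:", report["verdict"])
```

The verdict is deliberately conservative: a decoded byte array alone is common in legitimate scripts, so the helper only flags a loader when the RWX allocation and the full VirtualAlloc/CreateThread/WaitForSingleObject sequence are all present. The decoded `data` field is what you carve to disk for the shellcode analysis that follows.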