Share this page!

Maybe Scrolly?
Paul Melson Profile picture
Twitter logo
20 Oct, 5 tweets, 2 min read
THREAD
Found an interesting #PowerShell dropper today that uses multiple rounds of complex obfuscation, even actual encryption. And I reversed the whole things using one stupid trick: Replace 'Invoke-Expression' with 'Write-Host' Wanna see? Image
The initial script has two lines: the first writes obfuscated code to the string variable0 $dz61UV and the second executes the contents of that string with Invoke-Expression after first reversing the order of bytes and stripping out unneeded spaces. Image
Invoke-Expression is first replaced with its shorthand 'IEX' and then in the next round reconstructed to 'ieX' from characters in the Windows $ShellId global environment variable. In both cases, replacing with Write-Host works just fine. ImageImage
The next block of code is encrypted as a SecureString. In this case, 'IEX' is reconstructed using Get-Variable ('gV') to get the name of $MaximumDriveCount using a wildcard match. Clever. But, who cares? Write-Host FTW! Image
Finally, here is our fully decoded and decrypted dropper code.

Everybody say, "Hi!" to Red Team and their C2 domain, gov145news[.]com. 👋🤣 Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Paul Melson

Paul Melson Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @pmelson

Paul Melson Profile picture
24 Aug
THREAD
Prompted by a thread earlier today, I've compiled a few presentations that Target's cybersecurity team members have given over the years that I think are particularly interesting or novel, mostly aligned to the themes of maturity and innovation.
Target alumni @jshlbrd presenting on file analysis with Strelka* at @BSidesSF 2019:
Target team members @malz_intel and Paul Hutelmeyer talking about detection with Strelka* and introducing some new scanning modules at FIRSTCon 2021:
Read 9 tweets
Paul Melson Profile picture
23 Aug
THREAD:
If you work in cyber, you should understand the basic mechanics of risk. I don’t mean RISK = IMPACT * LIKELIHOOD. I mean, what can you do about a risk once you know about it? There are 4 basic strategies:
1. Avoid - Don’t do the thing that introduces the risk in the first place. In cyber, this requires being part of purchasing and/or design decisions *with* *decision* *authority*. This is the rarest, but also the most effective risk management strategy.
2. Transfer - Make it someone else’s problem. This is cyber insurance and outsourcing. Thing is, it only works for monetary or legal liabilities. It doesn’t do diddly for reputation or disruption. It’s naive to think you can buy your way out of risk in cyber.
Read 5 tweets
Paul Melson Profile picture
30 Mar
THREAD
Let's analyze a malicious VBA macro payload. On visual inspection, we can easily see that the macro performs string concatenation and then uses Shell() to execute a PowerShell script. It declares AutoOpen() & Workbook_Open() in order to execute when the document is opened.
Once we decode the base64 script from the macro, we can see that it further obfuscates its intention with more base64 encoding and gzip compression.
When we decode & decompress the long string, we get the final PowerShell payload. This script creates a byte array containing shellcode from another base64 encoded string, which it will then reflectively load into kernel32.dll running in memory.
Read 6 tweets
Paul Melson Profile picture
16 Jan
THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7
First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7
To make Find Evil work, you need to think of attackers as groups with motivations and goals, then frame that in the context of a process, lifecycle, or even a cyber kill chain. Seriously, this is key. 3/7
Read 7 tweets
Paul Melson Profile picture
21 May 20
THREAD for beginning malware/SOC analysts
When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.)
Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, $PSHome.
To de-obfuscate the rest of of the script, replace 'IEX' with 'Write-Host'. This general approach, replacing an execution command with a print/write command, works in basically all interpreted languages. In this case, the output is more obfuscated PowerShell.
Read 7 tweets
Paul Melson Profile picture
21 Aug 18
THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ
1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.
2. Open Python, import the base64 module, create a string of the original encoded script, and another string (step1) of the decoded script.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @pmelson has new unrolls!

Check out other threads from @pmelson!

Read all threads by @pmelson

:(