Decrypting PowerShell Payloads (video), (Mon, Nov 30th)
SANS Internet Storm Center, InfoCON: green 2020-11-30
PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, reflective DLL, …
And you've probably encountered malicious scripts with an encrypted payload, for example encrypted with AES.
In a video I created, I show how to decrypt a typical encrypted payload with my tools base64dump and translate.
The command I use in the video is:
base64dump.py -n 20 -s 2 -d example.ps1.vir | translate.py -e "keybase64 = b'zDYGjpptXWqJootb7OdcR/JaGJswRA3EywKlPTHHZMQ='" -s decrypt.py -f "Decrypt" | translate.py -f "GzipD"
The content of decrypt.py I use in the video is here:
from Crypto.Cipher import AES
from Crypto.Util import Padding
import binascii

# keybase64 is defined by the -e option of translate.py (see the command above)
def Decrypt(data):
    iv = data[0:16]          # the first 16 bytes of the payload are the AES-CBC IV
    ciphertext = data[16:]   # the remaining bytes are the ciphertext
    key = binascii.a2b_base64(keybase64)
    oAES = AES.new(key, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)   # strip the PKCS7 padding
This small script uses crypto functions from pycryptodome.
If you want to try for yourself, I shared the example PowerShell script on pastebin.
Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.