PowerShell introduction
Powershell is an early alternative scripting language for VBScript, and it is also a shell command line execution window. The reason why Microsoft initially went out with PowerShell was to provide automated management tools for administrators. In mid-2016, Microsoft took a step that it would never have thought of before, and completely open sourced Windows PowerShell.
Why pay attention to Powershell?
1. GUI cannot bring efficiency improvement.
2. Other scripting languages always have various shortcomings.
3. More and more products and components in Windows systems have adopted PowerShell
Today's anti-virus products are quite good at detecting malicious files on disk; however, if they want to detect malicious code that only exists in memory, they often get half the effort. The volatile and dynamic nature of memory makes it easy for malware to change its form; at the same time, it can run freely without any anti-malware technology detection. Powershell because of its powerful functions and no files to execute in the memory, so inFileless attackThe attack method in Powershell is very popular. For example: PowerGhost, it was discovered in 2018 that it used the Powershell fileless method to attack the infected mining and DDOS virus. In November this year, Sangfor revealed the mining virus organized by MSASCMiner and so on.
PowerShell parameters
Use in Windows cmd command windowpowershell -hCommand can easily view the usefulness of the parameters.
Parameters often used in Powershell script attacks:
Nologo means to hide the copyright mark at
startup NoProfile does not use the user profile
NonInteractive does not display interactive prompts to the user
ExceptionPolicy execution strategy is generally bypass
WindowsStyle is generally Hidden
enc is the host of encode The default refers to base64 encoding and encryption.
Deobfuscation and decryption of PowerShell
The logic of de-obfuscation and beautification : When
encountering "$;", a new line is required.
If the variable name after $ only appears once, then delete and change the line (to obfuscate useless variable names) When
encountering {and }, new line encounters the second { Indented by 2 spaces and
finally converted to lowercase letters (part of the code may be affected and cannot be executed, but it is convenient to observe)
This can make messy powershell scripts beautiful and easy to review. You can also write a python.
The most commonly used powershell is base64 encoding and decryption, BASE64 encryption and decryption.
This website is more suitable for encrypting and decrypting the base64 encoding and decoding of powershell.
PowerShell debugging
You need to turn off the execution policy restriction before debugging:
set-executionpolicy remotesigned
or
set-executionpolicy unrestricted
Windows Defender needs to be turned off after Win10
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /d 1 /t REG_DWORD /f
There are two debugging methods: ISE debugging and VSCode debugging. In contrast, VScode debugging is more flexible because it canAdd code when debugging, the displayed variables are more convenient.
Mastering some of the syntax of powershell will be very helpful when encountering some complicated script-like viruses. I recommend a "Windows PowerShell Practical Guide 2nd Edition"
Use VSCode to debug powershell can refer to
https://blog.csdn.net/m0_37552052/article/details/108978935
Decryption of PowerShell
1. Join usage
Here are three examples of string concatenation using -join:
PS C:> -join ("Windows","Powershell","5.0")
WindowsPowershell5.0
PS C:> "Windows","Powershell ","5.0" -join ""
Windows Powershell 5.0
PS C:> $x = "Wind","sP","ershell"
PS C:> $x -join "ow"
WindowsPowershell
2. The deformation of IEX
((GV ' mDR ').nAMe[3,11,2]-jOin'') is iex
3. Directly output to txt in powershell command
[System.IO.File]::WriteAllBytes("C:\OUT", $var_code)
output the powershell running result to txt
references
https://blog.csdn.net/m0_37552052/article/details/108978935