Recently, a PowerShell script came across my lab and I thought it might be worthwhile showing others how to handle this type of payload. Many PowerShell frameworks exist that allow pen-testers and attackers alike to build payloads with ease. The two I see most often are:
- Cobalt Strike — https://www.cobaltstrike.com/
- PowerShell Empire — https://github.com/EmpireProject/Empire
The Script
So let’s just dive right in. What does a PowerShell payload look like?
When starting any malware analysis, I tend to look for low-hanging fruit. In this case, I see a few things that interest me:
- “[Byte[]]$mK = [System.Convert]::FromBase64String” followed by Base64-encoded text.
- “kernel32.dll VirtualAlloc” followed by: “$mK.Length,0x3000, 0x40”
- “kernel32.dll CreateThread”
- “kernel32.dll WaitForSingleObject”
What’s happening here is that the Base64-encoded payload is decoded into a byte array and assigned to the variable “$mK”. The script then calls the function “VirtualAlloc”, exported from “kernel32.dll”. If we take a look at the MSDN docs for this function, we can gain additional insight into its parameters:
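As an added example (not code from the original post), here is a small Python triage helper that checks a PowerShell script for exactly these four indicators (Base64-to-byte-array, VirtualAlloc with 0x3000/0x40, CreateThread, WaitForSingleObject) and carves out the Base64 blob so it can be hashed and handed to a shellcode analyzer; the embedded sample script is constructed, “Get-ProcAddress” in it is an assumed helper name, and its blob decodes to placeholder text.

```python
import base64
import binascii
import hashlib
import re

# Win32 constants the post calls out: 0x3000 = MEM_COMMIT|MEM_RESERVE,
# 0x40 = PAGE_EXECUTE_READWRITE. Together with CreateThread/WaitForSingleObject
# they form the classic in-memory shellcode loader pattern.
INDICATORS = {
    "base64_to_byte_array": r"\[Byte\[\]\][\s\S]{0,120}?FromBase64String",
    "virtualalloc_rwx": r"VirtualAlloc[\s\S]{0,200}?0x3000\s*,\s*0x40\b",
    "createthread": r"kernel32(\.dll)?\s+CreateThread",
    "waitforsingleobject": r"kernel32(\.dll)?\s+WaitForSingleObject",
}
BLOB_RE = re.compile(r"""FromBase64String\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")


def triage_script(text: str) -> dict:
    """Flag loader indicators in a PowerShell script and carve its Base64 blobs."""
    hits = {name: bool(re.search(pat, text, re.IGNORECASE))
            for name, pat in INDICATORS.items()}
    blobs = []
    for raw in BLOB_RE.findall(text):
        try:
            data = base64.b64decode("".join(raw.split()), validate=True)
        except binascii.Error:
            continue  # obfuscated or split blob: needs manual handling
        blobs.append({"size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(),
                      "data": data})
    return {"indicators": hits, "score": sum(hits.values()), "blobs": blobs}


# Constructed sample mirroring the pattern in the post; Get-ProcAddress is an
# assumed helper name and the blob decodes to placeholder text, not shellcode.
PLACEHOLDER = b"PLACEHOLDER BYTES, NOT SHELLCODE"
SAMPLE_SCRIPT = (
    '[Byte[]]$mK = [System.Convert]::FromBase64String("'
    + base64.b64encode(PLACEHOLDER).decode() + '")\n'
    "$va = Get-ProcAddress kernel32.dll VirtualAlloc\n"
    "$mem = $va.Invoke(0, $mK.Length, 0x3000, 0x40)\n"
    "$ct = Get-ProcAddress kernel32.dll CreateThread\n"
    "$h = $ct.Invoke(0, 0, $mem, 0, 0, 0)\n"
    "$wfso = Get-ProcAddress kernel32.dll WaitForSingleObject\n"
    "$wfso.Invoke($h, 0xFFFFFFFF)\n"
)

if __name__ == "__main__":
    report = triage_script(SAMPLE_SCRIPT)
    print(report["score"], report["indicators"])
    for b in report["blobs"]:
        print(b["size"], b["sha256"])
```

A script that only decodes Base64 for configuration data scores 0 here; all four indicators together are what point at an in-memory loader, so treat the score as a triage hint and still read the decoded bytes by hand.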