Powershell.exe -^e^C^ ZQBjAGgAbwAgACIAVwBpAHQAYwBoACIA

There are well over 100,000 variations possible by using combinations of these methods for the “EncodedCommand” parameter alone. Keeping that in mind, I came up with the below regex that gave decent coverage to the possible variants and could easily be applied to a huge corpus of dynamic analysis reports.

Now, it’s no surprise, but the majority of the encoded data is clearly generated from templates and public tools - attackers aren’t re-inventing the wheel every time they need to run shellcode or download another malicious file. This is evidenced by the fact that the underlying code is almost identical, with just slight adjustments to download locations and the like.

To try and perform analysis on the data, then, I needed to try and identify the code and attempt to determine what generated the code, or at minimum attempt to cluster the code into like buckets.

To illustrate some of the difficulties involved with this, back in 2012 Matthew Graeber published a blog post about a PowerShell script he put together that could load shellcode into memory and execute it. This script has been the cornerstone template for this technique, being used in most public tools that seek to use this functionality. Following are two iterations of the technique from the TrustedSec tools Social-Engineer Toolkit (SET) and Magic Unicorn.

If you compare the two samples, you’ll see that SET uses “$c” whereas Magic Unicorn uses “$nLR” for the initial variable.
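The switch variants and the template bucketing described above, as an added example that is not code from the original post: the regex, the marker list and the sample lines (including the two skeleton scripts) are my own constructions, and the "$c"/"$nLR" check is only the heuristic the post suggests.

```python
import base64
import re

# Any accepted spelling of the switch (-e, -ec, -en ... -encodedcommand), any
# case, '-' or '/', and cmd.exe '^' escapes anywhere (cmd.exe strips them first).
def _prefix_pattern(word):
    # Nested optional groups: any prefix of `word`, carets allowed between letters.
    pat = ""
    for ch in reversed(word):
        pat = r"(?:\^*" + ch + pat + ")?"
    return pat

ENCODED_CMD_RE = re.compile(
    r"(?<!\S)[-/]\^*e(?:\^*c|" + _prefix_pattern("ncodedcommand") + r")"
    r"\^*\s+[\'\"]?([A-Za-z0-9+/=^]+)",   # payload; carets may sit inside it too
    re.IGNORECASE,
)

def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no usable encoded payload is found."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1).replace("^", "")
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")    # -EncodedCommand payloads are UTF-16LE
    except ValueError:                    # bad base64 or odd-length UTF-16
        return None

# Bucket by the initial variable each rendition of Graeber's template uses
# ("$c" in SET, "$nLR" in Magic Unicorn); a heuristic, nothing more.
TEMPLATE_MARKERS = [("Magic Unicorn", re.compile(r"\$nLR\b")),
                    ("SET", re.compile(r"\$c\b"))]

def bucket_template(script):
    for name, rx in TEMPLATE_MARKERS:
        if rx.search(script):
            return name
    return "unknown"

def _encode(script):                      # the form powershell -e expects
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples, not real captures: the post's caret example, a skeleton
# with each tool's initial variable, and a line with no encoded command at all.
SAMPLES = [
    "Powershell.exe -^e^C^ ZQBjAGgAbwAgACIAVwBpAHQAYwBoACIA",
    "powershell -nop -w hidden -EncodedCommand " + _encode('$c = @"\n[DllImport("kernel32.dll")]\n"@'),
    'POWERSHELL /en "' + _encode("$nLR = @'\nplaceholder\n'@") + '"',
    "powershell -ExecutionPolicy bypass -File run.ps1",
]
```

Running `decode_encoded_command` and then `bucket_template` over each command line pulled from a report gives the like-bucket the post describes; the first sample decodes to `echo "Witch"`.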