bf6eccdaafaace175f812183c11bc38af8d94bc6dadee4e83dcfd56ea6677f50
Source: Wild
Threat: LOLBin
Summary
Powershell is a Windows native command line interpreter. It is very commonly executed across most environments and a popular tool for both administrators as well as attackers.
EchoTrail Prevalence Score (EPS)
81.23
Rank Analysis
Host Prevalence
88.8%
Execution Rank
34,594th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32\WindowsPowerShell\v1.0
98.99 %
loading...
Top Network Ports
80
47.88 %
loading...
Ancestry Analysis
Top GrandParents
Top Parents
loading...
Top Children
Security Analysis
Intel
Powershell.exe is one of the most commonly used utilities built into Windows. Its uses are too numerous to capture here. With powershell behavior it can be difficult to distinguish between admin and attacker behavior. Attackers often use this tool because it is so powerful, but also because it is so common. Some of the indicators of attacker use are command line switches like –enc or HiddenWindow. While these are also used in legitimate cases, they are of typically of sufficient interest to look deeper at the surrounding context of powershell's use. Powershell Obfuscation: https://www.trustedsec.com/blog/circumventing-encodedcommand-detection-powershell/ e.g: powershell -window hidden -C "set-variable -name "LB" -value "-"; set-variable -name "I" -value "e"; set-variable -name "V" -value "c"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString() <base64_string> Powershell Execution Policy Bypass Techniques https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ Powershell alternatives to the traditional host info e.g. whoami: http://www.blackhillsinfosec.com/?p=5824 Base64 Decode To decode a base64 string on Mac: echo [base64string without brackets] | base64 –D To decode a base64 string on Windows: echo [base64string without brackets] > encoded.txt certutil -decode encoded.txt decoded.txt type decoded.txt Decode base64 in Powershell: PS > [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("encoded stuff goes here "))