Friday, October 23, 2020

Another AV Bypass

I was going to release this in January 2020, but thought that I probably shouldn't. I notified the vendor. The AV vendor doesn't consider this a bypass. But that AV vendor is using signatures, and this might be able to bypass those for a while.

This AV vendor blocks execution of encoded PowerShell commands, or so they thought. I used to see many powershell -e, -enc, or -encodedcommand attempts in my logs, but then I stopped seeing them as often as AV vendors got wise to this method of attack. So, I thought, is there a way to run encoded commands without using -e, -enc, or -encodedcommand?

This isn't sophisticated by any means, but it works for now for this specific vendor.

# Runs whoami. The Base64 is decoded in-process and the plaintext is handed to
# powershell.exe, so no -e/-enc/-encodedcommand flag ever appears on the command line.
$evilencodedcommand = "d2hvYW1p"
$evilcommand = [System.Convert]::FromBase64String($evilencodedcommand)
$decodedevilcommand = [System.Text.Encoding]::ASCII.GetString($evilcommand)
powershell.exe $decodedevilcommand
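From the detection side, the lesson of the snippet above is that a rule keyed only on the -e/-enc/-EncodedCommand flag never sees this variant, because the Base64 is decoded inside the script and the plaintext is what reaches powershell.exe. The example below is added here and is not code from the original post: it runs two rules over a handful of constructed log entries (process command lines of the kind Sysmon Event ID 1 records, and script text of the kind PowerShell Script Block Logging, Event ID 4104, records). The first rule matches any accepted prefix of -EncodedCommand and decodes its UTF-16LE payload; the second fires on script text that calls FromBase64String and decodes any Base64 string literal it finds, so an analyst sees the plaintext either way. The sample entries and the rule names are constructed for this example.

```python
"""Detect encoded PowerShell, with and without the -EncodedCommand flag.

Added example, not from the original post. The log entries below are
constructed samples, not real telemetry.
"""
import base64
import re

# Constructed sample entries: command lines (Sysmon EID 1 style) and
# script block text (PowerShell EID 4104 style).
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -EncodedCommand dwBoAG8AYQBtAGkA",
    "powershell.exe -enc dwBoAG8AYQBtAGkA",
    '$c = [System.Convert]::FromBase64String("d2hvYW1p")\n'
    "$d = [System.Text.Encoding]::ASCII.GetString($c)\n"
    "powershell.exe $d",
    "powershell.exe -NoProfile -ExecutionPolicy Unrestricted -File C:\\scripts\\backup.ps1",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ...). Longest prefix first so the alternation is greedy.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_FLAG = re.compile(
    r"(?<!\S)-(?:" + _PREFIXES + r")\s+([A-Za-z0-9+/]{4,}={0,2})(?!\S)",
    re.IGNORECASE,
)

# Rule 2: script text that decodes Base64 itself. Any quoted Base64-looking
# literal in such text is a decoding candidate.
FROM_B64 = re.compile(r"FromBase64String", re.IGNORECASE)
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{4,}={0,2})["']""")


def _decode(b64: str, encoding: str):
    """Return the decoded text if b64 is valid and fully printable, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        text = raw.decode(encoding)
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan(entry: str):
    """Apply both rules to one log entry and return a list of findings."""
    findings = []
    for m in ENCODED_FLAG.finditer(entry):
        # -EncodedCommand payloads are always UTF-16LE.
        decoded = _decode(m.group(1), "utf-16-le")
        findings.append({"rule": "encoded_command_flag", "decoded": decoded})
    if FROM_B64.search(entry):
        for m in B64_LITERAL.finditer(entry):
            # An inline decoder picks its own encoding; try ASCII first, since
            # UTF-16LE bytes contain NULs and fail the printable check, while
            # ASCII bytes would decode to plausible-looking UTF-16LE garbage.
            payload = m.group(1)
            decoded = _decode(payload, "ascii") or _decode(payload, "utf-16-le")
            findings.append({"rule": "inline_base64_decode", "decoded": decoded})
    return findings


def scan_all(entries):
    """Map each entry that produced findings to those findings."""
    results = {}
    for entry in entries:
        findings = scan(entry)
        if findings:
            results[entry] = findings
    return results


if __name__ == "__main__":
    for entry, findings in scan_all(SAMPLE_LOGS).items():
        print(entry.splitlines()[0], "->", findings)
```

The fourth sample is there as a control: -ExecutionPolicy begins with "-e" too, so a rule that only looks for "-e" followed by anything would fire on ordinary administration; requiring whitespace after the flag and a Base64-shaped token after that keeps it quiet. The second rule only works if script block text is actually being collected, which is the practical takeaway: the command line alone is not enough to catch the flag-less form.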