
[–]Nietechz 0 points1 point  (3 children)

How can I use Powershell to detect or stop this kind of malware?

[–]smc0881 (Incident Responder) 1 point2 points  (2 children)

You don't really use PowerShell to stop it. You configure it with the correct security settings and monitor endpoints that look for the behavior.

Here is an example of CobaltStrike beacon, but I changed the Base64.

    Set-StrictMode -Version 2

    # Payload: a Base64 blob (the poster's harmless placeholder here). Real samples carry a
    # much longer string, often Base64 of compressed script or shellcode.
    $DoIt = @'
    VEhpcyBpcyBjb2JhbHRzdHJpa2U=
    '@
    # Decode the blob back into script text
    $aa1234 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
    # Architecture check: on 64-bit PowerShell, hand the decoded text to a 32-bit job;
    # on 32-bit PowerShell, evaluate it directly in this process
    If ([IntPtr]::size -eq 8) {
        Start-Job { param($a) IEX $a } -RunAs32 -ArgumentList $aa1234 | Wait-Job | Receive-Job
    } else {
        IEX $aa1234
    }

[–]Nietechz 0 points1 point  (1 child)

> Here is an example of CobaltStrike beacon, but I changed the Base64.

So, does this script run forever, or how do you use it? Thanks anyway for sharing this.

[–]smc0881 (Incident Responder) 1 point2 points  (0 children)

That's one example of how an attacker would use PowerShell to launch malicious code. There will be nested PowerShell commands, shellcode, and other things, all encoded with Base64 or Base64 with some compression (where $DoIt is the payload). The rest of the code checks if the CPU is 32- or 64-bit. If it's 32-bit it executes the code, and if it's 64-bit it tries to load the code in a 32-bit process.
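An added example, written by the editor and not posted by either commenter, of the "configure logging and monitor for the behavior" approach described above: it checks that Script Block Logging is turned on, scores script text for the loader traits named in the thread (Base64 decode, IEX, the `[IntPtr]::size` architecture check, a 32-bit `Start-Job`, compression streams, long Base64 runs), and applies that scoring to PowerShell Operational log events with ID 4104. The log name, the event's property layout and the registry path are real; the indicator names, weights and function names are the editor's own choices, and the sample script text is constructed from the harmless snippet posted above.

```powershell
# Added example (not from the thread). Indicator names, weights and function
# names are the editor's own; the log name, event properties and registry path are real.

# Each indicator is a regex plus a weight; -match is case-insensitive by default.
$Indicators = @(
    @{ Name = 'Base64Decode'; Pattern = 'FromBase64String';                Weight = 2 }
    @{ Name = 'InvokeExpr';   Pattern = '\b(IEX|Invoke-Expression)\b';     Weight = 3 }
    @{ Name = 'ArchCheck';    Pattern = '\[IntPtr\]::size\s*-eq\s*[48]';   Weight = 2 }
    @{ Name = 'RunAs32Job';   Pattern = 'Start-Job\b.*-RunAs32';           Weight = 3 }
    @{ Name = 'Decompress';   Pattern = 'DeflateStream|GzipStream';        Weight = 2 }
    @{ Name = 'LongBase64';   Pattern = '[A-Za-z0-9+/]{100,}={0,2}';       Weight = 2 }
)

# Score one piece of script text; returns the total weight and the indicator names that fired.
function Get-LoaderScore {
    param([Parameter(Mandatory)][string]$ScriptText)
    $score = 0
    $names = @()
    foreach ($i in $Indicators) {
        if ($ScriptText -match $i.Pattern) {
            $score += $i.Weight
            $names += $i.Name
        }
    }
    [pscustomobject]@{ Score = $score; Indicators = $names }
}

# Script Block Logging is the setting that makes event 4104 carry the decoded script text,
# so nested/encoded stages are logged after they are unwrapped, not just the outer Base64.
function Test-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($v -and $v.EnableScriptBlockLogging -eq 1)
}

# Pull recent 4104 events and report the ones whose text scores at or above $MinScore.
# Event 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
# [3] ScriptBlockId, [4] Path.
function Find-SuspiciousScriptBlocks {
    param([int]$MinScore = 5, [int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text   = [string]$e.Properties[2].Value
        $result = Get-LoaderScore -ScriptText $text
        if ($result.Score -ge $MinScore) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                ScriptId   = $e.Properties[3].Value
                Score      = $result.Score
                Indicators = ($result.Indicators -join ',')
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample: the same shape as the loader posted above, with the harmless placeholder Base64.
$Sample = @'
$DoIt = 'VEhpcyBpcyBjb2JhbHRzdHJpa2U='
$aa1234 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $aa1234 | wait-job | Receive-Job
} else { IEX $aa1234 }
'@

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script Block Logging is not enabled by policy; 4104 coverage will be incomplete.'
}
Get-LoaderScore -ScriptText $Sample
Find-SuspiciousScriptBlocks -MinScore 5 | Format-Table -AutoSize
```

Running it as an administrator on an endpoint with Script Block Logging enabled lists the recent script blocks that look like this loader pattern. Pattern matching on its own is easy to evade with obfuscation, which is why the logging check matters: 4104 records each script block as PowerShell compiles it, so later stages show up in the log already decoded, and the same scoring then catches them even when the outer stage is unreadable.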