Skip to content

Instantly share code, notes, and snippets.

@r00t-3xp10it

r00t-3xp10it/identify_offensive_tools.ps1

Last active August 26, 2024 07:04
Show Gist options
  • Save r00t-3xp10it/510a59a4053d15e62b0023dc4a192842 to your computer and use it in GitHub Desktop.
Save r00t-3xp10it/510a59a4053d15e62b0023dc4a192842 to your computer and use it in GitHub Desktop.
Download ZIP
identify possible ams1 detection strings in files
Raw
identify_offensive_tools.ps1
<#
.SYNOPSIS
Identify possible ams1 strings inside scripts
Author: @r00t-3xp10it
Tested Under: Windows 10 (19044) x64 bits
Required Dependencies: none
Optional Dependencies: none
PS cmdlet Dev version: v2.2.18
.DESCRIPTION
This cmdlet was written to detect suspicious ams1 strings in .ps1 or .psm1
scripts, helping developers identify which line of the script the malicious
string is in and to take the necessary steps to prevent further detections.
.NOTES
When scanning its advice to disable windows defender RealTime Protection.
All the strings contained in this script were found in diferent web forums
since microssoft oficial ams1 documentation until free open sources. This
script it will not make any heuristic\memory scans just a string search.
This project detects suspicious strings, large $variable names and count
the amount of special characters present inside script compared with the
number of script max lines then cmdlet does the math [is_suspicious_?]
.Parameter FileToScan
Script to scan full path
.Parameter LogFile
Switch that creates report logfile
.Parameter RateHigh
Switch to only display 'rate High' results
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1"
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -logfile
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -ratehigh
.INPUTS
None. You cannot pipe objects into identify_offencive_tools.ps1
.OUTPUTS
👁‍🗨 Detecting [ams1] malicious strings 👁‍🗨
File information
Total lines : 4183
File size : 277107
Current Time : 26/12/2023 04:15:54
Last access : 26/12/2023 04:15:51
File hash : 0E2044C484CD29FE8E16E15E4CD2D3765703BF7E042239D01E0C5C1B29DC6079
File to scan : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
🍳 Scanning file ..
Token : 1
DetectionRate : Critical
MaliciousString : IE`X
LineNumber : 4407
Token : 2
DetectionRate : Critical
MaliciousString : powershell -vers`ion 2
LineNumber : 3622 3632 3637 3654 3658 3664
Token : 3
DetectionRate : Critical
MaliciousString : ru`nas
LineNumber : 385 465 542 546 672 676 3343 3363 3458 3916
Token : 4
DetectionRate : Medium
MaliciousString : while($true)
LineNumber : 794 978 3103
🍳 File scanning report
=====================================================================================
Tokens found : 4
Urgent attention : 3
File total lines : 4183
Special characters : 9356 [`+&'] MaxAllowed:[7395]
Scan elapsed time : 00:02:06 ⏱️ 29 Friday 2023
File scanned : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
⚙️ recomendation
Its advice to obfuscate all high rate results found [3]
because System.Management.Automation.Amsi contains entry
http://bit.ly/System_Management_Automation_Engine_Runtime
⚙️ recomendation
Its advice to reduce the number of special characters
inside file like [`+&'] that reveal to forensics that
we are dealing with an heavily obfuscated file\script
URL:http://bit.ly/malicious-powershell-usage-detection
=====================================================================================
.LINK
https://github.com/r00t-3xp10it/redpill
http://bit.ly/malicious-powershell-usage-detection
http://bit.ly/System_Management_Automation_Engine_Runtime
https://docs.velociraptor.app/exchange/artifacts/pages/powershellmonitoring
https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$FileToScan="$pwd\identify_offensive_tools.ps1",
[switch]$RateHigh,
[switch]$LogFile
)
$TotalTokens = "321"
## Global variable declarations
$ErrorActionPreference = "SilentlyContinue"
$host.UI.RawUI.WindowTitle = "Identify_Offensive_Tools (IOT)"
write-host "👁‍🗨 Detecting [ams1] malicious strings 👁‍🗨`n" -ForegroundColor Green
$ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
$MaliciousKeywordsList = @(
"I@E'X",
"-e@n'c",
"-n'o@p",
"am@si",
"vi'r@us",
"key@log",
"tr@ojan",
"t@r'y'{",
"cm'd /@c",
"mal@ware",
"payl@oad",
"-b@x'o@r",
"revsh@ell",
"mimi@katz",
"t'r@y '{'",
"[email protected]'l",
"hashd@ump",
"Ad@d-Ty'pe",
"phi@sh@ing",
"-@enc@od'ed",
"DllI@mport",
"obfu@sca@te",
"imp@ers@onate",
"rever@sesh@ell",
"Exc@lus'ion@Path",
"reve@rse sh@ell",
"re@verse-she@ll",
"s@y'st@'emi@n'f@o",
"Ams@iSca'n@Bu'ff@er",
"in@vok'e-mim@ik'atz",
"-e@nco@de'dcom@ma'nd",
"Excl'us@ionP@roc'ess",
"In@vo'ke-Exp@ress'ion",
"la@z'[email protected]'x'@e a'l@l",
":@:A'd@m'ini@s'tr@a'to@r",
"re@d team@ing",
"ams@iu'ti@ls",
"ams'iIn@itFa'il@ed",
"keys@troke",
"buff@er ove@rflow",
"bru@tefo@rce",
"redte@am",
"red te@am",
"she@llcode",
"file@less",
"prive@sc",
"esca@late pri@vileges",
"passwo@rd guess@ing",
"gue@ss log@in",
"crede@ntial du@mp",
"passw@ord spr@aying",
"passwo@rd spr@ay",
"clea@rte@xt pas@swo'rds",
"rem@ote execut@ion",
"cre@ds du@mp",
"cre@denti@als du@mp",
"pass th@e ha@sh",
"pa@ss-the-h@ash",
"gol@den tic@ket",
"dump@ing the lsa@ss",
"dumpi@ng lsa@ss",
"du@mp ls'as@s",
"cache@d crede@n'tials",
"l@s'a secr@ets",
"cry@pt'o:@:sc'a@u't@h",
"impe'rso@nat@ing user",
"imper@so'nate us@er",
"im@pa'ck@et",
"ls@as's du@mp",
"pro@cdu@m'p",
"obfu@scated",
"obfu@scat@ion",
"pw@du@m'p",
"comm@and a@nd con@t'rol",
"drop@per",
"web sh@ell",
"we@bsh@ell",
"kerb@er'os re@la'y",
"spo@ofing",
"ele@va@te pr'ivi@lege",
"ab@use ele'va@tion",
"b@ypas@s u@a'c",
"ua@c b'ypa@ss",
"acce@ss tok@en man'ip@ula@ti'on",
"to@ken imp'ers@onation",
"tok@en the@ft",
"ev@ade pro@c@ess-mon@i'to@ring",
"bypa@ss pa@ss'wo@rd",
"vi@ctim ip",
"snif@fing",
"poi@soning",
"elev@ate pr'oc@ess pr@ivi'leg@es",
"ele'v@ate its pr@ivi'leg@es",
"by@pa'ss us@er acc@ou'nt con'tr@ol",
"po'we@rsh'ell -e@p 'by@pa@ss",
"po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s",
"R'u@be'[email protected]'x@e du@m'p",
"expl@oit",
"key@log@ger",
"sn@if@fer",
"pas@sw'ord cr@ack",
"pass@wo'rd hac@king",
"pa@ss'wo@rd bre@ac'h",
"pa's@swor@d at@ta'ck",
"pass@wo'rd st@e'al@er",
"by@pa'ss ant@ivi'rus",
"b'ru@te fo@r'ce",
"re@mo'te acc@e'ss",
"pa'ss@wo'rd ha@sh'ing",
"co@d'e inje@ction",
"key@st'ro@ke log@gi'ng",
"keyl@ogg'ing",
"pas@swor'd sni@ff'ing",
"ciph@er",
"coo@kie steal@ing",
"pas'sw@ord crac@king",
"enc@rypt'ion",
"pr@iv'ile@ge @es'cala@ti'on",
"k'ey log@gi'ng",
"pa'ss@word ha@rves@ting",
"ea've@sdr@oppi@ng",
"bru@te-fo'rc@ing",
"coo@ki'e the@ft",
"ref'lec@tion atta@ck",
"cr@yp'to atta@ck",
"smu@rfing",
"pin@g o'f de@a'th",
"crede@n'tial @th'eft",
"ke'yl@ogg'e@r in@stall@at'ion",
"has@hing",
"file@le@ss at@ta@ck",
"imp@er'sonati@on",
"file@le'ss ma@lwa're",
"payl'oa@d deliv@ery",
"an@tivi'rus @ev'as@ion",
"dat@a obfus@cation",
"l@da'p in@je'ction",
"dec@ry'ption",
"Defi@neD@yn'ami@cAssembly",
"Defi@ne@Dy'nam@icMo'dule",
"Def@i'ne@Ty'pe",
"Def@in'eC@onst'r@uc@tor",
"Cre@at'eTy@pe",
"Defi'ne@Lite@ral",
"Def@in'eE@num",
"Defin@eF'ie@ld",
"ILG@en'er@ator",
"Em'i@t",
"Unv@e'rifi@abl'eC@ode@Att'rib@ute",
"Defi@nePI'nvok@eMe'th@od",
"G@e'tS@tr'e@am";
"@Get@Ty'pes",
"Get@Ass@em'blies",
"Met@ho'ds",
"Ge@tCon'stru@ct'or",
"GetC@ons'tru@cto'rs",
"Ge'tDef@ault'Me@mb'ers",
"Ge@tEve@nt",
"GetE@ve'nts",
"Get@Fie'ld",
"Ge@tFie'lds",
"@Ge@tInt@er'face",
"GetInt@erf'aceMap",
"Ge@tIn'terf@aces",
"GetM@em'be@r",
"G'etM@emb@ers",
"Get@Met'ho@d",
"Get@Met'ho@ds",
"Ge@tN'es@te'dType",
"Get@Ne'st@ed@Ty'pes",
"Ge@tPr'ope@rt'ies",
"Ge@tPro'pe@rt'y",
"@In'vok@eMe'mb@er",
"Ma@k'eAr@ra'yTy@pe",
"Mak@eB'yR@efT@yp'e",
"Ma@ke'Ge@ne'ric@Type",
"Mak'eP@oin'te@rTyp'e",
"De'cl@ari'ngM@et'hod",
"Decl'ar@ing@Ty'pe",
"Ref@lec'ted@Ty'pe",
"Typ@eHa@nd'le",
"T@ype'In@iti'al@izer",
"Un'de@rlyi'ng@Syst'em@Type",
"In@te'rop@Se@rv'ic@es",
"All@oc'HG@lo'ba@l",
"Pt'rT@oSt'ru@ct@u're",
"St@ru'ct@ur'eToP@t'r",
"Fr@eeHG'lo@bal",
"In'tPt@r",
"Mem@ory'Str'e@am",
"Def@lat'eSt@r'ea@m",
"From@Ba'se6@4S'trin@g",
"Enc'od@e'dCo@mm'and",
"Byp'a@ss",
"ToB@a'se6'4S@tri'n@g",
"Exp@an'dS@tr@ing",
"GetP'ow@erS'he@ll",
"Op@enPr'oc@ess",
"Vi@rtu'alAl@loc",
"V'ir@tu@alF'r@ee",
"Writ@ePro'cessMe@mory",
"Crea@teU'serTh@r'ead",
"Cl@ose'Ha@n'dle",
"GetDe@le'g@ateF'orFun'cti@onP'oi@n@ter",
"ke@rn'el3@2",
"Cr@eat'eThr@e'ad",
"me'mc@py",
"Loa'dL@ib'ra@ry",
"GetM@od'ul@eHa'nd@le",
"Ge@tPr'ocA@dd@r'ess",
"Vir'tu@al@Prot'ec't",
"Fre@eLib'ra@ry",
"Re'a@dPr'oc@ess@Mem'ory",
"Cre'a@teRe'm@ot@eThr'ea@d",
"Ad@justT'ok@enP@ri@vil'eges",
"Wri@te@B'yt'e",
"Wri@teI@nt'32",
"O'penTh're@adT'ok@en",
"Pt@rT'oS@tri@ng",
"Ze@roFr'eeGlob@alA'llo@cU'ni@code",
"Op@en@Pr'oce'ssT'ok@en",
"Get@Tok'e@nInf'or@matio'n",
"Se@tTh're@a'dTo@k'en",
"Im'per@son'a@teLogg'edO'nUs@er",
"Rev'er@tT'oSe@lf",
"Ge@tLo'go'nS@ess@i'o@nData",
"Crea't@e'Proc@es'sW@ithTo'ke@n",
"Du'pli@cat'eTok@en'Ex",
"Op@en@Wi'nd@owSt'ati'o@n",
"Ope@nDe@s'ktop",
"@Min'i'Du@mpWr@it'eD'ump",
"A@dd'Sec@uri'tyPa@ck'age",
"Enu@me'r@at@eSecu'ri@tyPa'ck@ages",
"Ge@tPr@oce'ss@Ha'ndle",
"Dange'ro@usG@etH'an@dle",
"Get@As'yn@cK'ey@State",
"'Key@bo'ar@dS'ta@te",
"G@etFo're@grou@nd'Wi@ndow",
"Bin'di@ngFl'ag@s",
"No'n@Pu'bl@ic",
"Scr'ip@tBl'oc@kLog'gi@ng",
"Lo'gPi2peli'neEx@e@cuti'onDe@tails",
"P'rot@ect'edEv@en'tLo@gg'ing",
"while.*true",
"pow@ers'hell -@ve'rsi@on '2",
"Se'tVa@lue.*nu@ll,",
".Wr'it@e.*st,0,`$st.Len@gt'h",
"sc@ht'ask@s '/cr@eat'e",
"Se@t-M'pPr@e'fer@en'ce",
"Alw@ay'sIns@t@al'lEle@vat'ed",
"ru'n@as",
"Ad'd-Exf@il'trati@on",
"Ad@d-Pe'rs@ist'en@ce",
"@Ad'd-@RegB'ack@do'or",
"Ad'd-Sc@r'nSav@eBa'ck@doo'r",
"E@nab'le@d-'Dup@li'cat@eTo'k@en",
"Ge@t'-Key@strok'e@s",
"LS'ASe@cr'e@t",
"Ge't-Pa's@sHa's@h",
"'G@et-Re@gAl'way@sI'nst@all'Ele'va@t@ed",
"Ge@t-S'cre@en'shot",
"G'e@t-Ser@vi'ceUn'qu@oted",
"Ge't-@Syst'em",
"Get'-V@@ed'en@tial",
"In@vo'ke-B@yp'assU'AC"
"Inv@ok@e-Dl@lI'nj@ecti'o@n",
"In'vo@ke-M@imi@ki'tt@e'nz",
"Inv'ok@e-PS'I'nj@ec't",
"I@nv'ok@e-P'sEx@ec",
"I@nv@ok@e-'Ru@nA's"
"In@vo'ke-W@Scr'iptB@yp@as'sU@A'C",
"O'u@t-@Mini'd@um'p",
"Am@siB'yp@as's",
"ni@sh'a@ng",
"Inv'ok@e-S@he'll@Co'mm@and",
"@-dum'pc@r",
"SeI@mp'erso@na'te",
"SeDe'bu@gPri'vi@leg'e",
"cra@ck'map@ex'e@c",
"ls@ad'ump:':s@a'm",
"SEK'UR@LS'A:@:Pt'h",
"ke'r@ber'os:':p@tt",
"k'erb@ero's::go@ld'en",
"s@eku'rl@sa:':mi@nid'u@mp",
"sek'u@rls'a:@:log@o'nPas@s'wor@ds",
"to'ke@n:':el'ev@at'e",
"in@vok'e-@com'ma@nd",
"ru'ndl@l3'2@",
"ce'r@tu'ti@l",
"m@sh't@a",
"we'v@[email protected]'x'e' c@l'",
"S@hel'lE'xec@ut@e",
"sc s@to'p @Win@Defe'nd",
"@Rem'ove-@MpT'h're@at",
"s@'c s@top 'Se@n'se",
"a@@ms'i_d'is@ab@l'e",
"@lsa's'@@'s.e'x'e",
"we@vtu't@il @c'l'",
"a'msi@co@@n'text",
"@/sav'ecr@e'd",
"n'c.e'x'e",
"-@Scr'i@ptBl@oc'k",
"@Du'm@pS'A@M",
"@Du'm@p-S'A@M",
"@S-'1'-5-3@'2-5@4@'4",
"imp@e'rso@na'te@us@e'r:",
".do@w'nl@oa'ds@tr'i@ng'",
"Ex@cl'usi@onEx'ten@si@@on",
"sek@ur'l@s'a:@:tic@ke't@s",
"sy'st@em.@net'.w@ebc@li'e@nt",
"Mi@niDu@mp'Wi@thHa@ndl'eD@ata",
"Re@alTi@me'Pr@ot@ec'ti@on'En@ab'le@d",
"Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta",
"'Sys@t'em.@Man'age@me'nt.'Au@tom'at@io'n.",
"@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue",
"-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e",
"-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue",
"I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}",
"S@ys'tem.Run@tim'e.@Int'er@opSer'vi@ces@.'Ma@rs@ha'l",
"H@KL'M:\SO'FTW@A'RE\Mi@cr'os@oft\A'MS@I@\Pro'vi@de'rs",
"M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l",
"'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue"
)
## Rating strings
$HigthRate = "Mi@niDu@mp'Wi@thHa@ndl'eD@ata|Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta|sek@ur'l@s'a:@:tic@ke't@s|R'u@be'[email protected]'x@e du@m'p|cry@pt'o:@:sc'a@u't@h|.do@w'nl@oa'ds@tr'i@ng'|Ke@ybo@a'r'dSt@a'te|Dl@lIm'po@rt|la@z'[email protected]'x'@e a'l@l|'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue|M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l|G@e'tS@tr'e@am|we'v@[email protected]'x'e' c@l'|we@vtu't@il @c'l'|-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue|-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e|@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue|a'msi@co@@n'text|a@@ms'i_d'is@ab@l'e|po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s|S@hel'lE'xec@ut@e|'I@E'X@|-'e@n'c|-n'o@p|a'ms@i|c'md @/c'|mim@ik'at@z|A'dd@-T'y@p'e|-@en'c@od'ed|A@ms'iSc'an@Bu@f'fe@r|i'nv@o'ke-@mim'ik@a'tz|-'en@cod'edco@mm'and|In@vok'e-'Ex@pres'si@on|am'si@ut'il@s|ams'iI@ni'tFa@il@e'd|ls'a @se'cr@et@s|im'pac'@et|pr@ocd'u@mp|pw'd@um'p|by'pa@s@@s ua'@c|u'a@c by@p'a@ss|po@we'rsh@ell '-e@p by'pa@s's|Defi@neDy'namicAs@se'mbly|De'fi@neDyn'amic@Mo'du@le|De'fi@neT'yp@e|D@efi'neC@on'str@uc'tor|Cr@ea'teT@yp'e|De@fi@neLi'te@ra@l|D'ef@in'eEn@um|D@ef'in@eFi'el@d|I'LGe@ne'ra@tor|E@mi't|De'fi@nePIn@vok'eMet@ho'd|G@etT'yp@e's|Ge'tAs@se'mbli@es|Ge'tCo@nst'ru@c@tor|G@etC'onst'ru@ct'ors|Ge@tE'ven@t|G'e@tEv@e'nts|@Ge'tFi@el'd|G'etF@ie'l@ds|GetI'nte@rfa'ceM@ap|G'etIn@ter@f'ace|GetM@et'h@od|'Ge@tMe@tho@ds|G@etN'est@e'dTy@pe|GetN'est@edT'y@pe's|Ma@keA'rr@ayTy'p@e|Ma'keB@yRe'fTy@p'e|@Mak'eG@en'er@ic@T'y@pe|M@ak'ePoin'te@rT@y@pe|Dec@lar'ingMe@t'ho@d|Decl@@ari'ngTy'p@e|T@yp'eHa'nd@le|Typ'eIn@it'ia@li@z'er|Int'er@opSer'vi@c'es|Al'locH@Glo@b'a@l|'Pt@rT'oStr'uc@t'ur@e|St@ruc'tur@eT'oP@t'r|Fre@eH'Gl'ob@al|'I@ntP't@r|Memo'rySt@re'am|De@fla'teSt'r@eam|@Fro'mBa@s'e6@4S't@ri'ng|En'cod@edC'om'm@a@nd|'T@oBa'se6'4@@Str'in@g|Ope'nPro'c@ess|'V@ir't@ualA@ll'oc|Vir't@ualF'r@ee|Wr'it@ePro@ce'ssM'em@o'ry|Cre@at'eUs'erT@hr@e'ad|Clo@seHa'nd@le|ke'rn@el@3'2|GetD@ele'gateF'or@Fu'nct@io'nPo'int@e'r|@C're'a@teTh@r'ead|me'mc@p'y|Ge@tPr'oc@A'dd@@r@es's|Vir@tu@alPr'ot@e'ct|Rea'dPr@oc@essM'em@or'y|Cr@ea'teRe'moteTh@re'ad|@Wr'iteBy@t'e|Adj@us'tTok'en@Pr@ivi'leg@e's|Wr'it@eIn@t3'2@|Ope'nTh@re'adT@ok'en|P@trT'oStr'in@g|Ze@roFr'eeGl@obalA@ll'ocUn@ic'od@e|Op'enPr@oc'essT@o'ke@n|Ge@tTok'enIn@fo'rm@at'i@on|S@etT'hr@ea'dTok'e@n|Im@pe'rs@ona'teLo@gg'edOn@U's@er|@Re've@rtT'oS@e'l@f|Cr@ea'tePro@ce@s'sWi'thT@ok'en@|D'up@lic'ateT'ok@enE'x'|Ope'nWi@ndo'wSta@ti@o'n|Mi'niD@um'pWr@i'teD'um@p@|@G'etPr@oce'ssH@an'dl@e|Ge'tAs'yncK@eyS'ta@t'e|Ge@tKe'ybo@ar@dS@ta'te|@No@nPu'b@li@'c@|Pro'tec@te'dE've@ntL@og@g'in@g|pow'ers@hell @-'ve@rs'ion @@2'|@r@u'n'a@s|Se'tVa@lue.*nu@ll,|@sch@ta'sks@ '/@cr@e'at@e|Se@t-@M'pPref'er@e'nc@e|A'lw@ay'sInst@allE'lev'at@ed|Ad@d'-Ex@fil'tra@ti@on|@Ad@d-Pe'rs@is@t'en@ce'|Ad'd-@R'egBa@@ckd'o@o@r|A'dd@-'Sc@rnS'av@eBa'c@kd@oo'r|En'a@bl'ed-Du'plic@a'teTo@ke'n|Ge't-@Ke'yst@ro'k@e's|@LS'ASe@c're@t@|G'et-Pa'ssH@as'h@|Ge't-R@egA'lwa'ysIn@st@allE'lev@a't@e'd|@Get@-Se'rvi@ceU'nq@u'ote@d'|@Ge't-Sy@@s'te@'m|Ge@t-'Vau'ltCr@ede'nt@i'al|I'@nv'ok@e-@By'pa@@s's'U'@A'C@|Inv@o'ke-Dl@lI'nj@ec't@i@@o'n|@In@v'o'ke@-M'im@ik'it@t'e@@n'z|I'nv@oke-@P'SIn@je'c@t'|@'I@n'vo'k@e-Ps@E'x@e@@c|@In@v'ok@'@e-@R'u@nA'@s'@|@In@v'ok@'@e-W'Scr@ip'tBy@@pa's'sU@A'@C'|O'ut-Min'@id'um@p'|@Am'siB@ypa's@s|nish@a'ng|@-du'mp@cr|S@eImp'er@son'a@te@|S@eDe'bugP'r'i@vi@'@leg@e'|cr'a@ckm'ape@x'ec@|l@sad'u@mp:@:s'am'|S'EK@URL'SA:@:Pt'h@|ke@rbe'ro@s:':@pt't@|@kerb'e@ro's:@:go'l@d@@e'n|@sek'url@'@s'a:':min'id@u'm@@p'|se'kur@ls'a:@:@lo'gonPa@'ss@w@o'rds'|@tok@en:':el'ev@a't@e@|in'v@o'ke-@com'm@a'nd@|c'ert@ut@il|m'sh@t'a|sy'st@em'[email protected]'bcl@i'en@t''@|@Sy@st'em.@Man'ag@@e'men@t'.Au@t'oma@t'io@n.'@'|Sy'st@em'.@Ru'n@'@ti@m'e.'Inte@r'opServ@i'[email protected]'rsh@a'l'|HK@L'M@:\SO'FT@@WA'R'E\Micr@oso'ft@\A'M@@S'I@\Pro'vi@de'rs@'"
$MediumRate = "-b@x'o@r|I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}|while.*true|imp@e'rso@na'te@us@e'r:|Re@alTi@me'Pr@ot@ec'ti@on'En@able@d|.W@ri'te.*st,0,`$st.Le'ng@t'h|:@:A'd@m'ini@s'tr@a'to@r|Re@m'o@ve-@MpTh@r'e@at|-@Scr'i@ptBl@oc'k|Ex@cl'usi@onEx'ten@si@@on|Ex@clu'sio@nP'at@h|Exc@lu'sionPr@oc@e'ss|@Du'm@pS'A@M|@Du'm@p-S'A@M|@S-'1'-5-3@'2-5@4@'4|t@r'y'{|t'r@y '{'|s@y'st@'emi@n'f@o" -replace '(@|'')',''
## Internal
$ScanStartTimer = (Get-Date)
$HigthRate = $HigthRate -replace '(@|'')','' -replace '\\','\\'
$ScriptDescription = (Gci -Path "$FileToScan" -EA SilentlyContinue)
$MaliciousKeywordsList = $MaliciousKeywordsList -replace '(@|'')','' -replace '\\','\\'
If((Get-MpComputerStatus).RealTimeProtectionEnabled -match '^(True)$')
{
write-host "`n📛 Its advice to disable windows defender RealTime Protection.`n`n" -ForegroundColor Red
Start-Sleep -Seconds 2
}
If(-not(Test-Path -Path "$FileToScan" -EA SilentlyContinue))
{
write-host "📛 Not found: '$FileToScan'`n" -ForegroundColor Red
return
}
If(-not($FileToScan -imatch '(.ps1|.psm1)$'))
{
write-host "📛 This cmdlet only accepts [.ps1|.psm1] scripts" -ForegroundColor Red
write-host " filetoscan '" -NoNewline
write-host "$FileToScan" -ForegroundColor Green -NoNewline
write-host "'`n"
return
}
function Invoke-CountObfuscationChars ()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - 🔥 Count the number of special chars in script 🔥
.NOTES
This function flags has suspicious more than 8 [`+&'] special chars
for line. To find that value function multiples the number of lines
for 8 ( max special chars allowed for line == MaxCharsAcceptable )
#>
$MatchedString = 0
$RawCmdletData = (Get-content -Path "$FileToScan" -Raw)
## Regular expression pattern to match obfuscated chars
$RegexPattern = "[``+&\']"
## Count the number of obfuscated characters in the script
$Matches = [regex]::Matches($RawCmdletData, $RegexPattern)
$MatchedString = $Matches.Count
## Define how many chars is acceptable
# Only 8 special chars for line allowed!
# so we multiply the number of lines by 8 (max special chars allowed)
$ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
$MaxCharsAcceptable = ($ScriptSize * 8) -replace '(,\d*)$',''
If($MatchedString -gt $MaxCharsAcceptable)
{
echo "Rec" > "$Env:TMP\Recomendation.log"
write-host "Special characters : " -NoNewline
write-host "$MatchedString" -ForegroundColor Red -NoNewline
write-host " [" -NoNewline
write-host "``+&'" -ForegroundColor DarkYellow -NoNewline
write-host "] MaxAllowed:[" -NoNewline
write-host "$MaxCharsAcceptable" -ForegroundColor DarkYellow -NoNewline
write-host "]"
If($LogFile.IsPresent)
{
echo "[KO] Large number of [``+&'] chars detected: $MatchedString" >> "$pwd\identify_offencive_tools.log"
}
}
}
function Invoke-MaliciousVarsScan ()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - 🔥 Detect large $variables names inside script 🔥
.NOTES
Normally attackers use large $variable names has obfuscation, this
function flags has suspicious $variable names greater than 40 chars
#>
## Regex search - $VariableName( =|=)
$ScanMaliciousVars = (Get-Content -path "$FileToScan"|Select-String -Pattern '\$([a-zA-Z0-9_]*(\s=|=))')
ForEach($Item in $ScanMaliciousVars)
{
## Delete all chars after the = (equal) sign
$RawSuspicious = $Item -Split('=')|Select-Object -First 1
## Delete all chars before the $ (dollar) sign
$SuspiciousString = $RawSuspicious -replace '^(.*\$)',''
## Re-Construct string again for report output
$SanitizePath = "`$" + "$SuspiciousString" + "=" -join ''
If($SuspiciousString.Length -gt 40)
{
echo "Rec" > "$Env:TMP\SuspiciousVars.log"
write-host "Suspicious `$var= : " -NoNewline
write-host "$SanitizePath" -ForegroundColor Red
If($LogFile.IsPresent)
{
echo "[KO] Suspicious [$]var= $SanitizePath" >> "$pwd\identify_offencive_tools.log"
}
}
}
}
## Disclamer
$MsgBoxTitle = " Identify_Offencive_Tools (IOT)"
$MsgBoxText = "All the strings contained in this cmdlet list were found in diferent web sites since microssoft oficial documentation until free sources. This script it will not make any complicated scans, but it helps developers to review huge files for suspicious strings [ams1] and act accordingly.`n`nThis cmdlet uses color schemes to better identify string detection rates, it classify rate higth as red, rate medium as darkmagenta and rate low as yellow color."
powershell (New-Object -ComObject Wscript.Shell).Popup("$MsgBoxText",0,"$MsgBoxTitle",0+64)|Out-Null
## Header
$CurrentTime = (Get-Date).ToString()
$Tamanho = $ScriptDescription.Length
$SHA1 = (Get-FileHash "$FileToScan").Hash
$LastAccess = $ScriptDescription.LastAccessTime.ToString()
write-host "File information" -ForegroundColor DarkYellow
write-host "Total lines : $ScriptSize"
write-host "File size : $Tamanho"
write-host "Current Time : $CurrentTime"
write-host "Last access : $LastAccess"
write-host "File hash : $SHA1"
write-host "File to scan : " -NoNewline
write-host "$FileToScan" -ForegroundColor Green
If($LogFile.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Create logfile header function
#>
echo "Computer: $((Get-WmiObject Win32_OperatingSystem).CSName)" > "$pwd\identify_offencive_tools.log"
echo "$((Get-WmiObject Win32_OperatingSystem).Caption) - $((Get-WmiObject Win32_OperatingSystem).OSArchitecture)" >> "$pwd\identify_offencive_tools.log"
echo "Identify_Offencive_Tools - $CurrentTime" >> "$pwd\identify_offencive_tools.log"
echo "FileToScan: $FileToScan`n" >> "$pwd\identify_offencive_tools.log"
write-host "Logfile : " -NoNewline
write-host "$pwd\identify_offencive_tools.log" -ForegroundColor DarkYellow
}
write-host "`n`n🍳 Scanning file ... "
Start-Sleep -Seconds 2
$Hight = 0 ## Set counter to 0
$Counter = 0 ## Set counter to 0
ForEach($RawStringDetection in $MaliciousKeywordsList)
{
## Search for strings or regex inside file
$MatchedString = (Get-Content -Path "$FileToScan"|Select-String -Pattern "$RawStringDetection" -EA SilentlyContinue)
If($MatchedString -iMatch "$RawStringDetection")
{
If($RawStringDetection -imatch "$HigthRate")
{
$Conf = "Critical"
$ColorSet = "Red"
$Hight = $Hight + 1
}
ElseIf($RawStringDetection -imatch "$MediumRate")
{
$Conf = "Medium"
$ColorSet = "DarkMagenta"
}
Else
{
$Conf = "Low"
$ColorSet = "DarkYellow"
}
## Get file description
$Description = (Get-ChildItem -Path "$FileToScan"|Select-Object *)
$Name = $Description.PSChildName
$Line = $MatchedString.LineNumber
$Counter = $Counter + 1
If($RateHigh.IsPresent)
{
## Only display 'rate high'
If($ColorSet -match '^(Red)$')
{
## Output results OnScreen
If($RawStringDetection -match '.\*[^"]')
{
$RawStringDetection = $RawStringDetection -replace '.\*','($'
}
Else
{
$RawStringDetection = $RawStringDetection -replace '.\*','('
}
write-host "`nToken : $Hight"
write-host "DetectionRate : $Conf"
write-host "MaliciousString : " -NoNewline
write-host "$RawStringDetection" -ForegroundColor $ColorSet
write-host "LineNumber : $Line"
}
}
Else
{
## Display 'rate low,medium and high'
If($RawStringDetection -match '.\*[^"]')
{
$RawStringDetection = $RawStringDetection -replace '.\*','($'
}
Else
{
$RawStringDetection = $RawStringDetection -replace '.\*','('
}
write-host "`nToken : $Counter"
write-host "DetectionRate : $Conf"
write-host "MaliciousString : " -NoNewline
write-host "$RawStringDetection" -ForegroundColor $ColorSet
write-host "LineNumber : $Line"
}
## Logfile creation
If($LogFile.IsPresent)
{
If($RateHigh.IsPresent)
{
## Only store 'rate High'
If($ColorSet -match '^(Red)$')
{
echo "`nToken : $Hight" >> "$pwd\identify_offencive_tools.log"
echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
}
}
Else
{
## Store 'rate low,medium and high'
echo "`nToken : $Counter" >> "$pwd\identify_offencive_tools.log"
echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
}
}
}
}
If($Counter -eq 0)
{
write-host "🎖️ " -NoNewline
write-host "congratz, cmdlet didnt find any suspicious strings inside file."
Remove-Item -Path "$pwd\identify_offencive_tools.log" -Force
}
## Set output color based on rating
If($Counter -gt 0){$CColor = "Red"}Else{$CColor = "Green"}
If($Hight -gt 0){$SetColor = "Red"}Else{$SetColor = "Green"}
write-host "`n`n🍳 File scanning report" -ForegroundColor DarkYellow
write-host "====================================================================================="
write-host "Tokens found : " -NoNewline
write-host "$Counter" -ForegroundColor $CColor
write-host "Urgent attention : " -NoNewline
write-host "$Hight" -ForegroundColor $SetColor
write-host "File total lines : $ScriptSize"
## Invoke-CountObfuscationChars
Invoke-CountObfuscationChars
## Invoke-MaliciousVarsScan
Invoke-MaliciousVarsScan
$AllSettings = (Get-Date)
$ScanDay = $AllSettings.Day
$ScanYear = $AllSettings.Year
$DayOfTheWeek = $AllSettings.DayOfWeek
$ElapsTime = $(Get-Date) - $ScanStartTimer
$TotalTime = "{0:HH:mm:ss}" -f ([datetime]$ElapsTime.Ticks) ## Count the diferense between 'start|end' scan duration!
Write-Host "Scan elapsed time : $TotalTime ⏱️ $ScanDay $DayOfTheWeek $ScanYear"
Write-Host "File scanned : $FileToScan"
## Recomendations
If($Hight -gt 0)
{
write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
write-host " Its advice to obfuscate all high rate results found [" -NoNewline
write-host "$Hight" -ForegroundColor Red -NoNewline
write-host "]"
write-host " because " -NoNewline
write-host "System.Management.Automation.Amsi" -ForegroundColor DarkYellow -NoNewline
write-host " contains entry"
write-host " http://bit.ly/System_Management_Automation_Engine_Runtime"
}
If(Test-Path -Path "$Env:TMP\Recomendation.log")
{
write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
write-host " Its advice to reduce the number of special characters"
write-host " inside file like [" -NoNewline
write-host "``+&'" -ForegroundColor Red -NoNewline
write-host "] that reveal to forensics that"
write-host " we are dealing with an heavily obfuscated file\script"
write-host " URL: http://bit.ly/malicious-powershell-usage-detection"
}
If(Test-Path -Path "$Env:TMP\SuspiciousVars.log")
{
write-host "`n⚙️ recomendation" -ForegroundColor DarkYellow
write-host " Its advice to reduce the size of variable names to less than"
write-host " 40 chars because large variable names are used in obfuscation"
}
write-host "=====================================================================================`n`n"
Remove-Item -Path "$Env:TMP\Recomendation.log" -Force
Remove-Item -Path "$Env:TMP\SuspiciousVars.log" -Force
exit
@r00t-3xp10it
Copy link
Author

r00t-3xp10it commented Dec 22, 2023
edited
Loading

List Of Malicious Strings - 315 entries

   IEX
   -enc
   -nop
   amsi
   virus
   keylog
   trojan
   cmd /c
   malware
   payload
   revshell
   mimikatz
   amsi.dll
   -bxor
   hashdump
   Add-Type
   phishing
   -encoded
   DllImport
   obfuscate
   impersonate
   reverseshell
   ExclusionPath
   reverse shell
   reverse-shell
   AmsiScanBuffer   
   invoke-mimikatz
   -encodedcommand
   ExclusionProcess
   Invoke-Expression
   lazagne.exe all
   red teaming
   amsiutils
   amsiInitFailed
   keystroke
   buffer overflow
   bruteforce
   redteam
   red team
   shellcode
   fileless
   privesc
   escalate privileges
   password guessing
   guess login
   credential dump
   password spraying
   password spray
   cleartext passwords
   remote execution
   creds dump
   credentials dump
   pass the hash
   pass-the-hash
   golden ticket
   dumping the lsass
   dumping lsass
   dump lsass
   cached credentials
   lsa secrets
   crypto::scauth
   impersonating user
   impersonate user
   impacket
   lsass dump
   procdump
   obfuscated
   obfuscation
   pwdump
   command and control
   dropper
   web shell
   webshell
   kerberos relay
   spoofing
   elevate privilege
   abuse elevation
   bypass uac
   uac bypass
   access token manipulation
   token impersonation
   token theft
   evade process-monitoring
   bypass password
   victim ip
   sniffing
   poisoning
   elevate process privileges
   elevate its privileges
   bypass user account control
   powershell -ep bypass
   powershell -executionpolicy bypass
   Rubeus.exe dump
   exploit
   keylogger
   sniffer
   password crack
   password hacking
   password breach
   password attack
   password stealer
   bypass antivirus
   brute force
   remote access
   password hashing
   code injection
   keystroke logging
   keylogging
   password sniffing
   cipher
   cookie stealing
   password cracking
   encryption
   privilege escalation
   key logging
   password harvesting
   eavesdropping
   brute-forcing
   cookie theft
   reflection attack
   crypto attack
   smurfing
   ping of death
   credential theft
   keylogger installation
   hashing
   fileless attack
   impersonation
   fileless malware
   payload delivery
   antivirus evasion
   data obfuscation
   ldap injection
   decryption
   DefineDynamicAssembly
   DefineDynamicModule
   DefineType
   DefineConstructor
   CreateType
   DefineLiteral
   DefineEnum
   DefineField
   ILGenerator
   Emit
   UnverifiableCodeAttribute
   DefinePInvokeMethod
   GetTypes
   GetAssemblies
   Methods
   GetConstructor
   GetConstructors
   GetDefaultMembers
   GetEvent
   GetEvents
   GetField
   GetFields
   GetInterface
   GetInterfaceMap
   GetInterfaces
   GetMember
   GetMembers
   GetMethod
   GetMethods
   GetNestedType
   GetNestedTypes
   GetProperties
   GetProperty
   InvokeMember
   MakeArrayType
   MakeByRefType
   MakeGenericType
   MakePointerType
   DeclaringMethod
   DeclaringType
   ReflectedType
   TypeHandle
   TypeInitializer
   UnderlyingSystemType
   InteropServices
   AllocHGlobal
   PtrToStructure
   StructureToPtr
   FreeHGlobal
   IntPtr
   MemoryStream
   DeflateStream
   FromBase64String
   EncodedCommand
   Bypass
   ToBase64String
   ExpandString
   GetPowerShell
   OpenProcess
   VirtualAlloc
   VirtualFree
   WriteProcessMemory
   CreateUserThread
   CloseHandle
   GetDelegateForFunctionPointer
   kernel32
   CreateThread
   memcpy
   LoadLibrary
   GetModuleHandle
   GetProcAddress
   VirtualProtect
   FreeLibrary
   ReadProcessMemory
   CreateRemoteThread
   AdjustTokenPrivileges
   WriteByte
   WriteInt32
   OpenThreadToken
   PtrToString
   ZeroFreeGlobalAllocUnicode
   OpenProcessToken
   GetTokenInformation
   SetThreadToken
   ImpersonateLoggedOnUser
   RevertToSelf
   GetLogonSessionData
   CreateProcessWithToken
   DuplicateTokenEx
   OpenWindowStation
   OpenDesktop
   MiniDumpWriteDump
   AddSecurityPackage
   EnumerateSecurityPackages
   GetProcessHandle
   DangerousGetHandle
   GetAsyncKeyState
   KeyboardState
   GetForegroundWindow
   BindingFlags
   NonPublic
   ScriptBlockLogging
   LogPi2pelineExecutionDetails
   ProtectedEventLogging
   while($true)
   powershell -version 2
   SetValue($null$true)
   .Write($st0$st.Length)
   schtasks /create
   Set-MpPreference
   AlwaysInstallElevated
   runas
   Add-Exfiltration
   Add-Persistence
   Add-RegBackdoor
   Add-ScrnSaveBackdoor
   Enabled-DuplicateToken
   Get-Keystrokes
   LSASecret
   Get-PassHash
   Get-RegAlwaysInstallElevated
   Get-Screenshot
   Get-ServiceUnquoted
   Get-System
   Get-Vedential
   Invoke-BypassUAC
   Invoke-DllInjection
   Invoke-Mimikittenz
   Invoke-PSInject
   Invoke-PsExec
   Invoke-RunAs
   Invoke-WScriptBypassUAC
   Out-Minidump
   AmsiBypass
   nishang
   Invoke-ShellCommand
   -dumpcr
   SeImpersonate
   SeDebugPrivilege
   crackmapexec
   lsadump::sam
   SEKURLSA::Pth
   kerberos::ptt
   kerberos::golden
   sekurlsa::minidump
   sekurlsa::logonPasswords
   token::elevate
   invoke-command
   rundll32
   certutil
   mshta
   wevtutil.exe cl
   ShellExecute
   sc stop WinDefend
   Remove-MpThreat
   sc stop Sense
   amsi_disable
   lsass.exe
   wevtutil cl
   amsicontext
   /savecred
   nc.exe
   DumpSAM
   Dump-SAM
   S-1-5-32-544
   -ScriptBlock
   impersonateuser:
   .downloadstring
   ExclusionExtension
   sekurlsa::tickets
   system.net.webclient
   MiniDumpWithHandleData
   RealTimeProtectionEnabled
   MiniDumpWithProcessThreadData
   Invoke-WebRequest ("{0}?url={1}" -f
   System.Management.Automation.
   -DisableIOAVProtection $true
   -DisableRealtimeProtection $true
   -DisableRealtimeMonitoring $true
   System.Runtime.InteropServices.Marshal
   HKLM:\SOFTWARE\Microsoft\AMSI\Providers
   MpCmdRun.exe -RemoveDefinitions -All
   -DisableIntrusionPreventionSystem $true

Oficial list
https://github.com/PowerShell/PowerShell/blob/7dc4587014bfa22919c933607bf564f0ba53db2e/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1831-L1968

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment