Closed adamcysec closed 10 months ago
not sure it's wtf, that's how the RCE feature of their cloud-ish EDR is supposed to work. not pristine engineering, but how would you have it run custom powershell scripts & commands remotely without touching the disk ? (it's doable, but it's not my problem :D)
I pointed out the .NET code because I don't see .NET code used often in PowerShell. $scriptFileStream uses .NET code to store a filestream, but then the filestream variable isn't used, so I don't fully understand why it's defined.
The more wtf feature is the encoded PowerShell parameters. Normally we see encoded PowerShell commands, but script PSScript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.ps1 actually defines a -ParamsAsBase64 parameter and contains code to decode the b64 parameters passed to it. Note the boolean parameter -IsCompressed indicates the b64 parameters are also compressed.
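The -ParamsAsBase64 / -IsCompressed pattern described in the comment above, as an added example for analysts who want to inspect such parameters from script block logs. This is not code from the thread or from the SenseIR.exe script: the function names, the use of GZip as the compression format, and the sample parameter blob are all assumptions made here, so compare the decompression step against the real PSScript_*.ps1 before trusting its output.

```powershell
# Added example, not from the thread or from SenseIR.exe's own script.
# Mirrors the described pattern: a script parameter carrying base64 text,
# plus a flag saying the bytes are compressed. Assumption: GZip compression.

function ConvertTo-EncodedParams {
    # Builds a parameter blob the way the described script expects it,
    # so a constructed sample can be round-tripped for testing the decoder.
    param(
        [Parameter(Mandatory)] [string] $Params,
        [switch] $Compress
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Params)
    if ($Compress) {
        $outStream = [System.IO.MemoryStream]::new()
        # leaveOpen = $true so the MemoryStream survives disposing the GZipStream
        $gzip = [System.IO.Compression.GZipStream]::new(
            $outStream, [System.IO.Compression.CompressionMode]::Compress, $true)
        $gzip.Write($bytes, 0, $bytes.Length)
        $gzip.Dispose()          # flushes the gzip trailer into $outStream
        $bytes = $outStream.ToArray()
        $outStream.Dispose()
    }
    return [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedParams {
    # Decoder with the same parameter names the comment describes.
    # Use it on a blob copied from a PowerShell script block log (event 4104)
    # to see what was actually passed to the second script.
    param(
        [Parameter(Mandatory)] [string] $ParamsAsBase64,
        [switch] $IsCompressed
    )
    $bytes = [System.Convert]::FromBase64String($ParamsAsBase64)
    if ($IsCompressed) {
        $inStream  = [System.IO.MemoryStream]::new($bytes)
        $gzip      = [System.IO.Compression.GZipStream]::new(
            $inStream, [System.IO.Compression.CompressionMode]::Decompress)
        $outStream = [System.IO.MemoryStream]::new()
        $gzip.CopyTo($outStream)
        $gzip.Dispose(); $inStream.Dispose()
        $bytes = $outStream.ToArray()
        $outStream.Dispose()
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample (not real SenseIR data): a small JSON parameter set.
$sample  = '{"Command":"Get-Process","TimeoutSeconds":30}'
$blob    = ConvertTo-EncodedParams -Params $sample -Compress
$decoded = ConvertFrom-EncodedParams -ParamsAsBase64 $blob -IsCompressed

"Encoded blob : $blob"
"Decoded text : $decoded"
# The decoded text is often JSON; parse it to get at individual fields.
$decoded | ConvertFrom-Json | Format-List
```

If the decoded bytes come out as garbage, the blob was most likely produced with a different stream class (for example DeflateStream rather than GZipStream) or a different text encoding; swap those two assumptions before concluding the blob is corrupt.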
Thanks for your patience! Added in d83a37e
[System.IO.File]::Open() to read another Powershell script into memory for execution. The second Powershell script executed has its parameters passed in as base64 encoded text.

SenseIR.exe:

I've censored part of the base64 parameters as decoding the text would reveal sensitive info for my org.