mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

[New WTFBin]: SenseIR Executes Encoded PowerShell #43

Closed adamcysec closed 10 months ago

adamcysec commented 1 year ago

I've censored part of the base64 parameters as decoding the text would reveal sensitive info for my org.

senseir_powershell_script

```powershell
& {
    $OutputEncoding = [Console]::OutputEncoding = [System.Text.Encoding]::UTF8

    # Read-only handle on the downloaded script. It is never read from, but holding it open
    # with FileShare::Read denies other writers for the lifetime of this script block.
    $scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)

    # Integrity check: refuse to run the script unless its SHA-256 matches the pinned value.
    $calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.ps1' -Algorithm SHA256
    if (!($calculatedHash.Hash -eq 'c2c9226f709e38f67c4777b7a5e0c6a2c40ae87076b65a5a02e846419b3e4ef7')) {
        exit 323
    }

    # Everything from here on is captured to a transcript under the MDE Temp directory.
    Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.txt'

    # Dot-source the script, passing all of its parameters as one base64 blob that is
    # gzip-compressed (-IsCompressed True). Two spans of the blob are redacted by the reporter.
    . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.ps1' -ParamsAsBase64 0wIAAB+LCAAAAAAAAANMkMtyokAARf+FbaYj3XTTYFUWCKiooAQVcciigVYRAeURoyn/fRgzi1neqvs4db8FL2ZFwSut2tdCX/gOhVGbJqHQDwWRMsiosgM0JhxgFnOgiDwCSRzBCKuJzBIYCr9CwWbxIS249RPDmMRqFPNdIlPKZUKUzq7KiCc0iThElOAdS2j8f1QvO4a4Scui7jp+dxQG37H21IxYw6/s1tl █████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████BK8sYaI7KX7gjVtxbuj83HtsQ3vNSQ611cZzr1gI91P1iDqjS3J0bRidTv03JpKntFzm4Te1Hw+sT5J9i5+TvzRRV8fbd9e4NMiOy6xt3Gux8E6kjZzy/vaWUZ2N6eVd6rs8WJ9Vyb47F3m721Kp5MWkc3LthzNnEIp62BWZXwmN7a/tNfTyl5WvXfHEOXUi+ █████████████████████████████████████████████████████████████ /nMHV7GWDVLY/H9fHIDustF7jm3rpu60mVlvqkKwpR/f6clsPXb70SnWhk4OqBXD/AsmqpM0wz4lZbOe2VrBqkF3xsUZuLpqLBkE63LZuGmXBlu3z1vUdS1bEyfXtTXj8AQAA/8DACOv3o/TAgAA -IsCompressed True
}
```

59e5aaf4 commented 1 year ago

not sure it's wtf, that's how the RCE feature of their cloud-ish EDR is supposed to work. not pristine engineering, but how would you have it run custom powershell scripts & commands remotely without touching the disk ? (it's doable, but it's not my problem :D)

adamcysec commented 1 year ago

> not sure it's wtf, that's how the RCE feature of their cloud-ish EDR is supposed to work. not pristine engineering, but how would you have it run custom powershell scripts & commands remotely without touching the disk ? (it's doable, but it's not my problem :D)

I pointed out the .NET code because I don't see .NET code used often in PowerShell. `$scriptFileStream` uses .NET code to store a filestream, but then the filestream variable isn't used, so I don't fully understand why it's defined.

The more wtf feature is the encoded PowerShell parameters. Normally we see encoded PowerShell commands, but the script `PSScript_{76F8D82D-0DBC-45D2-B6DB-B948001BBB49}.ps1` actually defines a `-ParamsAsBase64` parameter and contains code to decode the b64 parameters passed to it. Note the boolean parameter `-IsCompressed` indicates the b64 parameters are also compressed.
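
Added example (not code from this repository, from the reporter, or from Microsoft's SenseIR): a small Python helper for an analyst who wants to decode a `-ParamsAsBase64` value lifted from ScriptBlockLogging (event 4104) or a command-line record. The first twelve visible base64 characters of the blob in the report, `0wIAAB+LCAAA`, decode to `d3 02 00 00 1f 8b 08 00 00`, that is a four-byte little-endian integer (0x2d3 = 723) followed by the gzip magic `1f 8b 08`; the helper relies only on that layout. Everything else is an assumption: that the integer is the length of the decompressed payload (the code merely reports whether it matched), that an `-IsCompressed False` blob keeps the prefix without the gzip stream, and the JSON payload, GUID and script path used as fixtures are constructed, not the censored real parameters.

```python
"""Decode / encode a -ParamsAsBase64 blob of the shape seen in the SenseIR script block.

Added example, not code from wtfbins or from SenseIR.  Observed: the blob starts with a
4-byte little-endian integer followed by a gzip stream.  Assumed: the integer is the
decompressed length, and an uncompressed blob keeps the same 4-byte prefix.
"""
from __future__ import annotations

import base64
import gzip
import re
import struct

GZIP_MAGIC = b"\x1f\x8b\x08"


def header_info(blob: str) -> tuple:
    """Decode only the first 12 base64 chars (9 bytes) and return
    (prefix integer, True if the gzip magic sits at offset 4).
    Works on a truncated or redacted blob, which may be all an analyst has."""
    head = base64.b64decode(blob[:12])
    return struct.unpack("<I", head[:4])[0], head[4:7] == GZIP_MAGIC


def decode_params(blob: str, compressed: bool = True) -> dict:
    """Full decode: prefix integer, payload bytes, and whether the prefix equalled the
    decompressed length (a sanity check on the length-prefix assumption)."""
    raw = base64.b64decode(blob, validate=True)
    prefix = struct.unpack("<I", raw[:4])[0]
    body = raw[4:]
    if compressed:
        if not body.startswith(GZIP_MAGIC):
            raise ValueError("IsCompressed True but no gzip header after the 4-byte prefix")
        payload = gzip.decompress(body)
    else:
        payload = body  # assumption: uncompressed blobs keep the prefix, no gzip stream
    return {"prefix": prefix, "payload": payload, "prefix_is_length": prefix == len(payload)}


def encode_params(payload: bytes, compressed: bool = True) -> str:
    """Inverse of decode_params, for building fixtures under the same assumptions."""
    body = gzip.compress(payload, mtime=0) if compressed else payload
    return base64.b64encode(struct.pack("<I", len(payload)) + body).decode("ascii")


# Matches the dot-source call from the script block as it would appear in logged script text.
PARAMS_RE = re.compile(
    r"-ParamsAsBase64\s+(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?:\s+-IsCompressed\s+(?P<compressed>True|False))?",
    re.IGNORECASE,
)


def extract_params(script_text: str) -> list:
    """Find every -ParamsAsBase64 argument in logged script text and decode it.
    Undecodable blobs (redacted, truncated, wrong layout) are reported, not raised."""
    found = []
    for m in PARAMS_RE.finditer(script_text):
        compressed = (m.group("compressed") or "True").lower() == "true"
        try:
            found.append(decode_params(m.group("blob"), compressed))
        except (ValueError, OSError, struct.error) as exc:  # binascii.Error, BadGzipFile
            found.append({"error": str(exc), "blob": m.group("blob")[:16]})
    return found


# Constructed sample (made-up parameter document, GUID and path; not the real blob).
SAMPLE_PAYLOAD = b'{"Command":"Get-Process","Arguments":["-Name","lsass"]}'
SAMPLE_SCRIPT = (
    ". 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection"
    "\\Downloads\\PSScript_{00000000-0000-0000-0000-000000000000}.ps1' "
    f"-ParamsAsBase64 {encode_params(SAMPLE_PAYLOAD)} -IsCompressed True"
)

if __name__ == "__main__":
    print(header_info("0wIAAB+LCAAA"))  # prefix of the blob in the report: (723, True)
    for hit in extract_params(SAMPLE_SCRIPT):
        print(hit)
```

Feed a real 4104 ScriptBlockText export to `extract_params`; the `prefix_is_length` flag tells you whether the length-prefix assumption held for that sample, and `header_info` is enough to confirm the layout even on the redacted blob in this report.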

mttaggart commented 10 months ago

Thanks for your patience! Added in d83a37e