TL;DR Base64 encoded commands in PowerShell and a corny IT Christmas carol
Merry Christmas and welcome to Part VII of our Back to the Basics Series!
Part I: NTDS.dit vs SAM
Part II: Ownership Matters
Part III: Recovering from a Crash
Part IV: Setting up a Simple Honeypot Account
Part V: Automating DC Deployment
Part VI: Sometimes it’s the dumbest thing
Part VII: Merry Christmas, macros, & Base64
Part VIII: Why old 0 Days make great teaching tools
Part XI: Windows Event Forwarding & SACLs
Part XIII: Setting up a simple honey token
Part XIV: Smartcards and Pass-the-Hash
I have seen a couple of cybersecurity courses mention attackers Base64-encoding PowerShell commands, but I had not seen them explain it well. We covered previously how malicious macros are still a threat and how to mitigate them. Attackers can write a macro that runs on document open and calls out to PowerShell to run a Base64-encoded command that reaches out to the Internet to download malware. That malware can then establish an encrypted outbound connection to the attacker’s C2 server. If they are sneaky and use port 443, it may slip right through the firewall because it looks much like ordinary HTTPS web browsing.
First things first, in the spirit of Christmas:
PowerShell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcATQBlAHIAcgB5ACAAQwBoAHIAaQBzAHQAbQBhAHMAIAB0AG8AIABTAGMAcgBpAHAAdABpAG4AZwBXAGkAZgBlACAAZgByAG8AbQAgAE0AaQBzAGgAawB5ACEAJwAgADsAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAA
If you don’t trust us enough to copy/paste that into your run command then I don’t blame you. I wouldn’t trust us either. Hence here at test.local we like to show our work, share how we did something, and not hoard information while saying “trust us bro”.
# The command to encode, written as an ordinary PowerShell one-liner
$MyCommand = "Write-Host 'Merry Christmas to ScriptingWife from Mishky!' ; Start-Sleep -Seconds 30"
# -EncodedCommand expects UTF-16LE ("Unicode" in .NET), not UTF-8, so convert to those bytes before Base64 encoding
$MyBase64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($MyCommand))
# The reverse step: Base64 back to bytes, then UTF-16LE bytes back to the readable command
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($MyBase64))
The variable $MyBase64 holds the encoded one-liner; copy/paste its value after -EncodedCommand to reproduce the encoded PowerShell above. $DecodedCommand is the reverse step, turning the Base64 back into readable PowerShell, which is exactly what a defender has to do when one of these turns up in a log.
I am not sure why this is a feature in Windows, but it is. I am also not sure who, other than attackers and hobbyists, ever actually uses it. It is something that defenders need to be aware of.
A corny IT Christmas carol
It’s an oldie but a goodie. We originally made this up before Christmas 2020 when we were first starting these lab projects and were doing one on Kerberoasting and mitigations.
Kerberoasting on an open fire
Attackers nipping at your NTLMv2
Security carols being sung by a SOC
And EC Council dressed up in black hoodies
Everybody knows a service account and a weak pwd
Help to make an attacker's night
Script kiddies with their eyes all aglow
Will find it easy to crack tonight
They know that Delpy's on his way
He's loaded lots of hacks and tricks on his mimikatz
And every wannabe leet is gonna pry
To see if vulnerable SPNs really are gonna fly
And so I'm offering this simple phrase
To admins from one to ninety-two
Although it's been preached endlessly
Follow security best practices dammit!
Be aware of phishing TTPs, macros, Base64, etc. Attackers are probably the only ones still using Visual Basic, but it will still run on document open in Office if you allow it.
Merry Christmas and stay safe!