Merry Christmas from test.local!

Rich
3 min read · Dec 24, 2022

TL;DR Base64 encoded commands in PowerShell and a corny IT Christmas carol

Merry Christmas and welcome to Part VII of our Back to the Basics Series!

Part I: NTDS.dit vs SAM

Part II: Ownership Matters

Part III: Recovering from a Crash

Part IV: Setting up a Simple Honeypot Account

Part V: Automating DC Deployment

Part VI: Sometimes it’s the dumbest thing

Part VII: Merry Christmas, macros, & Base64

Part VIII: Why old 0 Days make great teaching tools

Part IX: PowerShell & PS1s without PowerShell.exe

Part X: Ownership & so called “effective permissions”

Part XI: Windows Event Forwarding & SACLs

Part XII: Poorly planned honeypots & other Bad Ideas

Part XIII: Setting up a simple honey token

Part XIV: Smartcards and Pass-the-Hash

Part XV: Forwarding logs to Sentinel & basic alerts

Background

I have seen a couple of cybersecurity courses mention attackers Base64 encoding PowerShell commands, but I had not seen them explain it well. We covered how malicious macros are still a threat and how to mitigate them previously. Attackers can write a macro that runs on document open and calls out to PowerShell to run a Base64 encoded command that reaches out to the Internet to download malware. This malware can then establish an encrypted outbound connection to the attacker’s C2 server. If they are sneaky and use port 443 it may slip right through the firewall, as it looks rather like HTTPS web browsing.

Base64 PowerShell

First things first, in the spirit of Christmas:

PowerShell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcATQBlAHIAcgB5ACAAQwBoAHIAaQBzAHQAbQBhAHMAIAB0AG8AIABTAGMAcgBpAHAAdABpAG4AZwBXAGkAZgBlACAAZgByAG8AbQAgAE0AaQBzAGgAawB5ACEAJwAgADsAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAA

If you don’t trust us enough to copy/paste that into your run command then I don’t blame you. I wouldn’t trust us either. Hence here at test.local we like to show our work, share how we did something, and not hoard information while saying “trust us bro”.

#https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
# The command to hide. -EncodedCommand expects Base64 of the UTF-16LE ("Unicode") bytes, not UTF-8.
$MyCommand = "Write-Host 'Merry Christmas to ScriptingWife from Mishky!' ; Start-Sleep -Seconds 30"
$MyBase64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("$MyCommand"))
# Print the encoded string; this is what goes after -EncodedCommand.
$MyBase64
# Round trip it to prove the encoding is reversible.
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$MyBase64"))
$DecodedCommand

The variable $MyBase64 holds the encoded ‘one liner’, so just copy/paste its value after -EncodedCommand to recreate the encoded PowerShell command above.

I am not sure why this is a feature in Windows, but it is. I am also not sure who, other than attackers and hobbyists, ever actually uses it. It is something that defenders need to be aware of.
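Since defenders mostly meet this feature in process-creation logs rather than in a run box, here is an added example (not the post’s own code) that reverses the transform over a few constructed command lines of the kind Sysmon Event ID 1 or Security Event ID 4688 record. It assumes the switch is written with a leading dash and that powershell.exe accepts -EncodedCommand, any leading prefix of it (-e, -enc), and the alias -ec; the first sample is the encoded string from this post, the rest are constructed.

```python
"""Find and decode PowerShell -EncodedCommand payloads in process command lines."""
import base64
import binascii
from typing import Optional

# The encoded string from this post, split for readability.
POST_ENCODED = ("VwByAGkAdABlAC0ASABvAHMAdAAgACcATQBlAHIAcgB5ACAAQwBoAHIA"
                "aQBzAHQAbQBhAHMAIAB0AG8AIABTAGMAcgBpAHAAdABpAG4AZwBXAGkA"
                "ZgBlACAAZgByAG8AbQAgAE0AaQBzAGgAawB5ACEAJwAgADsAIABTAHQA"
                "YQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAA")

def encode_command(command: str) -> str:
    """Same transform as the PowerShell snippet: UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str) -> Optional[str]:
    """Reverse the transform. -EncodedCommand requires UTF-16LE, so an odd byte
    count, invalid Base64 or control characters mean 'not an encoded command'."""
    blob = blob.strip("'\"")
    blob += "=" * (-len(blob) % 4)            # tolerate stripped padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    if not raw or len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if any(ch < " " and ch not in "\r\n\t" for ch in text):
        return None
    return text

def _is_encoded_switch(token: str) -> bool:
    """Assumption: -EncodedCommand, any prefix of it starting with 'e', or -ec."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name))

def find_encoded_commands(command_line: str) -> list:
    """Decoded commands for every '<switch> <blob>' pair in one command line."""
    tokens = command_line.split()
    found = []
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            decoded = decode_command(tokens[i + 1])
            if decoded is not None:
                found.append(decoded)
    return found

# Constructed sample command lines: the post's one-liner, an abbreviated switch with a
# harmless constructed payload, and an ordinary line whose -ExecutionPolicy must not match.
SAMPLE_COMMAND_LINES = [
    "PowerShell.exe -EncodedCommand " + POST_ENCODED,
    "powershell.exe -e " + encode_command("Get-Date"),
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
]

def scan(lines) -> dict:
    """Map each command line to the commands hidden in it (empty list when none)."""
    return {line: find_encoded_commands(line) for line in lines}

if __name__ == "__main__":
    for line, commands in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{line[:45]:<48} -> {commands}")
```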

A corny IT Christmas carol

It’s an oldie but a goodie. We originally made this up before Christmas 2020 when we were first starting these lab projects and were doing one on Kerberoasting and mitigations.

Kerberoasting on an open fire
Attackers nipping at your NTLMv2
Security carols being sung by a SOC
And EC Council dressed up in black hoodies

Everybody knows a service account and a weak pwd
Help to make an attacker's night
Script kiddies with their eyes all aglow
Will find it easy to crack tonight

They know that Delpy's on his way
He's loaded lots of hacks and tricks on his mimikatz
And every wannabe leet is gonna pry
To see if vulnerable SPNs really are gonna fly

And so I'm offering this simple phrase
To admins from one to ninety-two
Although it's been preached endlessly
Follow security best practices dammit!

Summary

Be aware of phishing TTPs, macros, Base64, etc. Attackers are probably the only ones still using Visual Basic, but it will still run on document open in Office if you allow it.

Merry Christmas and stay safe!

References

Obfuscation & Base64: https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.