Challenge accepted!
My first attempt was to use EncodedCommand, but I wasted a bunch of time and gave up, lol. It has to be what I would say is a non-standard base64 encoding to execute. I didn't find that out until I was a few hours in! Trying to find an easy way to encode never panned out; even the great CyberChef failed me.
So I couldn't run PS scripts outright and didn't have time for EncodedCommand (I'm sure I was just doing something wrong), so I moved on to Invoke-Expression (IE).
M$ says, "The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without Invoke-Expression, a string submitted at the command line is returned (echoed) unchanged."
So we can use IE to execute any string. First I tried to just put my script in a variable, but PS never liked it; I think the line breaks or some char was messing it up. Then I looked at reading a file and putting it into a variable. So I base64 encoded the text from my script and used [Convert]::FromBase64String to decode it, then wrote it to a file in C:\Users\Public\ because I couldn't be sure what user context it was going to write in, so I bet on low privileges. Then I used Get-Content -Raw to pull it into a variable, passed it to IE and Whammy! It worked. The most complicated process I could come up with to bypass Cylance PS script blocking :)
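A defender-side triage helper, added here as an example and not code from the original post: it expands an -EncodedCommand argument the way PowerShell reads it (base64 of UTF-16LE text) and then looks for the chain described above (FromBase64String, a file in C:\Users\Public, Get-Content -Raw, Invoke-Expression) in constructed sample command lines. The function names, file name and sample lines are hypothetical; the indicators themselves come from the post.

```python
import base64
import binascii
import re

# Constructed sample command lines (not from the original post), modelled on the
# chain it describes: base64 -> FromBase64String -> file in C:\Users\Public ->
# Get-Content -Raw -> Invoke-Expression. Paths and names here are hypothetical.
ENCODED_SCRIPT = "iex (Get-Content -Raw C:\\Users\\Public\\s.ps1)"
SAMPLE_CMDLINES = [
    'powershell.exe -nop -c "$b=[Convert]::FromBase64String($x);'
    "[IO.File]::WriteAllBytes('C:\\Users\\Public\\s.ps1',$b);"
    'iex (Get-Content -Raw C:\\Users\\Public\\s.ps1)"',
    # -EncodedCommand expects base64 of UTF-16LE text, the encoding the post ran into.
    "powershell.exe -EncodedCommand "
    + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode(),
    'powershell.exe -Command "Get-ChildItem C:\\Temp"',  # benign control line
]

INDICATORS = {  # each is weak on its own; the chain together is the signal
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "raw_file_read": re.compile(r"Get-Content\s+-Raw", re.I),
    "world_writable_dir": re.compile(r"C:\\Users\\Public", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob):
    """Decode a base64 argument the way -EncodedCommand reads it (UTF-16LE),
    falling back to UTF-8 for blobs made from plain bytes. Returns None if invalid."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # The right guess yields plain ASCII script text; the wrong one NULs or CJK.
        if all(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text):
            return text
    return None


def analyse_cmdline(cmdline):
    """Expand an encoded argument, then match the chain against visible plus decoded text."""
    match = ENCODED_ARG.search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}
```

Run it over 4688 process-creation or 4104 script-block text and the second sample shows why decoding matters: the raw command line carries no indicator at all until the blob is expanded.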
Enjoy the 1's and 0's