Challenge link: https://app.letsdefend.io/challenge/powershell-script
Let's explain some of the PowerShell parameters.
-NoP: This parameter stands for "NoProfile." It tells PowerShell not to load the user's profile (profile scripts) when starting. This can be useful for running scripts without interference from user-specific settings.
If you type $profile in PowerShell, it shows you the path of the current user's profile script, as in the screenshot above. This script is loaded and run when you launch powershell.exe.
In other words, a PowerShell profile is a script that runs automatically when you start a PowerShell session.
This profile can contain various PowerShell commands and settings. They are often used to customize the environment, load specific modules, define aliases, set environment variables, and perform other tasks that affect the behavior and appearance of the PowerShell session.
The -NoProfile parameter is used when launching PowerShell to prevent the automatic execution of the user-specific profile scripts (such as the $PROFILE script) during session startup.
-NonI: This parameter stands for "NonInteractive." It instructs PowerShell not to run in interactive mode, which means it won't present prompts or wait for user input.
-W Hidden: -W is short for -WindowStyle, and Hidden sets the window style so that the PowerShell window is not visible to the user while the command runs.
-Enc: Short for -EncodedCommand. It indicates that the following text is Base64-encoded PowerShell code, which PowerShell decodes and executes.
-Sta: Single-Threaded Apartment (STA) in COM: In the context of COM (Component Object Model), certain objects and components are designed to be used in a single-threaded apartment. A single-threaded apartment is a threading model where COM objects are accessed by a single thread at a time. This ensures that the objects are accessed in a thread-safe manner, preventing potential issues related to concurrent access.
-sta parameter in PowerShell: The -sta parameter is used when starting a PowerShell session to specify that the session should use a single-threaded apartment for COM objects. When this parameter is included, PowerShell runs in STA mode, ensuring that COM objects are accessed in a thread-safe manner.
What happens if you don't use -sta: If you don't use the -sta parameter when running PowerShell, it runs in the default threading mode, known as MTA (Multi-Threaded Apartment). In MTA mode, PowerShell allows multiple threads to access COM objects concurrently, which is not suitable for COM objects that require an STA.
If you omit -sta when working with STA-requiring COM objects, you may encounter various issues, including:
- Threading Violations: Accessing COM objects in a way that violates their threading model can lead to errors, crashes, or unpredictable behavior.
- Race Conditions: Multiple threads trying to access the same COM object simultaneously can result in race conditions and data corruption.
- Deadlocks: Deadlocks can occur when multiple threads block each other from completing their tasks.
To avoid these issues and ensure proper interaction with STA-requiring COM objects, it's essential to use the -sta parameter when starting PowerShell sessions in such scenarios.
OK, that's enough theory. Now let's move on to the practical part:
Decode the code using CyberChef.
We need two operations in the CyberChef recipe: From Base64 and Remove null bytes.
After decoding from Base64 you will see output like the image above, with a null byte after every character. This is because -EncodedCommand takes Base64 of UTF-16LE text, so each ASCII character is stored as two bytes, the second of which is 0x00. Then apply the Remove null bytes operation to get the actual output.
From that output you can answer all the questions.
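The two CyberChef steps above, reproduced in Python as an added example that is not part of the writeup or the challenge. It also expands the abbreviated switches explained earlier and decodes the -Enc payload as UTF-16LE (which is where the null bytes come from); the command line it parses is a constructed, harmless sample rather than the challenge payload, and the switch table covers only the parameters discussed on this page.

```python
import base64

# Switch abbreviations from the challenge command line, mapped to the full
# powershell.exe parameter names (PowerShell accepts unambiguous prefixes).
SWITCHES = {
    "nop": "NoProfile", "noprofile": "NoProfile",
    "noni": "NonInteractive", "noninteractive": "NonInteractive",
    "w": "WindowStyle", "windowstyle": "WindowStyle",
    "enc": "EncodedCommand", "encodedcommand": "EncodedCommand",
    "sta": "Sta",
}
TAKES_VALUE = {"WindowStyle", "EncodedCommand"}  # these consume the next token

def encode_command(script: str) -> str:
    """Build a -EncodedCommand value as PowerShell expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def naive_decode(b64: str) -> str:
    """CyberChef step 1 only ("From Base64"): each ASCII char is still followed by 0x00."""
    return base64.b64decode(b64).decode("latin-1")

def decode_encoded_command(b64: str) -> str:
    """Both steps at once: Base64 -> UTF-16LE. Same result as "Remove null bytes" for
    ASCII-only scripts, and also correct when the script contains non-ASCII text."""
    return base64.b64decode(b64).decode("utf-16-le")

def parse_cmdline(cmdline: str) -> dict:
    """Expand abbreviated switches and decode the -Enc payload, if one is present."""
    tokens = cmdline.split()
    info = {"switches": {}, "other": [], "decoded_command": None}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        name = SWITCHES.get(tokens[i].lstrip("-").lower())
        if name is None:
            info["other"].append(tokens[i])
            i += 1
        elif name in TAKES_VALUE and i + 1 < len(tokens):
            info["switches"][name] = tokens[i + 1]
            i += 2
        else:
            info["switches"][name] = True
            i += 1
    if "EncodedCommand" in info["switches"]:
        info["decoded_command"] = decode_encoded_command(info["switches"]["EncodedCommand"])
    return info

# Constructed sample: a harmless script packaged the way the challenge payload is.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -Sta -Enc " + encode_command(SAMPLE_SCRIPT)
```

Calling parse_cmdline(SAMPLE_CMDLINE) returns the expanded switches and the decoded script; naive_decode on the -Enc value shows the interleaved null bytes that CyberChef displays after the first step.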
Some of my other writeups where you can learn PowerShell deobfuscation techniques:
How to analyze powershell obfuscated code, Part-1
How to analyze powershell obfuscated code (this one is base64), Part-2
LetsDefend pdf-analysis challenge writeup
Thanks. Please Subscribe below.