How Hackers Can Hide PowerShell in Environment Variables

Captions
Hello, it's me again, and today we're going to do something weird. You know how on your computer, whether you're in Linux or Windows, you have these environment variables: different settings, different switches, different things you could configure or tweak for your environment, things like the PATH variable, commands and applications, programs you can run from the command line. But on Windows in PowerShell it's a little bit interesting, because they're actually also configured as a PowerShell drive. So if I were to dir, like the old-school cmd.exe command prompt rendition, or ls, maybe an alias inside of PowerShell, and of course the cmdlet Get-ChildItem, ultimately we could go interrogate and ask for things that are in our env: or environment drive, and this will list out all of the specific environment variables that have a given name and a value. Some of these usually might be tweaked or modified, but there are a couple that never tend to get touched, like maybe the Common Program Files location, or windir, or ComSpec, or maybe just ProgramData, application data, etc. There's a lot of interesting stuff that we might be able to use, and maybe use a little bit of indirection. I'm thinking we try to hide, mask or obfuscate PowerShell code by representing different characters as an index inside of an environment variable that has never changed, or at least is very, very likely not going to be changed. We could write some small, stupid tool, a little proof of concept, just to test that idea, and that's what we're going to do in this video.

So hey, nothing fancy: I've gone ahead and Googled, just done a little bit of research for the default Windows environment variables. A good lot of hits here, but I'm interested in this one, Computer Hope, because it will list out what the default environment variables within Windows are, and this goes through and tells me, hey, a big long list of things that might be something we could take advantage of if we wanted to go through that technique. So let's build out a script that allows us to do this. Let me get back to my command line. I'm just going to make a directory for, uh, envhide, how about that, and we'll move into that directory, and let's open up a Sublime Text editor, or whatever text editor you want, for our envhide.py Python script. Now that we have our Python script created and ready for us, let's go ahead and import os, because we'll use that to actually access the environment variables set here. But first of all, let's make a big long list of these environment variables that we want to interrogate. I'll simply, honestly, just go copy and paste what we might find out of this big long listing, Common Files being one good example, and we'll just add this in. I'll paste; might have missed AppData, just as well, I'll copy and paste these. Maybe it's worth bringing these up and doing some alphabetical order here, but let's go ahead and validate that. Okay, so what I'm going to do is avoid some of these with parentheses, because I think PowerShell whines about that, but I do think it is worth, hey, maybe getting some of the others, so I will go through, copy, paste and build up this list here. I want to avoid the things that are a little bit variable, though, like the username or the computer name, because that could be configurable to whatever that end target, you know, victim environment that we want to deploy some dropper or potential obfuscated code into, would really work. So we'll just look for the stuff that is static.

Hey, before we go too far here, this is a good opportunity to take a break and remind you that, look, I try to get as many free cybersecurity educational videos out as I can, as frequently as I can, but the only way that I can do that is with the help and support of some sponsors, so please allow me to tell you about the sponsor of today's video, Snyk. Snyk is hosting a Capture the Flag 101 workshop on April 18th, where you get to learn how to get started with Capture the Flag. You'll get a walkthrough on how to solve different binary exploitation and web application security challenges, and you'll have the opportunity to solve your first challenge with live support from the Snyk team. If you're just getting started out, or if you've competed in a few Capture the Flag competitions before, you'll walk away with a ton of tips and tricks to compete in CTFs. It'll be a ton of fun, and the best part is it's virtual and completely free, so you can sign up with my link below in the video description, jh. life/ sneak cf101.

Okay, so at this point we've made a decent list of a couple of environment variables, and I've tried to avoid the ones that are variable or may be changed, things like the PATH of course, things like username and computer name, etc. But with that, we could just loop through, for each variable in environment variables, and then we can check, look, if that os.getenv of each variable actually has it, then you know what, we can go ahead and stage that, print it out just to validate, see it on the screen. Let me go actually make sure that that works: set it as a variable, so if there is a value we could go ahead and print out, maybe an f-string, so we could display that each variable is set to that value. Fingers crossed that works. A-okay, let me Ctrl+B just to run this, and there we go, we can see all that output and things look good. AppData, however, does include my username, so maybe that's not worthwhile, and same thing with TEMP and the others. So unfortunately that will be a little bit of a nuisance, because we can't index, just as well as we want to, any of the letters or different characters inside one of those strings, because the username could be of any length, and we wouldn't know that in an unknown environment. So let's try to remove those out of our potential list. What we could do is just check, look, okay, let me get my current username; current username could equal that as an environment variable, and we could say if that username is in that value, then we don't really care about that one, let's just continue onward. We could probably remove that from the list, but just for our own sake, validation. Yep, that looks to be A-okay for what we want. Let me go ahead and cruise through to remove AppData and those temp directories from our core list, and then we don't need to do that testing later, because this was just for our understanding.

Now we need to build up a map as to which variables and their values have what letters of the known principal character set, like letters A through Z and numbers 0 through 9, and, I don't know, any punctuation marks that might already be accounted for or covered. So what I'll do is actually import the string library, built in in Python, and we could go ahead and maybe make an environment mapping where we define a dictionary, right? So what we could do is try to find every single character inside of every single environment variable and its value, and see if we could track down which variables have what, and where. Now, the way that we can do that is with that string module that we imported: we could loop through every single character inside of printable characters as a known list. So for character in string.printable, that gives us a value, and I can just display that out on the screen so you know what I'm talking about. Here are all of our options, all the letters, 0 through 9, etc. Now what I could do is actually loop through every single variable inside of our environment variables list, and that way we could kind of, hey, go through each of them. If we determine their value, we did that just a moment ago with the getenv function out of our os module; let's go ahead and include the variable that we're looking at there. So now we're getting that environment variable value, and we can check if the current character we're looking at inside everything of our string.printable list is actually in that value, and if it is, we want to keep track of it. So what we might be able to do is actually use our environment mapping dictionary, sort of a hash set here for us, where we could say, cool, at that character as a key, to denote, okay, all of the options for that character, we would actually want to track that specific environment variable, and it might be best to actually do that as a dictionary inside of a dictionary, a little nested there, because that way we could keep track of everything in the same way. So actually, for every single character inside of string.printable, I want to add that as a key to our environment mapping big dictionary, with a nested inner dictionary. Is this weird? I promise it'll make sense in a second, because then finally we could actually validate, while we're checking if the character is even there to begin with in the value of the environment variable, let's just set that variable as a key and make that an empty list, so that we can track all of the indexes in a moment. In fact, let's do that now. We could do for i, given the index or iterator as we loop through the value of that variable, and its character, right, c I guess, in that value, we could check if the current character that we're looking at in our string.printable loop is equal to the current character at that position, an index of our value, in which case we should go ahead and add it to our array. But we won't be able to use the syntax nice and easily, because for would normally expect just one iterator value here; we will need to make sure that we use the enumerate function wrapping around that, so we have a little generator and we can track our index, our i value, our iterator, as we move through. So if that character is present, then here's what we'll do: we'll just add it to our mapping for every character, for that variable, with the append function; we'll just add in that i for the index.

Now at this point, I don't know if this makes any sense saying it out loud. We've built out a big long list so that, by a character, any that we choose, we could determine what environment variables might be an option for us to use and where it could come from. Let me actually make that a little bit more visible for you. If I do from pprint import pprint, we'll be able to pretty-print that, and let's see if that looks good as I print out this mapping. Fingers crossed. If I go back to my command line and I run with python my envhide Python script, ooh, take a look. Okay, so there are a handful of values set for a couple different characters. Some are missing some values, like f, a couple punctuation marks, of course maybe capital letters X, Y and Z, but otherwise there are a lot of options here. Like, what's a good one we could probably dig into? D has a lot of options, where it's maybe accessible in the ALLUSERSPROFILE and the PATHEXT and the PSModulePath and the ProgramData. Let's actually evaluate that, say, like the number 2 as an option. ComSpec is a variable that could be used to get it at index 18, same thing with PSModulePath, 112, goodness, that's a big one. So let me actually go ahead and echo our environment ComSpec, and now we should be able to see that that is C:\Windows\system32. Now, if I'm looking for the number 2, that's, uh, I don't know, I can eyeball, probably say that's about 18 characters in, right? Can I index that? Does that work, indexed at 18? Yeah, it does it. Okay, cool, number 2, and that is what we want.

Now we could build out something to use and represent PowerShell code strictly with these stupid environment variable options, but let's clean up our code a little bit. Let's fold out these environment variables, let's maybe define a build environment mapping dictionary, and now we could probably use a function that we might want to use to env hide obfuscate given a string. Now we could represent a new string, perhaps, and maybe that's just an empty list for now that we'll build up and iterate through, because what we could do is do a for c in that given argument string, and then use our environment variable mapping to specify the key for that character, which will give us all of the options for possible environment variables that we could use. So we'll call that possible vars. Now I'd like to just randomly get one of them, so I'm going to import random; I think that would be kind of cool. We'll just choose arbitrarily whatever one that we want for our chosen variable to mask or hide that character: possible vars equals env mapping of c, let's choose that chosen var to equal random.choice of the possible vars, and actually, since this returns a whole dictionary, I only want to get the keys from that, and I think that will return an iterable, so I will need to cast that to a list. Now we choose a random one, and then we could choose any of the possible indexes at any of those possible locations, right? So possible indexes, or indices I guess, will now be our environment mapping at that chosen variable. Now I'll use a chosen index to be our random.choice once again from our possible indices, and with that we have everything to build out our new character, just represented as an index of an environment variable. So our new character should be our environment mapping at our chosen variable, given the chosen index. Will that work for me? Let's do our new string.append our new character. Finally, at the very end of our function we can return; honestly, we'll keep it probably abstract for now, let's just use our new string, and even though we have it as a list, yeah, maybe that's not the right wording, let's just call it op code, we'll place that there.

Okay, so now we have our env hide obfuscate given a string, and let's see if we could actually have that render and working well for us. Just as a test, let's use a PowerShell command where I Write-Output and then the number 420, hell yeah. Now let's see if we could actually print out our env hide obfuscate function call on that PowerShell command that we want to try to obfuscate or hide with these environment variables. If I run this, everything's wrong. Oh, oh, oh, oh, I'm forgetting that we need to include the character that we're working with up to actually access the variable that we want after we've chosen it, so we should do the very, very same here, and the new character should actually come from the environment variable itself, not our mapping, so we will need to do os.getenv of our chosen var at that index, right? Okay, that looks a little bit better. How about this? Ah, now we're going to be running into the issue where maybe we don't in fact have that character as a represented option within our environment variable mapping, so we'll kind of need to handle those others that we want just on their own, or use some other trick to maybe, hey, use ASCII tables and calculate the number offset to be able to add or subtract some value to go get the value that we want without it strictly being in an environment variable. In fact, we could just use the ASCII number to keep things simple; that's what I'm going to do for this demo and showcase. So if we determine the possible variables and there aren't any, there's nothing actually in that dictionary, then we could say if not possible characters, then we would add to our obfuscated code just actually the character itself, just the letter c in this case, and then we would continue onward, because we don't want to fall back down into the rest of this code. So this condition would not actually trigger if it did have keys, and then it would add it appropriately; otherwise it wouldn't, and it would just add the regular value. And let's see if this works here. Okay, looks like it's building the string Write-Output 420. In fact, we could, just for demonstration's sake, join this all together, but bear in mind we have just created the exact same string that we started with, so this is not super duper helpful.

Now we need to build and bake in some of that PowerShell syntax. The way that we could represent one of those is exactly how we did on the terminal just a minute ago, grabbing from the environment that ComSpec or whatever value we want at whatever index. So let's try and add that in. Let's go back to just returning the obfuscated code on its own for the moment, and we will go ahead and actually append maybe a PowerShell syntax, being a format string of our environment variable at our chosen variable indexed at the chosen index, wrapped as a value there. Now we would actually add that as our PowerShell syntax, and maybe a good way to avoid, hey, having the literal character in there could be to just represent it as a character. I think we can do that well in PowerShell if we just do like the character representation of the letter A, we treat that as an int. Well, I guess actually that is what we take the character representation of: an ASCII value, capital letter A is 65, so we just need that value and then the char prefix in front of it. I think that would work for us, so we could then actually just add the syntax maybe of a char representation of the ordinal value of c, in which case that'll be the ASCII value presented there. So fingers crossed, if that's all getting added to our actual little list here for the new obfuscated code that we build out, can I pprint that? We still have that imported, yeah, so let's go see how gross and disgusting that is. Let me py our envhide script, and there we go, we have represented Write-Output the number 420, uh, with this, and that's the gist. We could do this as well, and we'll get a different value every single time, because it's randomly getting those that it knows it could pull out of the different environment variables, so that's kind of slick.

Now we need to put these together in a way that it'll actually execute within PowerShell. I don't think that we could do just the environment variables pasted in on their own; let me go find out. If I try to run this: no, unexpected token, which makes complete sense. Even if we like wrap it in these quotes here, does that work? No. What if I add a comma in the mix? That doesn't actually return anything. Could I then join those together, um, with an empty string? But that's not actually invoking it. What if I IEX that? Yeah, but that doesn't give me the raw string. Do I do ToString on that? That's an empty string, why? Oh, there we go, IEX would do it if we tack on join. So we could literally have them all output and then join them together with null if we wanted to; that'll represent the same way if we don't supply an argument there. Yeah, it will need a value, so null could be an option, though. Can we index a value that like definitely doesn't exist? That would work, or we could just choose any arbitrary variable that wouldn't exist at all, so that could be another opportunity to add randomness and obfuscate whatever we want. Then we just need to hide our IEX with the exact same obfuscation technique, so we could probably do that. So since we have this underlying helper function now to get the array of characters, could I then define maybe just another that's like PowerShell obfuscate given a string, where I pass that to my env hide obfuscate, and this should be super simple? Honestly, we could just return what would be an ampersand to like invoke a new IEX, or like, hey, start a script to be run or command to run. So we could return that with, inside of parentheses, maybe all of those pieces joined together with just a comma, so that way we'll have them presented, and we will ultimately then in PowerShell use a join, and let's actually put like a variable for complete nonsense. We'll use random.randint in this case, and we can go from like one to whatever value that we really want, um, and then fingers crossed we should be able to just get that PowerShell obfuscated syntax for our PowerShell command.

And if I run this, now we have this syntax that will Write-Host one. If I copy and paste it into my PowerShell command line, correct? Let's try it, copy paste this abomination. Oh no. So this is the command that it tried to run, which is obviously not Write-Host 420, but I guess maybe all along the way we actually had some of our indexes wrong. What is PSModulePath, and then what is, is it indexed at 17? It is C. How is that C? Where is that actually? Oh, Documents, that is not a W. Where did we go wrong? Some of them seem to work, but others didn't. Is our mapping wrong? It doesn't quite make sense to me that some of them are right and some of them are wrong. I want to try and take a look at our mapping one more time, because I think the issue is maybe we're getting set values in the wrong place, because everything that I see from looking at these values is correct, right? A ComSpec environment variable at index 12 is a letter y, just like we see here. So what is going wrong for capital W? Capital W and the PSModulePath, oh, it doesn't even have 17, which is what we saw earlier. So am I just getting a wrong random choice? What is wrong with that? Our obfuscated stuff must be wrong. When we choose a possible variable, we choose that possible indexes should be the environment variable mapped at that character, mapped at that chosen variable, choosing them. Let's print out our possible indices and the chosen variable, just for me to be able to see it in action, and then we don't need to print our environment variable, I just want to do it. Can I see this? So w is a very, very first one. Oh no, no, no, now we're at windir. windir has chosen possible index of three, which should be right. Did this just magically get it now, or is something still wrong? Nope, oh, it is correct. An ampersand won't run that, though, right? Write-Output 420 won't trigger with an ampersand? It will. Why did that not work? Ah, does it not need to be joined then as a string? Let's change this and then literally not even use join and just put it all together. Would that work? Run our script, this should be what fires. Yeah, no, that's very wrong. We'll probably need an IEX just like in there alongside it, not ideal, but can I put IEX as an option and then maybe join those together as well? Let's use IEX there. Now let me py envhide, so our ampersand will invoke something new, which will then have a segment to include our specific IEX payload and then the actual thing that we wanted to run. Fingers crossed, if I were to paste this in, still no. What if we actually did keep that as a join string? Let's create an IEX stage variable where we use our IEX joined together, and then maybe our payload stage, which should just be the pieces that we put together, all with randomness, and then we would simply include those with our IEX and our payload. Does that work? Is that dumb? Now they're all joined in PowerShell, so there should be a natural string. Let's run that, we get this disaster, paste that, [laughter] 420. Question is, why did that not work earlier? What was the oddity where Write-Host was not getting built correctly with the other variables when it was using like PSModulePath? This one has PSModulePath in it, so let's see if, no, that one still works. Why is that so weird? Let's not print out any of the chosen indexes anymore, let's just do this, and that will spit out our output for our obfuscated syntax, and that will continue to do what we want.

Now what else can I do? I mean, it's a stupid PowerShell cradle. If you wanted to, you could manipulate these ones that I have, an oddball instance that aren't in one of the environment variables, uh, maybe you manipulate that with some other numbers or some math to tweak and hide that a little bit more. Maybe you could build this in a format string where you actually have, like, the way that we're organizing things right now is that it is in chronological order, um, 0, 1, 2, 3, with all the item lists that we want here, but if we actually built this out and split it, to a sense, you could totally shuffle these, and that would be really, really sweet. Hey, maybe make these in any order that is arbitrary and completely chosen at random, uh, that would be kind of fun. We might tinker with that just as well, but we can validate some other payloads, like what is another worthwhile thing we could just run? Like dir, right, dir, obviously this would work fine. Yeah, nothing wrong with that, and we got some messy stuff, and maybe we could clean up how we approach that, but look, at the gist, it's seemingly functional, and we are hiding what is the original payload inside of stupid environment variables.
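The flip side of the cradle built in the video is recovering the original command from a logged script block (PowerShell script block logging, event 4104, captures the text exactly as pasted). The following is an added example written for this page, not the envhide.py script from the video: it tokenizes the $env:VAR[index] pieces, the [char]N pieces and the -join operators the video ends up emitting, resolves each index against an environment, and counts indexed env references as a detection heuristic. SAMPLE_ENV and SAMPLE_BLOCK are constructed for offline testing and are not values or output from a real host; NOSUCHVAR1337 is a made-up name standing in for the nonexistent variable the video suggests as a join separator.

```python
import os
import re

# Constructed sample environment for offline testing (not values from a real
# host); the real tool would pass os.environ from the machine that ran the
# script block. The four names are ones the video treats as "static".
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "WINDIR": r"C:\Windows",
    "PROGRAMDATA": r"C:\ProgramData",
    "PSMODULEPATH": r"C:\Program Files\WindowsPowerShell\Modules",
}

# Constructed script block in the shape the video ends up with: an ampersand
# invoking an IEX stage and a payload stage, each a comma list of
# $env:VAR[index] and [char]N pieces joined with a variable that does not exist.
SAMPLE_BLOCK = (
    "& (([char]73,[char]69,[char]88) -join $env:NOSUCHVAR1337) "
    "(($env:WINDIR[3],$env:PROGRAMDATA[4],$env:COMSPEC[4],$env:COMSPEC[14],"
    "$env:COMSPEC[15],[char]45,[char]79,$env:PSMODULEPATH[38],$env:PROGRAMDATA[12],"
    "[char]112,$env:PSMODULEPATH[38],$env:COMSPEC[14],$env:PSMODULEPATH[10],"
    "[char]52,$env:COMSPEC[18],[char]48) -join $env:NOSUCHVAR1337)"
)

# One regex, four kinds of token: an indexed env var, a [char] cast, a single
# quoted literal (the early version of the script emitted raw characters), and
# the -join operator that closes one assembled string.
TOKEN_RE = re.compile(
    r"\$env:(?P<var>[A-Za-z_][A-Za-z0-9_]*)\[(?P<idx>\d+)\]"
    r"|\[char\](?P<ord>\d+)"
    r"|(?P<lit>'(?:[^']|'')*')"
    r"|(?P<join>-join\b)",
    re.IGNORECASE,
)


def deobfuscate(block, env=None):
    """Return (segments, unresolved).

    segments: the plain-text string each -join group evaluates to under env,
    in order of appearance. unresolved: how many references could not be
    resolved (unknown variable, or index past the end of its value); those
    positions are written as '?' so the analyst can see where the gap is.
    """
    source = os.environ if env is None else env
    # Environment variable names are case-insensitive on Windows.
    lookup = {k.upper(): v for k, v in source.items()}
    segments, buf, unresolved = [], [], 0
    for m in TOKEN_RE.finditer(block):
        if m.group("join"):
            segments.append("".join(buf))
            buf = []
        elif m.group("var"):
            value = lookup.get(m.group("var").upper(), "")
            idx = int(m.group("idx"))
            if idx < len(value):
                buf.append(value[idx])
            else:
                buf.append("?")
                unresolved += 1
        elif m.group("ord"):
            buf.append(chr(int(m.group("ord"))))
        else:
            lit = m.group("lit")[1:-1].replace("''", "'")
            if lit:
                buf.append(lit)
    if buf:
        segments.append("".join(buf))
    return segments, unresolved


def env_index_count(block):
    """Number of $env:VAR[index] references in a script block."""
    return sum(1 for m in TOKEN_RE.finditer(block) if m.group("var"))


def looks_env_indexed(block, threshold=6):
    """Heuristic for a rule over script block logs: ordinary scripts read
    whole variables, not single characters out of several of them."""
    return env_index_count(block) >= threshold


if __name__ == "__main__":
    segments, missing = deobfuscate(SAMPLE_BLOCK, SAMPLE_ENV)
    print("flagged:", looks_env_indexed(SAMPLE_BLOCK))
    print("recovered:", segments, "unresolved:", missing)
```

The indices only mean something against the environment of the host that ran the block, which is the same trap the video hit when PSModulePath[17] turned out to be a different character on the speaker's machine; so pass that host's variables, not the analyst's, and treat any '?' in the output as a variable you still need to collect from it.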
Info
Channel: John Hammond
Views: 58,768
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers
Id: 8CiNx4nNqQ0
Length: 25min 26sec (1526 seconds)
Published: Fri Apr 05 2024