Add PowerShell deobfuscation operations (Format String, EncodedCommand, Backtick, Concatenation, Char Decode)#2455
What do you do now? PowerShell deobfuscation is a hard process. What do you do now? PowerShell obfuscation is hard and uses multiple techniques. Just close it; I don't see any value in that, and it can be easily defeated. PowerShell obfuscation is a complex thing; I don't see any value in that. Obfuscation is not something simple that can be solved; AI can even struggle with some.
@HackingRepo Agree with your point. It is nearly impossible for us to write recipes for all available obfuscation techniques. What I have done is add a few of them that may help us in the dropper stage of commodity malware analysis. I've come across these a lot of times while working at the SOC previously, and it adds value for those members who use it and don't have a separate VM where they can detonate stuff or install additional tools.
Implements five new operations under the 'Code tidy' category to
deobfuscate common PowerShell obfuscation techniques:
- PowerShell Format String Deobfuscate: resolves (-f) format operator
expressions such as ("{0}{2}{1}" -f 'new-ob','t','jec') -> new-object
- PowerShell Decode EncodedCommand: decodes -enc / -e / -ec Base64
UTF-16LE payloads, accepting raw tokens or full command lines
- PowerShell Backtick Remove: strips obfuscating backticks with an opt-in
'Preserve escape sequences' mode for legitimate PS escapes
- PowerShell Concatenation Join: iteratively joins 'frag'+'ment' string
literals, handling mixed quote types and arbitrary chain lengths
- PowerShell Char Decode: decodes [char]N and [char[]](N,N,...) casts
supporting both decimal and 0x hex values
Each operation includes auto-detection checks for the Magic operation,
comprehensive unit tests, and OSINT-validated test cases sourced from
Emotet, AMSI bypass, and Invoke-Obfuscation real-world samples.
Thank you for working on this PR and for partially addressing the PowerShell deobfuscation feature request. I understand that PowerShell obfuscation is a very broad and complex topic, and no single implementation can handle every possible technique from the beginning. However, as an Iranian proverb says: “Drop by drop, a sea is formed.” Great projects do not usually start as complete and perfect systems. They grow step by step. Even these initial operations can be very useful for analysts, SOC teams, students, and malware researchers who need quick and safe static deobfuscation inside CyberChef. If this feature continues to be improved over time with more techniques, better detection, and deeper static analysis, it could eventually become a very powerful and professional PowerShell deobfuscation toolkit within CyberChef. So I believe this PR is a valuable first step, and it can become the foundation for something much bigger in the future.
Summary
Partially addresses #2396.
Adds five new operations to the Code tidy category covering all PowerShell obfuscation techniques requested in #2396:
- -f format operator: ("{0}{2}{1}" -f 'new-ob','t','jec') → new-object
- -enc/-e/-ec Base64 UTF-16LE: powershell -enc SQBFAFgA → IEX
- Backticks: In`voke-Ex`pression → Invoke-Expression
- Concatenation: 'New-'+'Object' → 'New-Object'
- [char]/[char[]] casting: [char[]](73,69,88) → "IEX"

Implementation details
- Each is an Operation with inputType/outputType: "string" and lives in src/core/operations/
- Each operation checks patterns so the Magic operation auto-detects obfuscated input
- Backtick Remove: keeps legitimate escape sequences (`n, `t, `r, `$, `", etc.) while stripping purely obfuscating backticks
- Char Decode: handles 0x hex values, single [char]N casts, [char[]](...) arrays, and the -join [char[]] form; out-of-range codes are left unchanged

Tests
Each operation has a dedicated test file in tests/operations/tests/:
- PowerShellFormatStringDeobfuscate.mjs
- PowerShellDecodeEncodedCommand.mjs
- PowerShellBacktickRemove.mjs
- PowerShellConcatenationJoin.mjs
- PowerShellCharDecode.mjs

Test cases were validated against real-world OSINT samples from Emotet download cradles, AMSI bypass patterns, Invoke-Obfuscation output, and Invoke-PSObfuscation output.

All 241 existing operation tests continue to pass. The two pre-existing Node API test failures (chef.help count and MAGIC suggestions) are unrelated to this PR and present on the unmodified master branch.

Test plan
- npm test — 241 passing, same 2 pre-existing Node API failures
- ("{0}{2}{1}" -f 'new-ob','t','jec') into Format String Deobfuscate → new-object
- SQBFAFgA into Decode EncodedCommand → IEX
- In`voke-Ex`pression into Backtick Remove → Invoke-Expression
- 'New-'+'Object' into Concatenation Join → 'New-Object'
- [char[]](73,69,88) into Char Decode → "IEX"