How Hackers Can Hide PowerShell in Environment Variables

Published 2024-04-05
jh.live/snykctf101 || Learn cybersecurity with a FREE Capture the Flag 101 workshop from Snyk on April 18th! jh.live/snykctf101

🗨️ Mapping printable characters to positions within Windows environment variables... to slap together silly obfuscated PowerShell code! Masking the original command in a cutesy way that might help evade detection... (or at least be a fun scripting challenge) 💬
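
The technique sketched above, as an added example written for this page (it is not the video's own script): a PowerShell function that builds a lookup of every character found in the current process environment, emits one `${env:NAME}[offset]` reference per character of the command to hide, and joins them into a one-liner that evaluates back to the plaintext. The function name, the exclusion list of per-user variables, the name filter, and the demo command `hostname` are my own choices; the code assumes a Windows host where every character of the command occurs somewhere in the remaining environment values (true for short commands on a stock install; it throws otherwise).

```powershell
# Added example, not code from the video: hide a PowerShell command as a
# chain of environment-variable character lookups and verify the round trip.
# Assumes Windows PowerShell or PowerShell 7 on Windows with a stock
# environment (PSModulePath, ProgramFiles, windir, ... at default values).

function ConvertTo-EnvObfuscated {
    param(
        [Parameter(Mandatory)] [string] $Command,
        # Per-user / per-session variables whose values differ from host to
        # host; skipping them keeps the output decodable on another machine
        # (heuristic list chosen for this example).
        [string[]] $Exclude = @('USERNAME', 'USERPROFILE', 'USERDOMAIN',
                                'COMPUTERNAME', 'LOGONSERVER', 'SESSIONNAME',
                                'TEMP', 'TMP', 'HOMEPATH', 'APPDATA', 'LOCALAPPDATA')
    )

    # Index every character of the environment: code point -> (name, offset).
    # Keying by code point keeps the lookup case-sensitive ('P' is not 'p').
    # First occurrence wins; picking randomly among all occurrences instead
    # would make each run produce a different-looking string.
    $table = @{}
    foreach ($item in Get-ChildItem Env:) {
        if ($Exclude -contains $item.Name) { continue }
        # Only names that are safe inside ${env:NAME}; drops oddities.
        if ($item.Name -notmatch '^[A-Za-z0-9_()]+$') { continue }
        $value = [string] $item.Value
        for ($i = 0; $i -lt $value.Length; $i++) {
            $cp = [int] $value[$i]
            if (-not $table.ContainsKey($cp)) { $table[$cp] = @($item.Name, $i) }
        }
    }

    # One ${env:NAME}[offset] reference per character of the command.
    $parts = foreach ($c in $Command.ToCharArray()) {
        $cp = [int] $c
        if (-not $table.ContainsKey($cp)) {
            throw ("no environment variable value contains '{0}' (U+{1:X4})" -f $c, $cp)
        }
        $name, $offset = $table[$cp]
        '${{env:{0}}}[{1}]' -f $name, $offset
    }
    # Indexing a string yields a [char]; -join over the chars rebuilds the text.
    return '-join (' + ($parts -join ', ') + ')'
}

# Demo (constructed for this example): hide a harmless command, show the
# obfuscated form, and confirm it evaluates back to the original.
$target     = 'hostname'
$obfuscated = ConvertTo-EnvObfuscated -Command $target
$rebuilt    = Invoke-Expression $obfuscated       # yields the plain string
Write-Output $obfuscated
Write-Output ("round trip ok: {0}" -f ($rebuilt -ceq $target))
# An attacker would then run it with a second Invoke-Expression $rebuilt.
```

Two practitioner notes on the design. The output is tied to the environment snapshot it was generated from: if any referenced variable differs at the chosen offset on the target host, the command decodes to garbage, which is why the function skips per-user variables by default and why `PSModulePath` (whose first entry embeds the user profile path) is still a fragile source. On the defensive side, the lookups only hide the text at rest: with PowerShell Script Block Logging enabled, the second `Invoke-Expression` compiles the rebuilt string into a new script block, so the plaintext command is recorded in its own Event ID 4104 entry even though the outer script shows nothing but `${env:...}[n]` references.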

Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/

📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter | jh.live/linkedin | jh.live/discord | jh.live/instagram | jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Su

All Comments (21)
  • @abdirahmann
    This is a very NEAT technique. Did you stumble upon this technique in the wild being used by some bad actors? How did you come up with it? It's really nice. I LOVED IT
  • @aadishm4793
    Great video, seems like a good way to obfuscate commands!
  • @NB-ph6cv
    I'm really happy to see you grow. I have recommended you to a "thousand" others and now I see you got 1.3M subs, which is AMAZING. Keep on doing what you're doing! Greetings!
  • @YuKonSama
    If you have variables that only have the user name as a variable path, you could for example use string splitting on \ to get more options.
  • This video is eye-opening! It's crazy to see how hackers can use something as innocuous as environment variables to hide malicious PowerShell commands. The level of sophistication in cyber attacks is just mind-boggling. Understanding these tactics is crucial for staying safe online. Thanks for the insightful breakdown! Time to up my cybersecurity game.
  • @petko9001
    Thanks for the great video John. I would like to see what kind of setup you are using (home lab, personal rig, laptop, etc.). Can you do a home lab / everyday carry video? I think it will be very interesting and inspiring for the community.
  • @nuthugs
    Love the content!! Keep killing it! What keyboard are you using in the newish setup?
  • @dyerseve3001
    As I understand reverse engineering, which is very little admittedly, this is how hackers optimize building ROP gadgets. If you get a fixed number of bytes to add to the execution stack, you make sure that what is added is entirely built from other sections of the statically mapped memory, because specific strings of assembly will be in fixed locations to reference. So instead of creating code that takes several bytes, you just point to a chunk of that already in memory, thereby keeping the exploit within that limited stack space required to maintain the overflow or use-after-free or whatever tactic the codespace was permitted to hit the stack with without the kernel overflowing. Stringing multiple gadgets together creates a ROP chain, which is the set of functions you need the exploit to do.
  • @xYarbx
    Did this idea come from a sample or just a random thought? Also nice to have more of the red team POV stuff. I've been trying to improve on the red side since I've been made part of a purple team, and stuff like this is helping me make the mental shift.
  • @GodexCigas
    My suspicion is these videos must be preprogrammed weeks or months in advance, because the greatest Linux open source supply chain hack just occurred, the XZ backdoor, and yet here we are watching PowerShell hacks???
  • @liamcoates4890
    You disappeared off my algorithm, then I tried to remember your name when I saw the xz hack, and then I see you have 1.3 million subs; you had 350k last time I watched a vid. Killin' it!!!
  • @houseofcards251
    Great stuff. I would like to know how this looks in the event logs. Does it just show the env variables or does it show the cmdlet being run?
  • It's because PSModulePath includes another environment variable (%ProgramFiles%).