3

I am writing a PowerShell interpreter that looks at malware, and I have some text I don't know how to parse. It looks like a pipeline, but what comes after the pipe doesn't make sense to me, and the interpreter I am modifying doesn't handle it. The relevant statement is shown below.

start-process($env:APPDATA+ '\mef.vbs')|I`E`X

I get the start-process part. It's just the pipe I don't grok. `E might be a backtick for escape, but `X isn't in any documentation I have seen. Moreover, it doesn't look like a command to process the output from the "start-process". So, what is "|I`E`X"?

intel_chris
  • 508
  • 1
  • 5
  • 18

3 Answers

6

iex is an alias for Invoke-Expression. Here the two backticks don't make any difference; they just obfuscate the command a little. iex executes a string as an expression, even from a pipe. Here Start-Process is a cmdlet that starts processes.

Wasif
  • 7,984
  • 2
  • 19
  • 32
  • Thanks. This makes sense. This malware is continually making strings that are intended to be "commands" (e.g. download this malware or in this case run the malware that the previous command downloaded). So, I just need to figure out where in the interpreter it is supposed to process `Invoke-Expression` and decide what to do with it (e.g. probably nothing). – intel_chris Sep 15 '20 at 06:59
  • Yes @intel_chris, `iex` makes the statements harder for us to read. By the way, where did you get the malware code? If you have a link, give it to me; I would like to analyze the code. – Wasif Sep 15 '20 at 07:01
  • Sorry, I can't do that. The project is under an NDA. Which is why I clipped only a very small part of the code. My guess is it is standard malware that is well handled as I had to turn off Windows Defender for the directory in which I am working as WD knew it as a specific Trojan. – intel_chris Sep 15 '20 at 07:29
3

I`E`X is an acronym for the PowerShell command Invoke-Expression.

Kamil Maciorowski
  • 69,815
  • 22
  • 136
  • 202
LPChip
  • 59,229
  • 10
  • 98
  • 140
2

It's an alias and PowerShell has tons of them.

You can see them all by typing

# Get named aliases
Get-Alias |
Out-GridView -PassThru -Title 'Available aliases'

Or a specific one...

Get-Alias -Name iex | Format-Table -AutoSize
# Results
<#
CommandType Name                     Version Source
----------- ----                     ------- ------
Alias       iex -> Invoke-Expression               
#>

Get-Alias -Definition Invoke-Expression | Format-Table -AutoSize
# Results
<#
CommandType Name                     Version Source
----------- ----                     ------- ------
Alias       iex -> Invoke-Expression 
#>

Even properties and switches have aliases

# Get cmdlet / function parameter aliases
(Get-Command Get-ADUser).Parameters.Values |
where aliases |
select Name, Aliases |
Out-GridView -PassThru -Title 'Alias results for a given cmdlet or function.'

# Or get only populated parameter aliases
(Get-Command Get-ChildItem).Parameters.Values | 
Select-Object -Property Name, @{
    Name       = 'Aliases'
    Expression = {$PSitem.Aliases}
} | Where-Object -Property Aliases -NE $null

Aliases are great for interactive stuff at the consoles, even with the ISE/VSCode, as long as it is throw-away code. Aliases should never be used in scripts as a best practice.

• Best Practices for aliases: https://devblogs.microsoft.com/scripting/using-powershell-aliases-best-practices
• Best Practice for Using Aliases in PowerShell Scripts: https://devblogs.microsoft.com/scripting/best-practice-for-using-aliases-in-powershell-scripts

Why worry about aliases in the first place?

What is the big deal about using aliases anyway? If they make the code easier to type, what is the harm in using them in scripts? There are two things at work when it comes to a script. The first is that no alias is guaranteed to exist—even aliases that are created by Windows PowerShell.

FYI, when you see IEX/iex in code downloads, in most cases it is malware or some prank, as you have discovered.

Invoke-Expression

This command takes any string and executes it as if it was a PowerShell command. While this is very powerful and sometimes plain necessary, it imposes all risks of so-called “SQL injection” security issues.

Avoid Invoke-Expression wherever you can, and of course, the example above was somewhat constructed. There was no need for composing string commands, and you could have submitted the user input directly to the appropriate command parameters.

There are extremely limited cases where IEX should be used, and you must understand the consequences of using it.

Invoke-Expression considered harmful

Always look out for its use as well as encoded commands. Enable full PowerShell logging and Transcripts to be alerted and catch this stuff hitting your environment. Have a proactive policy-based approach to dealing with its inevitability.

postanote
  • 4,589
  • 2
  • 7
  • 7