
I am writing a PowerShell interpreter that looks at malware, and I have some text I don't know how to parse. It looks like a pipeline, but what comes after the pipe doesn't make sense to me, and the interpreter I am modifying doesn't handle it. The relevant statement is shown below.

start-process($env:APPDATA+ '\mef.vbs')|I`E`X

I get the start-process part. It's just the pipe I don't grok. `E might be a backtick for escape, but `X isn't in any documentation I have seen. Moreover, it doesn't look like a command to process the output from the "start-process". So, what is "|I`E`X"?

intel_chris

4 Answers


iex is an alias for Invoke-Expression. Here the two backticks don't make any difference; they just obfuscate the command a little. iex executes a string as an expression, even from a pipe. Here Start-Process is a cmdlet that starts processes.

wasif

I`E`X is an acronym for the PowerShell command Invoke-Expression.

LPChip

It's an alias and PowerShell has tons of them.

You can see them all by typing

# Get named aliases
Get-Alias |
Out-GridView -PassThru -Title 'Available aliases'

Or a specific one...

Get-Alias -Name iex | Format-Table -AutoSize
# Results
<#
CommandType Name                     Version Source
----------- ----                     ------- ------
Alias       iex -> Invoke-Expression               
#>

Get-Alias -Definition Invoke-Expression | Format-Table -AutoSize
# Results
<#
CommandType Name                     Version Source
----------- ----                     ------- ------
Alias       iex -> Invoke-Expression
#>

Even properties and switches have aliases

# Get cmdlet / function parameter aliases
(Get-Command Get-ADUser).Parameters.Values |
where aliases |
select Name, Aliases |
Out-GridView -PassThru -Title 'Alias results for a given cmdlet or function.'

Or get only populated parameter aliases

# Hashtable entries in a calculated property must be separated by ';'
(Get-Command Get-ChildItem).Parameters.Values |
Select-Object -Property Name, @{ Name = 'Aliases'; Expression = { $PSItem.Aliases } } |
Where-Object -Property Aliases -NE $null

Aliases are great for interactive stuff at the consoles, even with the ISE/VSCode, as long as it is throw-away code. Aliases should never be used in scripts as a best practice.

• Best practices for aliases: Best Practice for Using Aliases in PowerShell Scripts, https://devblogs.microsoft.com/scripting/best-practice-for-using-aliases-in-powershell-scripts and https://devblogs.microsoft.com/scripting/using-powershell-aliases-best-practices

Why worry about aliases in the first place?

What is the big deal about using aliases anyway? If they make the code easier to type, what is the harm in using them in scripts? There are two things at work when it comes to a script. The first is that no alias is guaranteed to exist—even aliases that are created by Windows PowerShell.

FYI, when you see IEX/iex in code downloads, in most cases it is malware or some prank, as you have discovered.

Invoke-Expression

This command takes any string and executes it as if it was a PowerShell command. While this is very powerful and sometimes plain necessary, it imposes all risks of so-called “SQL injection” security issues.

Avoid Invoke-Expression wherever you can, and of course, the example above was somewhat constructed. There was no need for composing string commands, and you could have submitted the user input directly to the appropriate command parameters.

There are extremely limited cases where IEX should be used, and you must understand the consequences of using it.

Invoke-Expression considered harmful

Always look out for its use as well as encoded commands. Enable full PowerShell logging and Transcripts to be alerted and catch this stuff hitting your environment. Have a proactive policy-based approach to dealing with its inevitability.

postanote

I`E`X is in fact IEX, which is an alias for Invoke-Expression. The additional "`" symbols are ignored by the interpreter but are used by malicious actors as a light obfuscation technique in malware attacks.

Your particular line attempts to pipe the resulting output of executing the VBS file situated in the APPDATA folder to the command interpreter (execute).

Conclusion: the line attempts to run a VBS script via Start-Process, then pipes the output to the PowerShell command Invoke-Expression to run the resulting "second-stage" code.

Sometimes this technique is used to avoid signature detection by generating the malware code at runtime via mef.vbs.

Sab
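As an added example (not code from the question or any of the answers), the following function shows how an analysis tool can let PowerShell's own parser undo the backtick obfuscation discussed above and then resolve each pipeline stage through the alias table, flagging stages that turn out to be Invoke-Expression. The function name Get-PipelineCommands is my own; Parser.ParseInput, CommandAst.GetCommandName and Get-Command are the real PowerShell APIs, and alias resolution uses the alias table of the session running the analysis.

```powershell
# Added example: statically inspect a PowerShell pipeline without running it.
# The parser only tokenises the text; nothing in the sample line is executed.
function Get-PipelineCommands {
    param([Parameter(Mandatory)][string]$Line)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Line, [ref]$tokens, [ref]$errors)

    # Each CommandAst is one stage of the pipeline. GetCommandName() returns the
    # name after the tokenizer has processed backticks, so I`E`X comes back as IEX.
    $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object {
            $name = $_.GetCommandName()
            $cmd  = Get-Command -Name $name -ErrorAction SilentlyContinue

            # For an alias, Definition holds the target command (e.g. Invoke-Expression).
            $resolved = if ($cmd -is [System.Management.Automation.AliasInfo]) { $cmd.Definition }
                        elseif ($cmd) { $cmd.Name }
                        else { $name }

            [pscustomobject]@{
                AsWritten  = $_.CommandElements[0].Extent.Text   # raw text, backticks included
                Normalised = $name                               # after escape processing
                ResolvesTo = $resolved                           # alias target or cmdlet name
                IsIex      = ($resolved -eq 'Invoke-Expression') # the stage worth alerting on
            }
        }
}

# The statement from the question; it is parsed, never executed.
Get-PipelineCommands -Line 'start-process($env:APPDATA+ ''\mef.vbs'')|I`E`X' | Format-Table -AutoSize
```

For the sample line the second row reports AsWritten I`E`X, Normalised IEX, ResolvesTo Invoke-Expression and IsIex True; aliases defined by a script itself are not visible to this lookup unless they have been added to the analysis session.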