A common tactic threat actors use to cover their tracks is to write a command as a string of decimal character codes rather than as plain text. The encoded command is unreadable to a human skimming a log or a script, but the machine that assembles and runs it has no trouble with it. Luckily, the encoding is trivially reversible, so it is possible to decode these commands and uncover what they are trying to do.
The first thing to be aware of is that the encoding shows up in two common forms: one written with the SQL CHAR() function, usually seen on cmd.exe command lines, and one written with PowerShell's [char] type accelerator. They are not processed the same way. PowerShell evaluates the [char] form itself at run time. cmd.exe has no CHAR() function, so when the CHAR() form appears on a cmd.exe command line the string was typically concatenated by whatever built the command (for example a database engine evaluating an injected query before handing the result to xp_cmdshell), and cmd.exe received the already-decoded text. What reaches your logs or the captured script, however, is the encoded string, and the decoding steps below are the same for both forms. See the following examples:
CMD:
"C:\Windows\system32\cmd.exe" /c calc.exe
becomes…
"C:\Windows\system32\cmd.exe" /c CHAR(99)+CHAR(97)+CHAR(108)+CHAR(99)+CHAR(46)+CHAR(101)+CHAR(120)+CHAR(101)
PowerShell:
powershell.exe -Command "Start-Process calc"
becomes…
powershell.exe -Command "Start-Process $([char]99+[char]97+[char]108+[char]99)"
Although the encoded commands look very different from the originals, they produce the same effect: the CHAR() form resolves to calc.exe and the [char] form resolves to calc before anything is executed.
Notice that the CMD example defines each character as CHAR(code), while PowerShell uses [char]code; both join consecutive characters with a plus sign (+). Running a command this way is no different in effect from running calc.exe directly; its only purpose is to keep the command from being read at a glance.
To decode a large string, follow these steps:
- Extract the portion of the command that is character encoded.
Example: CHAR(99)+CHAR(97)+CHAR(108)+CHAR(99)+CHAR(46)+CHAR(101)+CHAR(120)+CHAR(101)
or [char]99+[char]97+[char]108+[char]99
- Carefully delete everything except the numbers, keeping a space between each integer so that adjacent codes do not run together (99 and 97 must not become 9997).
Tip: For this step, use a tool like CyberChef or a text editor that can find and replace characters in bulk.
Example: 99 97 108 99 46 101 120 101
or 99 97 108 99
- Decode the string of numbers with a decimal-to-text decoder (for example CyberChef's From Decimal operation, described below), into which you can paste the numbers to reveal the human-readable command.
Alternatively, you can decode the command by hand by looking each number up in an ASCII decimal code chart (99 is c, 97 is a, 108 is l, 46 is the dot, and so on).
- Lastly, to get the full context, don't forget to add back any non-character-encoded pieces that you removed in the first step, such as the "C:\Windows\system32\cmd.exe" /c or powershell.exe -Command "Start-Process ..." that surrounded the encoded string.
Using CyberChef to decode
CyberChef is a great utility that can perform the same three steps as a single recipe. Build one recipe for each encoding form; each uses two Find / Replace operations in regex mode followed by From Decimal:
CMD
- Find / Replace (regex): find (?i)CHAR|\(|\) and replace it with nothing. This strips the CHAR keyword and the parentheses, leaving only the numbers and the plus signs.
- Find / Replace (regex): find \+ and replace it with a single space, so that each number stays separate from the next.
- From Decimal, with Space as the delimiter.
For easy copy and paste, here are the strings for the find values above: (?i)CHAR|\(|\) and \+
PowerShell
- Find / Replace (regex): find (?i)\[CHAR\] and replace it with nothing.
- Find / Replace (regex): find \+ and replace it with a single space.
- From Decimal, with Space as the delimiter.
For easy copy and paste, here are the strings for the find values above: (?i)\[CHAR\] and \+