Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. Here we are going to look at a PowerShell script that contains a payload, and that payload has been encrypted with AES. I'm going to show you how you can use my tools to decrypt this PowerShell script.

So here we have the script, and you can already see two base64 strings. This string here is converted to binary data, CFII, and if you look further down for CFII you see that it is assigned to something with a property Key. So this is the key in base64. And here we have another base64 string, so that must be the encrypted payload. As you can see, we have AesManaged, a block size of 128, padding mode PKCS7, the mode is CBC (cipher block chaining) and the key size is 256. This is indeed the payload here, because the initialization vector is taken from the first 16 bytes of this decoded base64 string, as you can see here, and then the decryption is done here with the remaining bytes, so the bytes after the first 16 bytes. Once the decryption is done, the result is also decompressed, Gzip decompressed. So we are going to look at this and how to do it.

First of all, with base64dump I'm going to search for base64 strings in my example PowerShell script, and I find many of them, because of course you have keywords that resemble base64 and are syntactically valid base64 strings, but they are not encoding anything. To have fewer of those strings you can say, for example, that the minimum length of the decoded string must be 20, and then we only have our two base64 strings. Now I'm going to select this payload and pipe it into my translate program and give it a small script to do the decryption, and this is the small script. I import some crypto functions, and then I have my small decryption function, which just takes the data.

The initialization vector is the first 16 bytes of the data, and the ciphertext that has to be decrypted is the remaining bytes. The key is base64 decoded from a variable, key base64, and this is a variable we are going to pass along on the command line. Then here we create a new AES object with the key, the mode and the initialization vector, and then here we do the decryption and the unpadding.

So let's take this key; this is the base64 key that we are going to pass along on the command line. Here I select the second stream, the second base64 stream, I dump it and pipe it into my translate program. There is a Python expression that we are going to pass along, and that's the key: key base64 equals this base64 string that we copied. Then we pass it a script, that's the decryption script, with fullread, so we operate on the full data that is passed along from base64dump, not byte per byte but on the full data, and then we just call the decrypt function like this. And this here is actually the decrypted payload. Why is it not readable? Well, that's because it is also compressed; we have to decompress it. I can do that again with translate, fullread and then gzip decompression, and here we have our small payload: "this is a test".

Now let me come back here and show you: if I modify the key, the uppercase Q here, let's make it a lowercase q, and now you can see we have a padding error. That's because the decryption failed; what we have is not the actual clear text, and then when we try to do the unpadding we get an error. That's how you can recognize when you are using the wrong key.
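The decryption steps described above (IV from the first 16 bytes of the decoded blob, AES-256-CBC with PKCS7 padding on the rest, then gzip decompression), and the padding error that a wrong key produces, as a stand-alone Python script. This is an added example, not Didier Stevens' translate.py script or the decryption snippet shown in the video; it assumes either the `cryptography` or the `pycryptodome` package is installed for the AES primitive, and the key, IV and payload blob are constructed here for the demonstration, not taken from the video.

```python
import base64
import gzip

# AES itself is not in the Python standard library. This example uses whichever of
# two common third-party packages is installed: "cryptography" or "pycryptodome".
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, decrypt):
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES  # pycryptodome

    def _aes_cbc(key, iv, data, decrypt):
        aes = AES.new(key, AES.MODE_CBC, iv)
        return aes.decrypt(data) if decrypt else aes.encrypt(data)

BLOCK_SIZE = 16  # AES block size in bytes (the script's BlockSize of 128 bits)


def pkcs7_unpad(data):
    """Strip PKCS7 padding; raise ValueError when the padding is not valid.
    With a wrong key the decrypted bytes are effectively random, so this is the
    check that almost always fires first: the 'padding error' seen in the video."""
    if not data or len(data) % BLOCK_SIZE:
        raise ValueError("padding error: length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > BLOCK_SIZE or data[-n:] != bytes([n]) * n:
        raise ValueError("padding error: invalid PKCS7 padding (wrong key?)")
    return data[:-n]


def decrypt_payload(blob_b64, key_b64):
    """Same layout as the PowerShell script: IV = first 16 bytes of the decoded
    blob, ciphertext = the rest, AES-CBC with PKCS7, then gzip decompression."""
    data = base64.b64decode(blob_b64)
    key = base64.b64decode(key_b64)
    iv, ciphertext = data[:BLOCK_SIZE], data[BLOCK_SIZE:]
    plain = pkcs7_unpad(_aes_cbc(key, iv, ciphertext, decrypt=True))
    return gzip.decompress(plain)


def try_key(blob_b64, key_b64):
    """Return (True, payload) or (False, error message), so a wrong key is
    reported instead of crashing, e.g. when trying several candidate keys."""
    try:
        return True, decrypt_payload(blob_b64, key_b64)
    except (ValueError, OSError, EOFError) as exc:  # padding or gzip failure
        return False, "%s: %s" % (type(exc).__name__, exc)


# --- Constructed sample (not from the video): build a blob in the same layout ---
def pkcs7_pad(data):
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE
    return data + bytes([n]) * n


def build_sample(plaintext, key, iv):
    compressed = gzip.compress(plaintext)
    encrypted = _aes_cbc(key, iv, pkcs7_pad(compressed), decrypt=False)
    return base64.b64encode(iv + encrypted).decode()


SAMPLE_KEY = bytes(range(32))  # constructed 256-bit key for the demo only
SAMPLE_IV = bytes(range(16))   # constructed IV
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_BLOB_B64 = build_sample(b"this is a test", SAMPLE_KEY, SAMPLE_IV)
# The same kind of one-character change as in the video: flipping the case of a
# base64 character alters six bits of the key while keeping the string valid base64.
WRONG_KEY_B64 = "a" + SAMPLE_KEY_B64[1:]

if __name__ == "__main__":
    print(try_key(SAMPLE_BLOB_B64, SAMPLE_KEY_B64))  # (True, b'this is a test')
    print(try_key(SAMPLE_BLOB_B64, WRONG_KEY_B64))   # (False, '...')
```

The `try_key` wrapper is the defender's convenience: when several base64 strings in a script could be the key, each candidate can be tried in turn and the padding error distinguishes the wrong ones, exactly as the video shows for the single altered character.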