I am writing a powershell interpreter that looks at Malware. And I have some text I don't know how to parse. It looks like a pipeline but what comes after the pipe doesn't make sense to me and the interpreter I am modifying doesn't not handle. The relevant statement is shown below.
start-process($env:APPDATA+ '\mef.vbs')|I`E`XI get the start-process part. It's just the pipe I don't grok. `E might be an backtick for escape, but `X isn't in any documentation I have seen. Moreover, it doesn't look like a command to process the output from the "start-process". So, what is "|I`E`X"?
3 Answers
iex is an alias for Invoke-Expression. Here the two backticks don't make any difference, but just obfuscates the command a little. iex executes a string as an expression, even from pipe. Here Start-Process is a cmdlet that starts processes.
I`E`X is an acronym for the PowerShell command Invoke-Expression.
It's an alias and PowerShell has tons of them.
You can see them all by typing
# Get named aliases
Get-Alias |
Out-GridView -PassThru -Title 'Available aliases'Or a specific one...
Get-Alias -Name iex | Format-Table -AutoSize
# Results
<#
CommandType Name Version Source
----------- ---- ------- ------
Alias iex -> Invoke-Expression
#>
Get-Alias -Definition Invoke-Expression | Format-Table -AutoSize
# Results
<#
CommandType Name Version Source
----------- ---- ------- ------
Alias iex -> Invoke-Expression
#>Even properties and switches have aliases
# Get cmdlet / function parameter aliases
(Get-Command Get-ADUser).Parameters.Values |
where aliases |
select Name, Aliases |
Out-GridView -PassThru -Title '
Alias results for a given cmdlet or function.'
# Or get only populated parameter aliases
(Get-Command Get-ChildItem).Parameters.Values |
Select-Object -Property Name, @{ Name = 'Aliases' Expression = {$PSitem.Aliases}
} | Where-Object -Property Aliases -NE $nullAliases are great for interactive stuff at the consoles, even with the ISE/VSCode, as long as it is throw-away code. Aliases should never be used in scripts as a best practice.
• Best Practices for aliaes Best Practice for Using Aliases in PowerShell Scripts
Why worry about aliases in the first place? What is the big deal about using aliases anyway? If they make the code easier to type, what is the harm in using them in scripts? There are two things at work when it comes to a script. The first is that no alias is guaranteed to exist—even aliases that are created by Windows PowerShell.
FYI, when you see IEX/iex in code downloads, in most cases it is malware or some prank, as you have discovered.
Invoke-Expression
This command takes any string and executes it as if it was a PowerShell command.
While this is very powerful and sometimes plain necessary, it imposes all risks
of so-called “SQL injection” security issues.
Avoid Invoke-Expression wherever you can, and of course, the example above was somewhat constructed. There was no need for composing string commands, and you
could have submitted the user input directly to the appropriate command
parametersThere are extremely limited cases where IEX should be used, and you must understand the consequences of using it.
Invoke-Expression considered harmful
Always look out for its use as well as encoded commands. Enable full PowerShell logging and Transcripts to be alerted and catch this stuff hitting your environment. Have a proactive policy-based approach to dealing with its inevitability.
