Script Deobfuscation API
Overview
Deobfuscates obfuscated PowerShell scripts. Returning a readable version of a script increases an analyst's efficiency when analyzing malicious PowerShell.
Use Cases
- Automated PowerShell deobfuscation is not generally available in the industry.
- Deobfuscating PowerShell lets analysts understand attacker activity better and faster than manual deobfuscation allows.
- This API lets customers automatically extract information that was previously difficult to recover from a PowerShell script, and returns a deobfuscated, more human-readable version of it.
Note: This was initially released under the internal name Reveal and updated shortly after to Script Deobfuscation API.
Requirements
- Any Carbon Black Cloud product
Resources
- Carbon Black Postman Workspace
- Carbon Black Cloud Python SDK support for Script Deobfuscation API coming soon
- Carbon Black Cloud User Guide
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.
Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; all APIs and services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP headers.
Environment
Available on the majority of environments; use the Carbon Black Cloud Console URL, as described here.
API Route
Replace {cbc-hostname} with the Console URL of your environment (for example https://defense.conferdeploy.net, as in the example below) and {org_key} with the org_key of your specific org.
- {cbc-hostname}/tau/v2/orgs/{org_key}/reveal
Access Level
Before you create your API Key, create a "Custom" Access Level that includes the following category:
- Deobfuscation > Script Deobfuscation (previously Reveal) API > script.deobfuscation, with the EXECUTE permission allowed
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth Access Control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).
Environment
Available on Prod UK and AWS GovCloud (US). The full list of environments is available here; use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.
API Route
Replace {cbc-hostname} with the Console URL of your environment and {org_key} with the org_key of your specific org.
- {cbc-hostname}/tau/v2/orgs/{org_key}/reveal
Access Level
Before you create your OAuth App, create a custom Role with the following permission under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
- _API.Deobfuscation:script.deobfuscation, with the EXECUTE permission allowed
API Authentication
The Cloud Services Platform supports several authentication options, Access Token, API Token, and for backward compatibility, X-Auth-Token. To learn about the differences or how to use the authentication methods see the Authentication Guide.
API Calls
Deobfuscate script
Submits an obfuscated PowerShell script (or a full powershell.exe command line, as in the example below) and returns a deobfuscated version together with the keywords and strings found in it.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | script.deobfuscation | EXECUTE | Majority of environments |
VMware Cloud Services Platform | _API.Deobfuscation:script.deobfuscation.execute | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/tau/v2/orgs/{org_key}/reveal
Request Body - application/json
{
"input": "<string>"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
input (REQUIRED) | Obfuscated script content | String | |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Script deobfuscated | application/json | Example Response Below |
400 | Bad request | application/json | |
404 | Not found | application/json | |
Examples
Request
POST https://defense.conferdeploy.net/tau/v2/orgs/ABCD1234/reveal
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
"input": "\"powershell.exe\" -noninteractive -encodedcommand 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"
}
Response Body
{
"original_code": "[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n",
"deobfuscated_code": "[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n",
"identities": [
"InputEncoding",
"Invoke-AtomicTest",
"New-Object",
"T1197",
"Text.UTF8Encoding"
],
"strings": [],
"obfuscation_level": 0.029678002879441317
}
Fields
Script Deobfuscation Response
Field | Definition | Data Type | Values |
---|---|---|---|
deobfuscated_code | Deobfuscated script | String | |
identities | Keywords identified in the deobfuscated script. Keys are high-level descriptions of the contained strings and change over time. | Array | |
obfuscation_level | Level of obfuscation identified: a score from an ML model, a floating-point number from 0.0 to 1.0, where 1.0 means definitely obfuscated according to the model. | Float | |
original_code | Obfuscated input provided in the request | String | |
strings | Strings identified in the script: function names, method names, and string values. | Array | |
Note that in the example above the input was an -encodedcommand invocation and original_code holds the decoded script rather than the raw command line; deobfuscated_code is identical to it because the script was not obfuscated, which the low obfuscation_level (about 0.03) also reflects.
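The request and response documented above, driven end to end from Python. This is an added example, not code from this page or from the Carbon Black Cloud SDK. Three things in it are assumptions rather than statements on the page: the X-Auth-Token value is assembled as "<API Secret Key>/<API ID>" (the shape the example header shows), the 0.5 cut-off used by `likely_obfuscated` for triage, and the local decoding of a PowerShell `-encodedcommand` argument as a sanity check before spending an API call. The sample response is constructed from the page's own example (trimmed) so the flow runs offline; pass no `post` argument to hit the real endpoint.

```python
"""Client helpers for the Script Deobfuscation API (POST .../tau/v2/orgs/{org_key}/reveal).

Added example, not the page's or the SDK's code. Assumptions are marked in comments.
"""
import base64
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REVEAL_PATH = "/tau/v2/orgs/{org_key}/reveal"

# PowerShell accepts -EncodedCommand and the abbreviations -e, -ec and -enc (case-insensitive);
# the argument is base64 of the UTF-16LE script text. Longest alternative first so "-e" does
# not swallow the prefix of "-encodedcommand"; "-executionpolicy" fails on the \s+ and is skipped.
_ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build the base64 argument PowerShell expects for -EncodedCommand (UTF-16LE, no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Local pre-check: return the script carried by -EncodedCommand, or None if there is
    none or the payload is not valid base64/UTF-16LE."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def build_request(console_url: str, org_key: str, api_id: str, api_secret: str,
                  script: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Assemble URL, headers and JSON body. console_url is the Console URL
    (e.g. https://defense.conferdeploy.net); org_key is the org's key."""
    url = console_url.rstrip("/") + REVEAL_PATH.format(org_key=org_key)
    headers = {
        "X-Auth-Token": f"{api_secret}/{api_id}",  # assumed layout: secret key, slash, API ID
        "Content-Type": "application/json",
    }
    return url, headers, {"input": script}


@dataclass
class RevealResult:
    original_code: str
    deobfuscated_code: str
    identities: List[str]
    strings: List[str]
    obfuscation_level: float

    @property
    def likely_obfuscated(self) -> bool:
        return self.obfuscation_level >= 0.5  # assumed triage cut-off; page only gives 0.0..1.0

    @property
    def changed(self) -> bool:
        """True when the service returned something other than the code it started from."""
        return self.deobfuscated_code != self.original_code


def parse_response(payload: Dict) -> RevealResult:
    """Validate a 200 body against the documented fields; reject missing or out-of-range values."""
    try:
        level = float(payload["obfuscation_level"])
        result = RevealResult(str(payload["original_code"]), str(payload["deobfuscated_code"]),
                              list(payload.get("identities", [])), list(payload.get("strings", [])), level)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed reveal response: {exc}") from exc
    if not 0.0 <= level <= 1.0:
        raise ValueError(f"obfuscation_level out of range: {level}")
    return result


def _urllib_post(url: str, headers: Dict[str, str], body: Dict) -> Dict:
    """Default transport. 400/404 surface as RuntimeError carrying the status and body."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"reveal returned HTTP {err.code}: {err.read().decode(errors='replace')}") from err


def deobfuscate(console_url: str, org_key: str, api_id: str, api_secret: str, script: str,
                post: Callable[[str, Dict[str, str], Dict], Dict] = _urllib_post) -> RevealResult:
    """Submit a script or full powershell.exe command line and return the parsed result."""
    url, headers, body = build_request(console_url, org_key, api_id, api_secret, script)
    return parse_response(post(url, headers, body))


# Constructed sample: the page's example response, trimmed, so the flow can be exercised offline.
SAMPLE_RESPONSE = {
    "original_code": "Invoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\"\n",
    "deobfuscated_code": "Invoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\"\n",
    "identities": ["InputEncoding", "Invoke-AtomicTest", "New-Object", "T1197", "Text.UTF8Encoding"],
    "strings": [],
    "obfuscation_level": 0.029678002879441317,
}

if __name__ == "__main__":
    cmd = '"powershell.exe" -noninteractive -encodedcommand ' + encode_command("Invoke-AtomicTest T1197")
    print("local decode:", decode_encoded_command(cmd))
    r = deobfuscate("https://defense.conferdeploy.net", "ABCD1234", "ABCD123456",
                    "ABCDEFGHIJKLMNO123456789", cmd, post=lambda u, h, b: dict(SAMPLE_RESPONSE))
    print(r.obfuscation_level, r.likely_obfuscated, r.changed, r.identities)
```

The transport is injected so the parsing and validation can be exercised without credentials; the default `_urllib_post` turns the documented 400 and 404 responses into exceptions instead of letting an error body reach `parse_response`. The local `-encodedcommand` decode only handles the one-layer base64/UTF-16LE wrapper; anything beyond that (string concatenation, format operators, compression) is what the API itself is for.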
Last modified on October 30, 2023