unsapien is a Python script developed in order to extract scripts, files and configuration from executables created by SAPIEN Script Packager available in products such as:
Script has been initially created in order to quickly extract and triage PowerShell scripts from a large number of (potentially malicious) executables found on VirusTotal.
This script needs Python 2.7.x and has been tested on macOS High Sierra and Ubuntu 17.10. Following additional Python modules are needed:
- hexdump
- pefile
- construct (>=2.9)
- pbkdf2
- pycrypto
usage: unsapien.py [-h] [-v] [-d directory] file
Extracts embedded scripts, files and configuration from binaries generated by
SAPIEN Script Packager (available e.g. in PowerShell Studio or PrimalScript)
positional arguments:
file Input file
optional arguments:
-h, --help show this help message and exit
-v, --verbose Enable verbose output
-d directory, --dump directory
Dump files to specified directory
Script is based solely on data obtained from analysis performed on limited number of executables found on VirusTotal and may not work with all versions of SAPIEN Script Packager.
ExeToPosh is a tool written by @RemkoWeijnen and capable of extracting scripts packaged by some versions of SAPIEN PowerShell Studio.
Blog post by @mattifestation showing how to dynamically extract script content from binaries generated by SAPIEN PrimalScript.