Decoding Malicious PowerShell Activity - A Case Study has been a widely shared and well-received deep dive into PowerShell obfuscation. This blog provided a foundational look into how attackers manipulate PowerShell scripts to evade detection, making it a great starting point for those new to the topic.
In this second installment, we take a closer look at advanced PowerShell obfuscation techniques. Attackers have evolved far beyond basic string manipulation and compression. They now employ:
- Weaponizing Operators: `-join`, `-split`, `-f`
- Whitespace Tricks: Leveraging invisible characters to bypass detection
- Special Characters: Drowning scripts in encoded and deceptive symbols
- Deceptive Execution: Obfuscating `iex` (Invoke-Expression) in creative ways
- Script Block Logging Evasion: Manipulating PowerShell’s logging features
- Multi-Layered Obfuscation: Heavily obfuscated VBS payloads leading to PowerShell execution
By popular demand, this repository contains a collection of practice scripts to help you analyze and deobfuscate malicious PowerShell code. These scripts simulate real-world attack patterns, giving you a chance to hone your threat-hunting and incident response skills.
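As an added example (not one of the repository's practice scripts), the triage helper below scores script lines for the indicator families listed above: the `-f` format operator with numbered placeholders, `-join`/`-split` with `[char]` casts, backticks inserted inside identifiers, string-fragment concatenation, and invisible Unicode characters. The sample lines, regexes, weights and threshold are all constructed for this illustration and should be tuned against your own baseline before use in detection.

```python
import re
import unicodedata

# Heuristic patterns for each indicator family (constructed for this example).
INDICATORS = {
    # '{1}{0}' ... -f 'b','a'  : format operator reassembling a string
    "format_operator": re.compile(r"\{\d+\}[^\n]*?-f\b", re.IGNORECASE),
    # -join / -split used to rebuild strings from fragments or char codes
    "join_split": re.compile(r"-(join|split)\b", re.IGNORECASE),
    # [char] casts turning integers back into text
    "char_cast": re.compile(r"\[char\]", re.IGNORECASE),
    # backtick placed between letters of a single token (Wr`ite-Out`put)
    "backtick_in_word": re.compile(r"[A-Za-z]`(?=[A-Za-z])"),
    # 'frag' + 'ment' style concatenation of quoted pieces
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),
}
# Per-hit weights; invisible characters are counted separately below.
WEIGHTS = {"format_operator": 3, "join_split": 1, "char_cast": 2,
           "backtick_in_word": 3, "string_concat": 1, "invisible_char": 2}

def invisible_chars(line: str) -> int:
    """Count zero-width/format characters (Unicode category Cf) and non-ASCII whitespace."""
    return sum(1 for ch in line
               if unicodedata.category(ch) == "Cf"
               or (ch.isspace() and ord(ch) > 0x7F))

def score_line(line: str) -> dict:
    """Return per-indicator hit counts plus a weighted 'score' for one script line."""
    hits = {name: len(rx.findall(line)) for name, rx in INDICATORS.items()}
    hits["invisible_char"] = invisible_chars(line)
    hits["score"] = sum(WEIGHTS[k] * v for k, v in hits.items())
    return hits

def flag_suspicious(lines, threshold: int = 3):
    """Return (line, hits) for every line whose score reaches the threshold."""
    return [(ln, h) for ln in lines if (h := score_line(ln))["score"] >= threshold]

# Constructed sample lines: two benign-looking, four mimicking the technique families.
SAMPLES = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "('Get'+'-Da'+'te')",
    "$x = ('{1}{0}' -f 'ess','Get-Proc'); & $x",
    "-join ('71,101,116' -split ',' | ForEach-Object {[char][int]$_})",
    "Wr`ite-Out`put 'hello'",
    "Write-Output 'ok'\u200b\u200b\u200b",
]

if __name__ == "__main__":
    for line, hits in flag_suspicious(SAMPLES):
        print(f"score={hits['score']:2d}  {line!r}")
```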