Summary
Keywords
Full Transcript
In this full series we will talk about Incident Response and it will be a Free Training Course for everyone. Today is Day-18 and we are going to explore the easiest way to read, understand, analyze, decode malicious PowerShell scripts through practical demonstration. Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as “fileless malware”, they can leave behind forensic artifacts for examiners to find. In this episode, learn how to locate and identify activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contain several layers of obfuscation that need to be decoded. I will walk through how to decode them, as well as some light malware analysis on any embedded shellcode. I will also demonstrate how to use some freely available tools to easily automate the process once you have discovered the MO of the attacker in your case. First we will go through some theatrical part which any incident responder need to understand about PowerShell, why they are used and some of the basic conventions, afterwards we will show 3 samples of heavily obfuscated PowerShell and how can we decode them to identify the basics and thus take required actions. 🔗LINKs for your requirements- ------------------------------------------------------------------------------------------------------------------------- 1. Custom Decoding Tools - https://github.com/archanchoudhury/DFIR-Tools/blob/main/Malware%20Analysis/Decode-Tools.7z 2. scdbg tool- http://sandsprite.com/blogs/index.php?uid=7&pid=152 WATCH BELOW Playlists as well, if you want to make your career in DFIR and Security Operations!! ------------------------------------------------------------------------------------------------------------------------- INCIDENT RESPONSE TRAINING Full Course 👉https://youtube.com/playlist?list=PLjWEV7pmvSa4yvhzNsCjOJovOn1LLyBXB DFIR Free Tools and Techniques 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa6f-NTpXsaUYWZLjLAB_0TS Windows and Memory Forensics 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa50erciZUSnzvE7nK0FyvsH Malware Analysis 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa6u32RongesgDtkfKBfrFWW SIEM Tutorial 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa7cXTkCppnYHERUdy8Dd71x Threat Hunt & Threat Intelligence 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa5UTZlsWp5wRnURNbeMS-fu ⌚ Timelines ------------------------------------------------------------------------------------------------------------------------- 0:00 ⏩ Introduction 1:18 ⏩ Why Powershell 5:03 ⏩ PowerShell LoL example 8:00 ⏩ How to find it from Logs 18:14 ⏩ Sample1 Analysis 23:21 ⏩ Sample2 Analysis 33:28 ⏩ Sample3 Analysis 38:51 ⏩ Summarize 📞📲 FOLLOW ME EVERYWHERE- ------------------------------------------------------------------------------------------------------------------------- ✔ LinkedIn: https://www.linkedin.com/company/blackperl ✔ You can reach out to me personally in LinkedIn as well- https://bit.ly/38ze4L5 ✔ Twitter: @blackperl_dfir ✔ Git: https://github.com/archanchoudhury ✔ Insta: (blackperl_dfir)https://www.instagram.com/blackperl_dfir/ ✔ Can be reached via [email protected] SUPPORT BLACKPERL ------------------------------------------------------------------------------------------------------------------------- ╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗ ║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣ ╠╗║╚╝║║╠╗║╚╣║║║║║═╣ ╚═╩══╩═╩═╩═╩╝╚╩═╩═╝ ➡️ SUBSCRIBE, Share, Like, Comment ☕ Buy me a Coffee 👉 https://www.buymeacoffee.com/BlackPerl 📧 Sponsorship Inquiries: [email protected] ------------------------------------------------------------------------------------------------------------------------- 🙏 Thanks for watching!! Be CyberAware!! 🤞
