Analyzing PowerShell Payloads - Part 1

This series is intended to provide introductory knowledge on extracting tactical information from common payloads used by adversaries and malware. Data obfuscation is something defenders routinely encounter when analyzing malicious activity. Its most common form is the use of PowerShell's built-in capabilities (Base64 encoding and compression) to hide important indicators of compromise (IoCs) such as command and control (C2) domains or IP addresses.

Defenders who possess the skills to extract the tactical data from obfuscated PowerShell payloads increase the speed and effectiveness of the incident response process by quickly gathering actionable intelligence.

In this first example, John will walk you through the extraction of the tactical information from a standard obfuscated PowerShell payload that would be generated through a common C2 framework such as Metasploit or Cobalt Strike.

--

CyberChef Recipe

Regular_expression('User defined','[0-9a-zA-Z+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Gunzip()
Regular_expression('User defined','[0-9a-zA-Z+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
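The five recipe steps above, automated in Python as an added example (this is not code from the video or from CyberChef): extract the longest Base64 run of 30+ characters, decode it, gunzip it, then repeat on the result and pull the C2 indicator out of the final stage. The three-layer payload it decodes is constructed inline, with a TEST-NET-3 address standing in for a real C2 IP.

```python
import base64
import gzip
import re

# Same character class and minimum length as the Regular_expression steps of the recipe.
B64_RUN = re.compile(r"[0-9a-zA-Z+/=]{30,}")
GZIP_MAGIC = b"\x1f\x8b"


def peel_layer(text):
    """One pass of the recipe: extract the longest Base64 run, From_Base64 it,
    Gunzip it if it is gzip data, and return the decoded text (None if no run)."""
    runs = B64_RUN.findall(text)
    if not runs:
        return None
    raw = base64.b64decode(max(runs, key=len))
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    # -EncodedCommand stages are UTF-16LE (interleaved NULs); inner stages are usually ASCII.
    return raw.decode("utf-16-le" if b"\x00" in raw else "utf-8", errors="replace")


def unwrap(payload, max_layers=5):
    """Repeat the recipe until no 30+ char Base64 run remains; return every stage."""
    stages = [payload]
    while len(stages) <= max_layers:
        nxt = peel_layer(stages[-1])
        if nxt is None:
            break
        stages.append(nxt)
    return stages


def extract_iocs(text):
    """Pull URLs and IPv4 addresses (the tactical data) out of a decoded stage."""
    urls = sorted(set(re.findall(r"https?://[^\s'\"<>]+", text)))
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)))
    return urls, ips


def build_sample():
    """Constructed three-stage payload mirroring the recipe's layers (not a real sample)."""
    inner = "$u = 'http://203.0.113.10:8080/news.php'"  # TEST-NET-3 address, constructed IoC
    b64_inner = base64.b64encode(inner.encode()).decode()
    middle = "$s = [Convert]::FromBase64String('%s')" % b64_inner
    b64_gz = base64.b64encode(gzip.compress(middle.encode())).decode()
    return "powershell -nop -w hidden -c [Convert]::FromBase64String('%s')" % b64_gz


if __name__ == "__main__":
    final = unwrap(build_sample())[-1]
    print(final)                 # decoded inner stage
    print(extract_iocs(final))   # URLs and IPs to hand to the IR team
```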

--

John Dwyer

--

Disclaimer: Samples shown in the video were pulled from open source intel locations and we don't recommend accessing the associated IPs or domains.
Comments

Great video. Looking forward to finishing up the series.
Note: The audio seems to be single channel though, something that hopefully can get fixed.

plenks

Is it possible to get the payload string?

kashifrana