Incident Response Training, Decoding PowerShell - Day 18

In this full series we will talk about Incident Response, and it will be a free training course for everyone. Today is Day 18, and we are going to explore the easiest way to read, understand, analyze and decode malicious PowerShell scripts through practical demonstration. Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as "fileless malware", they can leave behind forensic artifacts for examiners to find. In this episode, learn how to locate and identify the activity of these malicious PowerShell scripts. Once located, these scripts may contain several layers of obfuscation that need to be decoded. I will walk through how to decode them, as well as some light malware analysis of any embedded shellcode. I will also demonstrate how to use some freely available tools to automate the process once you have discovered the MO of the attacker in your case.
First we will go through the theoretical part that any incident responder needs to understand about PowerShell: why it is used and some of its basic conventions. Afterwards we will show 3 samples of heavily obfuscated PowerShell and how we can decode them to identify the basics and thus take the required actions.

🔗LINKs for your requirements-
-------------------------------------------------------------------------------------------------------------------------

WATCH BELOW Playlists as well, if you want to make your career in DFIR and Security Operations!!
-------------------------------------------------------------------------------------------------------------------------


Timelines
-------------------------------------------------------------------------------------------------------------------------
0:00 ⏩ Introduction
1:18 ⏩ Why PowerShell
5:03 ⏩ PowerShell LoL example
8:00 ⏩ How to find it from Logs
18:14 ⏩ Sample1 Analysis
23:21 ⏩ Sample2 Analysis
33:28 ⏩ Sample3 Analysis
38:51 ⏩ Summarize

📞📲
FOLLOW ME EVERYWHERE-
-------------------------------------------------------------------------------------------------------------------------
✔ Twitter: @blackperl_dfir

SUPPORT BLACKPERL
-------------------------------------------------------------------------------------------------------------------------
╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗
║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣
╠╗║╚╝║║╠╗║╚╣║║║║║═╣
╚═╩══╩═╩═╩═╩╝╚╩═╩═╝
➡️ SUBSCRIBE, Share, Like, Comment

-------------------------------------------------------------------------------------------------------------------------
🙏 Thanks for watching!! Be CyberAware!! 🤞
Comments
Author

You are a great teacher. The way you explain the topics is clear and understandable. Hoping you can come up with more videos of this type.

KA-NV
Author

You rock! Thanks for putting this series together...

conanbradley
Author

Love this Incident Response Training series. Thanks for these videos.

anurodhacharya
Author

To the point !! Thanks a Ton for doing this. I have learnt many new things :)

abhinavsheel
Author

This is excellent. Thanks for making the series

josephford
Author

Thank you for the video, the video is very great. I have a question. My question is how can I download the sample code?

servermadum
Author

I loved your way of explanation. I didn't miss any lectures on your channel. Please share the samples with me.

saichandtadepalli
Author

Thanks for the content. My query is how can we find whether it is encoded with Base64 or another algorithm.

varunsankar
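The decoding walkthrough in the description and the question above about telling Base64 from other encodings come down to the same checks a responder applies to a suspicious command line. The following is an added example, not code from the video or from the BlackPerl channel: a small Python decoder that finds Base64 blobs in a PowerShell command line or script body, tests whether they are really Base64, works out which encoding sits underneath (UTF-16LE as used by -EncodedCommand, UTF-8, or a gzip/deflate wrapper of the kind scripts unpack with IO.Compression), and peels nested layers until only plain script or opaque bytes remain. The command line and script it parses are constructed here from a harmless Write-Host payload; the flag regex, the UTF-16LE heuristic and the compression fallback are this example's assumptions about what such samples look like, not details taken from the video's three samples.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed samples (not from the video): a harmless payload wrapped the way
# launchers wrap theirs, so the decoder can be exercised offline.
INNER = "Write-Host 'hello from layer 2'"
LAYER2 = base64.b64encode(INNER.encode("utf-16-le")).decode()
OUTER_SCRIPT = "powershell -nop -w hidden -enc " + LAYER2
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -EncodedCommand "
                  + base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode())
GZ_BLOB = base64.b64encode(gzip.compress(INNER.encode())).decode()
GZIP_SCRIPT = ("IEX ([IO.StreamReader]::new([IO.Compression.GzipStream]::new("
               "[IO.MemoryStream]::new([Convert]::FromBase64String('" + GZ_BLOB + "')),"
               "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the usual ones.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
# Any long run of Base64 alphabet, e.g. the argument of [Convert]::FromBase64String('...').
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_base64(token):
    """Structural test only: Base64 alphabet and a length that is a multiple of 4.
    Ordinary identifiers can pass this, so it is a filter, not a verdict."""
    return len(token) >= 16 and len(token) % 4 == 0 and B64_TOKEN_RE.fullmatch(token) is not None


def is_printable_text(s):
    return bool(s) and all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_bytes(raw):
    """Text detection on decoded bytes. -EncodedCommand payloads are UTF-16LE, which for
    ASCII script shows up as a 0x00 in every odd byte; otherwise try UTF-8."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        if is_printable_text(text):
            return ("utf-16le", text)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return ("utf-8", text) if is_printable_text(text) else None


def decode_layer(token):
    """(kind, text) for one Base64 token: plain text, gzip/deflate-wrapped text, or
    ('binary', hex) when the bytes are not text, e.g. embedded shellcode or a PE.
    None means the token was not valid Base64 at all."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    hit = decode_bytes(raw)
    if hit:
        return hit
    for kind, opener in (("gzip", gzip.decompress), ("deflate", lambda b: zlib.decompress(b, -15))):
        try:
            inner = opener(raw)
        except (OSError, EOFError, zlib.error):
            continue
        hit = decode_bytes(inner)
        if hit:
            return (kind + "+" + hit[0], hit[1])
    return ("binary", raw.hex())


def find_blobs(text):
    """Candidate blobs: -EncodedCommand arguments first, then other Base64-looking tokens,
    longest first so the payload is tried before short identifiers that merely look like Base64."""
    blobs = [m.group(1) for m in ENC_FLAG_RE.finditer(text)]
    others = [t for t in B64_TOKEN_RE.findall(text) if t not in blobs and looks_like_base64(t)]
    return blobs + sorted(set(others), key=len, reverse=True)


def peel(text, max_depth=10):
    """Decode nested layers until no Base64 remains; returns the layers in order."""
    layers, current = [], text
    for _ in range(max_depth):
        text_hit, binary_hit = None, None
        for blob in find_blobs(current):
            hit = decode_layer(blob)
            if hit is None:
                continue
            if hit[0] != "binary":
                text_hit = hit
                break
            binary_hit = binary_hit or hit
        if text_hit:
            layers.append(text_hit)
            current = text_hit[1]
            continue
        if binary_hit:
            layers.append(binary_hit)  # opaque bytes: hand to malware analysis, nothing more to peel
        break
    return layers


if __name__ == "__main__":
    for label, sample in (("cmdline", SAMPLE_CMDLINE), ("gzip script", GZIP_SCRIPT)):
        print(label)
        for depth, (kind, body) in enumerate(peel(sample), 1):
            print(f"  layer {depth} [{kind}]: {body[:70]}")
```

The order of the checks is the point: a valid Base64 alphabet tells you almost nothing, the 0x00-every-other-byte pattern is what identifies a -EncodedCommand payload, and a blob that decodes to neither text nor a compressed stream is the place to stop decoding and start the shellcode analysis the episode mentions.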
Author

As feedback: It would be better if you would provide samples to us to get hands-on experience. 🤞🤞

yashgoldsmith
Author

Can you please show how you get the decimal values from the sample loaded at the end in Ghidra?

sagibersodsky
Author

Thanks a lot man. This is what I was looking for. Could you please share these samples?

subhampareek