Analyzing PowerShell Payloads Part 5

Example 5: PowerShell payload whose shellcode is stored as obfuscated hexadecimal data. The recipe below extracts the Base64-encoded command, decodes it, strips the null bytes left by its UTF-16LE encoding, pulls out the byte array (in which every "0x" prefix has been replaced with "<"), restores the prefixes and converts the hex to raw bytes.

CyberChef recipe

Regular_expression('User defined','[0-9a-zA-Z+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Regular_expression('User defined','[0-9a-z\\<\\,]{30,}',true,true,false,false,false,false,'List matches')
Find_/_Replace({'option':'Regex','string':'<'},'BxDx',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'BxD'},'0',true,false,true,false)
From_Hex('Auto')
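The same seven steps as a script, added here as an example that is not part of the video or of John Dwyer's recipe; it lets the decoding run outside the browser over many samples. The one-liner it decodes is constructed in the script from placeholder bytes: the build_obfuscated_one_liner helper is an assumption about the sample's shape (a [Byte[]] array with every "0x" swapped for "<", UTF-16LE encoded and Base64'd for -EncodedCommand), and the 48 placeholder bytes are not shellcode. Steps 5 and 6 of the recipe replace "<" with "BxDx" and then "BxD" with "0", which amounts to restoring each "0x" prefix; the script performs both replacements so it stays step for step with the recipe.

```python
import base64
import re

# Constructed placeholder for the shellcode: 48 bytes spanning high values and
# 0x00..0x0f, so the round trip is exercised on nulls and leading-zero values.
# This is NOT a real payload and does nothing if executed.
SAMPLE_SHELLCODE = bytes(range(0xE0, 0x100)) + bytes(range(0x00, 0x10))


def build_obfuscated_one_liner(shellcode: bytes) -> str:
    """Constructed sample in the shape the recipe expects (an assumption about
    the real sample): a byte array whose every '0x' prefix is replaced by '<',
    wrapped in a script that is UTF-16LE encoded and Base64'd for
    powershell.exe -EncodedCommand."""
    hex_array = ",".join(f"0x{b:02x}" for b in shellcode)
    script = "[Byte[]]$buf = " + hex_array.replace("0x", "<") + ";"
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -e {encoded}"


# Step 1 of the recipe: Base64-looking runs of 30 or more characters.
B64_RUN = re.compile(r"[0-9a-zA-Z+/=]{30,}")
# Step 4: runs of hex digits, '<' and ',' (case-insensitive, as in the recipe).
OBFUSCATED_HEX_RUN = re.compile(r"[0-9a-z<,]{30,}", re.IGNORECASE)


def recover_shellcode(one_liner: str) -> bytes:
    """Apply the recipe's seven operations in order and return the raw bytes."""
    # 1. Regular_expression ... 'List matches'. The recipe assumes the encoded
    #    command is the only long Base64 run; taking the longest match keeps
    #    this working when a shorter run (e.g. a hostname) also matches.
    blob = max(B64_RUN.findall(one_liner), key=len)
    # 2. From_Base64 with "remove non-alphabet chars" enabled.
    decoded = base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", blob))
    # 3. Remove_null_bytes: the encoded command is UTF-16LE, so an ASCII script
    #    decodes to text with a 0x00 after every character.
    script = decoded.replace(b"\x00", b"").decode("latin-1")
    # 4. Regular_expression: pull out the obfuscated byte array (must be at
    #    least 30 characters long, matching the recipe's {30,} quantifier).
    obfuscated = max(OBFUSCATED_HEX_RUN.findall(script), key=len)
    # 5+6. Find_/_Replace '<' -> 'BxDx', then 'BxD' -> '0': net effect '<' -> '0x'.
    restored = obfuscated.replace("<", "BxDx").replace("BxD", "0")
    # 7. From_Hex('Auto'): strip '0x' prefixes and any non-hex delimiter, then
    #    parse the remaining digit pairs.
    return bytes.fromhex(re.sub(r"0x|[^0-9a-fA-F]", "", restored))


if __name__ == "__main__":
    sample = build_obfuscated_one_liner(SAMPLE_SHELLCODE)
    print(sample[:80] + "...")
    recovered = recover_shellcode(sample)
    print(recovered.hex(" "))
    assert recovered == SAMPLE_SHELLCODE
```

Run as-is it prints the constructed one-liner and the recovered bytes; point recover_shellcode at a real command line (or at the contents of a -EncodedCommand argument) to reuse it. Because step 4 keeps only hex digits, "<" and ",", a sample that uses a different substitute for "0x" needs that character added to the class and to the replacement in steps 5 and 6.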

--

John Dwyer
--

Disclaimer: Samples shown in the video were pulled from open source intel locations and we don't recommend accessing the associated IPs or domains.