Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as "fileless malware", they can leave behind forensic artifacts for examiners to find. In this presentation, learn how to locate and identify activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contain several layers of obfuscation that need to be decoded. I will walk through how to decode them, as well as some light malware analysis of any embedded shellcode. I will also demonstrate how to use an open-source Python script to automate the process once you have discovered the MO of the attacker in your case.
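As an added illustration of the layer-peeling the abstract describes (this is example code written for this page, not the presenter's open-source script), the decoder below strips the two layers most often found in PowerShell artifacts: an `-EncodedCommand` argument (Base64 over UTF-16LE) wrapping a gzip-compressed, Base64-encoded stager. The `build_sample` fixture is constructed here only so the decoder has realistic input to run on offline.

```python
"""Peel common obfuscation layers off a recovered PowerShell command line."""
import base64
import gzip
import re
import zlib

# -EncodedCommand and its short forms (-e, -ec, -enc ...) followed by Base64 text
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# [Convert]::FromBase64String('...') literal, as used by gzip/deflate-wrapped stagers
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def decode_layer(text):
    """Decode one obfuscation layer; return (layer_name, inner_text) or None."""
    m = ENC_FLAG.search(text)
    if m:
        # -EncodedCommand is Base64 over UTF-16LE, not UTF-8
        return "encodedcommand", base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    m = B64_LITERAL.search(text)
    if m:
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":                        # gzip magic bytes
            return "gzip", gzip.decompress(raw).decode("utf-8", "replace")
        if "deflatestream" in text.lower():               # raw DEFLATE, no header
            return "deflate", zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", "replace")
        return "base64", raw.decode("utf-8", "replace")
    return None


def peel(text, max_layers=10):
    """Strip layers until none is recognised; return (layer names, innermost text)."""
    layers = []
    for _ in range(max_layers):
        step = decode_layer(text)
        if step is None:
            break
        name, text = step
        layers.append(name)
    return layers, text


def build_sample(inner):
    """Constructed test fixture: wrap `inner` in gzip+Base64, then in -EncodedCommand."""
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    stager = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))),"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % gz_b64)
    enc = base64.b64encode(stager.encode("utf-16-le")).decode()
    return "powershell.exe -NoP -W Hidden -EncodedCommand " + enc


if __name__ == "__main__":
    print(peel(build_sample("Write-Host 'innermost payload'")))
```

Real samples often add string concatenation, format operators or reversed strings between these layers; those are the points at which a case-specific decoder, like the one the presentation automates, has to be extended.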
For additional Kroll presentations from the 2018 DFIR Summit & Training, please see the following:
- Case Study: ModPOS vs. RawPOS – A Nerd's-Eye View of Two Malware Frameworks
- A Planned Methodology for Forensically Sound Incident Response in Microsoft’s Office 365 Cloud Environment
The annual SANS Digital Forensics & Incident Response (DFIR) Summit is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place.
- Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit.
- Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses and learn how to better protect your organization.
- DFIR NetWars: The Coin Slayer! Earn DFIR course coins by correctly answering all questions from all levels of the six DFIR domains. Leave Austin with a motherlode of coinage!
Join Mari DeGrazia for the session "Finding and Decoding Malicious Powershell Scripts" on Friday, June 8, 2018 at 11:45 a.m. (EST).