A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science - Lee Holmes & Daniel Bohannon Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
Lee Holmes & Daniel Bohannon
Derbycon 2017

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad? A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches. Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend. Approaches for evading these detection techniques will be discussed and demonstrated. Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.

Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team. Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks

Lee - @Lee_Holmes, Daniel - @danielhbohannon

Back to Derbycon 2017 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast