Invoke-Obfuscation: PowerShell obFUsk8tion Techniques

Presented at BruCON 0x08 (2016), Oct. 28, 2016, 5 p.m. (60 minutes)

The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs. We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.

Presenters:

• Daniel Bohannon / DBO   as Daniel Bohannon

Links:

• https://brucon0x082016.sched.com/event/8Y7s/invoke-obfuscation-powershell-obfusk8tion-techniques

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’
• RVAsec 2017 / Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join '')
• Black Hat USA 2017 / Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science