Analyzing obfuscated powershell with shellcode

Recently, a PowerShell script came across my lab and I thought it might be worthwhile showing others how to handle this type of payload. Many PowerShell frameworks exist that allow pen-testers and attackers alike to build payloads with ease. The two I see most often are:

- Cobalt Strike
- PowerShell Empire

The Script

So let's just dive right in. What does a PowerShell payload look like?

[Figure 1: Original PowerShell script]

When starting any malware analysis, I tend to look for low hanging fruit. In this case, I see a few things that interest me:

- "[Byte[]]$mK = [System.Convert]::FromBase64String" followed by a Base64 encoded text.
- "kernel32.dll VirtualAlloc" followed by: "$mK.Length,0x3000, 0x40"
- "kernel32.dll CreateThread"
- "kernel32.dll WaitForSingleObject"

What's happening here is that the Base64 encoded payload is being decoded and converted into a byt
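The four indicators listed above (a Base64 blob assigned to a [Byte[]] variable, VirtualAlloc called with 0x3000 and 0x40, then CreateThread and WaitForSingleObject) are enough to triage a script like this statically, without ever running it. The following is an added example, not code from the original post: a small Python triage script that pulls the blob out of a constructed sample script, decodes and fingerprints it, and reports whether the allocate-RWX-then-start-thread combination is present. The sample script and the decoded bytes are constructed stand-ins (a few filler bytes, not real shellcode); the variable name $mK and the "kernel32.dll <API>" strings follow the post. 0x3000 is MEM_COMMIT | MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE.

```python
"""Static triage of a PowerShell shellcode loader.

Pulls the Base64 blob out of the script, fingerprints the decoded bytes, and
flags the kernel32 API / allocation-flag combination described in the post.
Nothing here executes the script or the decoded bytes.
"""
import base64
import hashlib
import json
import re

# Constructed stand-in for the decoded payload (NOT real shellcode): a few
# filler bytes so the extraction path has something to decode and hash.
CONSTRUCTED_PAYLOAD = b"\x90\x90\xcc" + b"\x00" * 13
CONSTRUCTED_BLOB = base64.b64encode(CONSTRUCTED_PAYLOAD).decode()

# Constructed sample script mirroring the structure the post points at
# (Base64 -> [Byte[]], VirtualAlloc with 0x3000/0x40, CreateThread,
# WaitForSingleObject). Parts not needed for triage are replaced with '...'.
SAMPLE_SCRIPT = f'''
[Byte[]]$mK = [System.Convert]::FromBase64String("{CONSTRUCTED_BLOB}")
$VA = ... "kernel32.dll VirtualAlloc" ...
$addr = $VA.Invoke(0, $mK.Length, 0x3000, 0x40)
$CT = ... "kernel32.dll CreateThread" ...
$WF = ... "kernel32.dll WaitForSingleObject" ...
'''

# Assignment of a FromBase64String() result to a [Byte[]] variable.
BLOB_RE = re.compile(
    r'\[Byte\[\]\]\s*\$(\w+)\s*=\s*\[System\.Convert\]::FromBase64String\('
    r'\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)',
    re.IGNORECASE,
)
# "kernel32.dll <API>" strings used to resolve the three APIs the post names.
API_RE = re.compile(
    r'kernel32\.dll\s+(VirtualAlloc|CreateThread|WaitForSingleObject)',
    re.IGNORECASE,
)
# VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): the last two
# arguments are the constants the post highlights.
VA_FLAGS_RE = re.compile(r'0x3000\s*,\s*0x40', re.IGNORECASE)

MEM_COMMIT_RESERVE = 0x3000        # MEM_COMMIT | MEM_RESERVE
PAGE_EXECUTE_READWRITE = 0x40      # RWX page: writable and executable


def extract_blobs(script):
    """Return [(variable_name, decoded_bytes)] for every [Byte[]] Base64 assignment."""
    out = []
    for var, b64 in BLOB_RE.findall(script):
        try:
            out.append((var, base64.b64decode(b64, validate=True)))
        except ValueError:
            continue  # malformed blob: skip it rather than guess at its content
    return out


def api_indicators(script):
    """Which of the three kernel32 APIs from the post are named in the script."""
    found = {m.lower() for m in API_RE.findall(script)}
    return {name: name.lower() in found
            for name in ("VirtualAlloc", "CreateThread", "WaitForSingleObject")}


def triage(script):
    """Build a triage report: decoded blob fingerprints plus the loader verdict."""
    apis = api_indicators(script)
    blobs = extract_blobs(script)
    rwx_alloc = bool(VA_FLAGS_RE.search(script))
    report = {
        "apis": apis,
        "rwx_alloc": rwx_alloc,
        "blobs": [
            {"var": var, "size": len(data),
             "sha256": hashlib.sha256(data).hexdigest(),
             "head": data[:4].hex()}
            for var, data in blobs
        ],
    }
    # Verdict: a decoded byte array + RWX allocation + a new thread is the
    # in-memory shellcode loader pattern the post walks through.
    report["shellcode_loader"] = (
        bool(blobs) and rwx_alloc and apis["VirtualAlloc"] and apis["CreateThread"]
    )
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SCRIPT), indent=2))
```

The report's sha256 and first bytes are what you would hand to the next stage (disassembler, emulator, or a hash lookup); the script deliberately stops at decoding. The regexes are tuned to the exact strings the post calls out, so a sample that builds "VirtualAlloc" from string concatenation or uses a different decode routine will not trip them, which is precisely why the post treats these as low hanging fruit rather than a detection rule.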