Category Archives: PowerShell

Those Pesky Powershell Shellcode’s And How To Understand Them

Shellcode comes in various forms for different operating systems. Some can just be dropped into a hex editor and get the needed understanding what it is doing , some may require looking at the generated assembly code generated by a … Continue reading

Posted in Malware, Networking, PowerShell | Tagged , , | Leave a comment

A look at a bmp file with embedded shellcode

The sample today is from PaulM @melsonp While watching his BSIDES Augusta talk from 2018  Here,  at that the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me … Continue reading

Posted in Malware, PowerShell, security | Tagged , , | Leave a comment

Understanding Invoke- “X” Special Character Encoding

I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , | Leave a comment

A look at a Word document macro using Invoke-DOSfuscation

The sample from this one comes from  Packet Wire @packet_Wire. Twitter thread here  After getting the location of the Word document and downloading it. The file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of. Sha1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AFSha256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911MD5: 35756ECC87405E42F62DEEEEF18FD43A Let’s dive into … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , ,

PowerShell encoding used for Emotet Downloader

I first ran across the SecureString usage in this twitter thread where  @Anyrun_app is talking about a version of “Fake Net” to get all of the C2’s here https://twitter.com/anyrun_app/status/966227622899351552 There are a few methods listed in this thread by different … Continue reading

Posted in Malware, PowerShell, Programming | Tagged , ,

Peeling away the layers of a word document macro

The sample used in this one was first brought to my attention from the blog post by @HerbieZimmerman  and the blog post is here. https://www.herbiez.com/?p=1028 and the link to the doc file is here https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100 This one peaked my interest … Continue reading

Posted in Malware, PowerShell, security, VBScript | Tagged , ,