Obfuscation With PowerShell



I’ve covered PowerShell auditing before, but hopefully this shows why you need to start controlling and auditing PowerShell within your environment. If you don’t, malicious parties may be able to mask their tracks.

The reason is that malicious parties may choose to encode their commands or scripts before executing or deploying them. If your auditing isn’t up to scratch, the encoded command may go unseen. In some cases encoding can also help bypass AV.

Imagine you don’t have auditing enabled and you go looking at the history. You use the search filter and try to identify Invoke-Mimikatz. It returns nothing. It may be because the command ran encoded, so the initial command would have been:
Powershell -encodedCommand SQBuAHYAbwBrAGUALQBtAGkAbQBpAGsAYQB0AHo

This is because they encoded the command first, and PowerShell can run an encoded command directly. To do this, run: Powershell -encodedCommand *encoded value*
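The -encodedCommand argument is just Base64 over the UTF-16LE bytes of the command, so an auditor who has the command line (for example from a process-creation event with command-line logging enabled) can decode it and search the plain text instead of the Base64 string. The script below is an added example, not code from the original post: it decodes -encodedCommand values found in command lines and checks them against a small watch-list. The watch-list, the -enc/-ec/-e abbreviations in the regex, and the sample log lines are my own assumptions and constructed data; the first sample is the encoded value quoted in the post, which is one Base64 character short of a full "Invoke-mimikatz", so the decoder also shows how to cope with a truncated value.

```python
import base64
import binascii
import re

# -EncodedCommand and the abbreviations commonly seen on command lines (assumed list).
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumed watch-list of strings an auditor would search the decoded text for; extend as needed.
SUSPECT_TOKENS = ("invoke-mimikatz", "invoke-expression")


def decode_encoded_command(value: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text).

    Tolerates missing Base64 padding and a dangling odd byte, both of which
    appear when a logged command line was truncated.
    """
    if len(value) % 4 == 1:  # no valid Base64 string has this length
        return ""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded)
    except binascii.Error:
        return ""
    if len(raw) % 2:
        # Odd byte count: assume the dangling byte is the low half of an
        # ASCII UTF-16LE code unit and restore its zero high byte.
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def scan_command_line(line: str) -> dict:
    """Return whether the line used -EncodedCommand, the decoded text, and watch-list hits."""
    match = ENCODED_ARG.search(line)
    if not match:
        return {"encoded": False, "decoded": "", "hits": []}
    decoded = decode_encoded_command(match.group(1))
    hits = [token for token in SUSPECT_TOKENS if token in decoded.lower()]
    return {"encoded": True, "decoded": decoded, "hits": hits}


def scan(lines):
    """Scan a list of logged command lines and return one result dict per line."""
    return [scan_command_line(line) for line in lines]


# Constructed sample command lines, as an auditor might pull them from process-creation logs.
SAMPLE_LINES = [
    # The value from the post above (truncated by one Base64 character).
    "powershell -encodedCommand SQBuAHYAbwBrAGUALQBtAGkAbQBpAGsAYQB0AHo",
    # A benign encoded command, constructed here from "Get-Date".
    "powershell.exe -NoProfile -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    # A plain, unencoded command line.
    "powershell.exe -Command Get-Process",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(f"{line[:50]:<52} encoded={result['encoded']} decoded={result['decoded']!r} hits={result['hits']}")
```

Searching the decoded text is what turns a search for Invoke-Mimikatz from "returns nothing" into a hit; the same decode step belongs in whatever log pipeline receives PowerShell command lines, because the Base64 form differs for every change of case or whitespace in the command.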


I’d love to hear any tips you’re willing to share in the comments!
