Forum Discussion

CyberSharpe
3 months ago

PowerShell Deobfuscation Ep.7

Team, has anyone ventured into PowerShell Deobfuscation yet? I’ve got to 7 with no issues but I cannot get any further. The drama is every time you reset it’s a completely different code or it freezes or stutters. When it’s not being choppy it’s pure nails.
I can’t ask an exact question as it keeps changing, but more of how are you approaching it. Are you creating your own scripts to decode this? If so, could you share ideas? Are you copying it out to a PowerShell decoder, manually doing it by hand, or using CyberChef? If so, what actions are you selecting?

  • Hello - the labs use "invoke obfuscation" which is why they are different every time. They are really difficult, it took me a month to complete them.

    Have a look at some internet articles - this is a good primer 

    https://medium.com/mii-cybersec/malicious-powershell-deobfuscation-using-cyberchef-dfb9faff29f

     

  • Hi Jay,

    What tool or approach you use is very much a personal choice, but CyberChef is very powerful and flexible as you can tweak and fine-tune your recipe and see the results in real time.

    Out of interest, have you looked at the 'Introduction to PowerShell Deobfuscation' collection?

    If you continue to struggle then let me know - I'll be happy to discuss approaches in more detail.

    Cheers,
    Barny