Finding and Decoding Malicious PowerShell Scripts

Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as "fileless malware", they can leave behind forensic artifacts for examiners to find. Learn how to locate and identify activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contain several layers of obfuscation that need to be decoded. Learn how to manually decode them, as well as how to perform some light malware analysis on any embedded shellcode, through a series of hands-on labs. I will also demonstrate how to use an open source Python script to automate some of the process once you have discovered the MO of the attacker in your case.

Requirements: Attendees should have a Windows system or Windows VM. The user must be able to turn off their AV. It would also be helpful if Python 2.7 is installed and added to the Path environment variable.

Mari DeGrazia

Mari DeGrazia is a Director at Kroll Cyber Security, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written and released numerous programs/scripts to the forensics community; presented on her research at several industry conferences; and is a published author in several magazines. She holds several certifications in addition to earning a B.S. in Computer Science from Hawaii Pacific University.

Marc Padilla

Marc Padilla is a Senior Managing Consultant at Kroll Cyber Security and performs digital forensics and incident response for data breach investigations and cyber security engagements. He is enthusiastic about research and performs analysis for statistical observations of large data sets. As a motivated communicator who shares ideas and knowledge with others, he has presented to the Arizona Public Defenders Association and the University of Arizona on the topics of digital forensics, network analysis, and security. Marc holds information security certifications and a B.S. in Information Science and Technology, and is currently pursuing an M.S. in Cybersecurity.