DEF CON 25 - Daniel Bohannon, Lee Holmes - Revoke Obfuscation: PowerShell Obfuscation

  • Published: 1 Nov 2017
  • Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?
    A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.
    Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.
    Approaches for evading these detection techniques will be discussed and demonstrated.
    Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.
  • Science
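The description above says Revoke-Obfuscation scores PowerShell scripts and command lines with statistical analysis of their text and structure. The page gives no details of the real feature set or weights, so the following is an added Python illustration of the idea, not Revoke-Obfuscation's own code: it computes a few lexical ratios that common obfuscation styles inflate (special-character density, backtick escapes, string concatenation, format-operator string building, mixed-case tokens), combines them with hand-picked weights, and flags lines above an assumed threshold. The sample command lines are constructed, harmless `Get-Process` variants, not captured log data.

```python
"""Toy statistical scorer for obfuscated PowerShell text.

Added illustration only. Feature choices, weights and threshold are
assumptions made for this demonstration, not Revoke-Obfuscation's.
"""
import re

# Characters that obfuscated PowerShell tends to be dense in.
SPECIAL = set("`'\"+$(){}[]|;,&^")


def mixed_case_ratio(text: str) -> float:
    """Fraction of alphabetic tokens (4+ letters) whose letters flip case
    repeatedly, e.g. pRoCeSs. PascalCase cmdlet names such as ForEach or
    Descending have at most three case switches, so the cutoff is four."""
    tokens = re.findall(r"[A-Za-z]{4,}", text)
    if not tokens:
        return 0.0

    def is_odd(tok: str) -> bool:
        switches = sum(1 for a, b in zip(tok, tok[1:]) if a.isupper() != b.isupper())
        return switches >= 4

    return sum(is_odd(t) for t in tokens) / len(tokens)


def features(text: str) -> dict:
    """Lexical features of one script line or command line."""
    n = max(len(text), 1)
    return {
        # density of punctuation typical of wrapped/concatenated code
        "special_ratio": sum(ch in SPECIAL for ch in text) / n,
        # backtick escapes splitting otherwise plain identifiers
        "backtick_ratio": text.count("`") / n,
        # 'a'+'b' string concatenation operators
        "concat_ops": len(re.findall(r"'\s*\+\s*'", text)),
        # '{1}{0}' -f 'x','y' format-operator string building
        "format_ops": len(re.findall(r"'\s*-f\s*'", text)),
        "mixed_case_ratio": mixed_case_ratio(text),
    }


def obfuscation_score(text: str) -> float:
    """Weighted sum of the features. Weights are arbitrary illustration
    values chosen by hand, not trained on real data."""
    f = features(text)
    return (4.0 * f["special_ratio"]
            + 20.0 * f["backtick_ratio"]
            + 0.5 * f["concat_ops"]
            + 0.5 * f["format_ops"]
            + 2.0 * f["mixed_case_ratio"])


def is_suspicious(text: str, threshold: float = 1.5) -> bool:
    """Assumed threshold; in practice it would be tuned against a corpus."""
    return obfuscation_score(text) >= threshold


def scan(lines):
    """Score every line; returns (line, score, flagged) tuples."""
    return [(ln, obfuscation_score(ln), is_suspicious(ln)) for ln in lines]


# Constructed sample lines (not real log data). Index 0 is plain; the
# rest apply one obfuscation style each to the same harmless command.
SAMPLES = [
    "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending",
    "&('Ge'+'t-Pr'+'oc'+'ess') | ForEach-Object { $_.Name }",
    "gEt-pRoCeSs | wHeRe-oBjEcT { $_.cPu -gT 100 }",
    "& ('{1}{0}' -f 'ocess','Get-Pr') | Sort-Object CPU",
    "`Get-`Pro`ce`ss | Sort-Object CPU",
]

if __name__ == "__main__":
    for line, score, flagged in scan(SAMPLES):
        print(f"{'FLAG' if flagged else 'ok  '} {score:5.2f}  {line}")
```

Each feature on its own is easy to evade, which is exactly the point the talk makes when it discusses evading detection: a real scorer needs many features drawn from the parsed syntax tree and token stream, not just from raw characters, and the weights have to be fit against a labelled corpus rather than guessed.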

Comments • 8

  • @Gaxhar
    @Gaxhar 6 years ago

    So this utility has string/regex whitelisting?
    What's stopping the powershell script from adding itself as an obfuscated whitelist entry?

  • @boratsagdiyev1586
    @boratsagdiyev1586 4 years ago

    What to do about runtime detection. I have several backdoors which can be scanned without being detected.
    As soon as I execute them, I get an alert from my temp folder. (I assume it's detected from memory).
    Any tips to combat this?

  • @greggwion3330
    @greggwion3330 6 years ago

    ROTFLMAO
    You have released the hounds. We are ALL special characters. And you have become the most interesting characters.

  • @greggwion3330
    @greggwion3330 6 years ago

    Young man, what do you mean by " 'If you promise not to tell anyone' " ? Do not bother with an answer.

  • @mariarahelvarnhagen2729
    @mariarahelvarnhagen2729 1 year ago

    #HackTheWideOpenAndorra

  • @lanablack5065
    @lanablack5065 6 years ago

    First