Deobfuscate PowerShell using PowerShell Logging

We will use the built-in PowerShell logging of a Windows 10 VM to deobfuscate the PowerShell code used to deliver Emotet and Qakbot. Malware mostly uses PowerShell to download the payload from the CC and execute it.

Why do we need to do this?

  • Easy technique to deobfuscate PowerShell without using any external tool
  • Extract CC from PowerShell


Enable PowerShell Logging

A Windows 10 VM doesn’t require any software updates to support enhanced PowerShell logging. But if you still want to configure a Windows 7 VM, please check the FireEye article Greater Visibility Through PowerShell Logging.

1. Open the Local Group Policy Editor and navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell

Initial PowerShell Logging Setting

2. Enable the three options shown below. Enter * in Module Names for Module Logging.
PowerShell Group Policy Setting


Tip: Enter gpedit.msc in Run to open the Local Group Policy Editor, and eventvwr.msc to open Event Viewer.
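As an added example that is not part of the original post, the same policies can be switched on from an elevated PowerShell prompt by writing the registry values that the Group Policy editor writes. It assumes the three options are Module Logging, Script Block Logging and Transcription, the ones covered in the FireEye article referenced above; the transcript directory C:\PSTranscripts is a placeholder you should change.

```powershell
# Added example: set the three PowerShell logging policies through the registry.
# These are the values the Local Group Policy Editor writes for
# Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell.
# Run from an elevated (Administrator) PowerShell prompt on the analysis VM.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the key if needed and write one value (String unless a DWord is requested)
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'String')
    $path = Join-Path $PolicyBase $Key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # placeholder; pick a directory on the VM

    # Module Logging: "Pipeline execution details" (event 800 in the "Windows PowerShell" log),
    # with * under Module Names so every module is covered
    Set-PolicyValue 'ModuleLogging'             'EnableModuleLogging' 1 'DWord'
    Set-PolicyValue 'ModuleLogging\ModuleNames' '*'                   '*'

    # Script Block Logging: the code PowerShell actually compiles, i.e. the deobfuscated form
    # (event 4104 in Microsoft-Windows-PowerShell/Operational)
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1 'DWord'

    # Transcription: a text record of every session's input and output
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-PolicyValue 'Transcription' 'EnableTranscripting'    1 'DWord'
    Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1 'DWord'
    Set-PolicyValue 'Transcription' 'OutputDirectory'        $TranscriptDir
}

function Test-PowerShellLogging {
    # $true only when all three policies read back as enabled
    $read = { param($k) Get-ItemProperty -Path (Join-Path $PolicyBase $k) -ErrorAction SilentlyContinue }
    ((& $read 'ModuleLogging').EnableModuleLogging -eq 1) -and
    ((& $read 'ScriptBlockLogging').EnableScriptBlockLogging -eq 1) -and
    ((& $read 'Transcription').EnableTranscripting -eq 1)
}

Enable-PowerShellLogging
Test-PowerShellLogging    # expect True
```

No reboot or gpupdate is needed: the policy values are read when a new powershell.exe starts, so the sample you detonate afterwards is logged.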


  1. Open Event Viewer, navigate to Windows Logs -> Applications and Services Logs -> Windows PowerShell, right-click and clear the existing logs.
  2. Execute the malware and wait for some time, 30-60 sec.
  3. Open Process Hacker and check that the PowerShell process has terminated.
  4. Open Event Viewer, navigate to the Windows PowerShell log and check the entries; you will see some deobfuscated PowerShell.
  5. Analyze the PowerShell if needed to extract the CC info.
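The collection side of these steps, as an added example that is not the post's own code: it clears both PowerShell logs, checks that no other powershell.exe is still running, and reassembles the Script Block Logging events (4104) into whole scripts, since PowerShell splits large scripts across several events that share one ScriptBlockId. The output path on the Desktop and the ten-minute look-back window are assumptions; the property order used for event 4104 follows the event's template (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path).

```powershell
# Added example: collect what PowerShell logging recorded after the sample ran.
# Run as Administrator on the analysis VM.

function Clear-PowerShellLogs {
    # Module Logging (event 800) lands in the classic "Windows PowerShell" log,
    # Script Block Logging (event 4104) in Microsoft-Windows-PowerShell/Operational; clear both.
    wevtutil.exe cl 'Windows PowerShell'
    wevtutil.exe cl 'Microsoft-Windows-PowerShell/Operational'
}

function Test-PowerShellFinished {
    # $true when no powershell.exe other than this session is left (the Process Hacker check)
    -not (Get-Process -Name powershell -ErrorAction SilentlyContinue | Where-Object Id -ne $PID)
}

function Get-LoggedScriptBlocks {
    # Reassemble 4104 events into whole script blocks, oldest first.
    # Property order per the 4104 template: 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
    param([datetime]$Since = (Get-Date).AddMinutes(-10))   # assumed look-back window
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Id    = $_.Properties[3].Value
                Part  = [int]$_.Properties[0].Value
                Total = [int]$_.Properties[1].Value
                Text  = $_.Properties[2].Value
                Path  = $_.Properties[4].Value
            }
        } |
        Group-Object Id |
        ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                Time     = $parts[0].Time
                Id       = $_.Name
                Path     = $parts[0].Path            # empty for code passed on the command line
                Complete = ($parts.Count -eq $parts[0].Total)   # $false if a part was dropped
                Text     = -join $parts.Text
            }
        } | Sort-Object Time
}

function Get-ModuleLogEntries {
    # Event 800 "Pipeline execution details": command text as PowerShell resolved it
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 800; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: once the sample has run and its powershell.exe has exited, dump every block to a file for review
if (Test-PowerShellFinished) {
    $out = Join-Path $env:USERPROFILE 'Desktop\ps_blocks.txt'    # assumed output path
    Get-LoggedScriptBlocks | ForEach-Object {
        "==== $($_.Time)  id=$($_.Id)  complete=$($_.Complete)  path=$($_.Path)`r`n$($_.Text)`r`n"
    } | Set-Content -Path $out
    "wrote $out"
} else {
    'powershell.exe is still running; wait before collecting'
}
```

Clear the logs before detonation (Clear-PowerShellLogs) so that the only 4104 events in the window are the sample's; the Complete flag tells you when a multi-part script block is missing a piece and the log should be read again.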

Example of Emotet & Qakbot

  1. The hta file contains obfuscated VBScript code.
    Initial obfuscated hta file which contains VBScript
  2. Deobfuscate the VBScript by replacing every character in ]+($)#!%/=[?-_&*<> with an empty string, and you can see the obfuscated PowerShell.
    Initial obfuscated PowerShell
  3. But we don’t need to do the above step; we can just run the hta file and see the much clearer PowerShell code shown below.
    Qakbot PowerShell deobfuscation: the 2nd-level deobfuscated code is much better, as you can see the CC
  4. Extract the CC by executing the PowerShell code below.
    Qakbot CC: execute PowerShell code to extract the CC
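As an added example that is not the post's own code, the string-level parts of steps 2 and 4 above as reusable helpers, run on constructed samples rather than the real Qakbot or Emotet content: stripping the junk character set, decoding a command passed with -EncodedCommand (a form Emotet commands commonly take; this goes beyond what the post shows), and pulling the URLs out of the recovered code and defanging them for a report. Note that the junk set contains / = and -, so character stripping is only safe when the real command uses none of them, which is one reason the post moves to logging in step 3.

```powershell
# Added example: helpers for the manual deobfuscation steps, on constructed input.

# Step 2: strip the junk set ]+($)#!%/=[?-_&*<> that the VBScript pads around the real command.
# Inside a regex character class only ] [ and - need escaping.
function Remove-JunkCharacters {
    param([Parameter(Mandatory)][string]$Text)
    ($Text -replace '[\]\[\-+()$#!%/=?_&*<>]', '').Trim()
}

# Commands passed as -e / -enc / -EncodedCommand carry base64 of UTF-16LE text.
# Returns the decoded script, or the input unchanged when no encoded command is present.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $CommandLine }
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
}

# Step 4: pull every http(s) URL (the CC) out of recovered code and defang it for reporting.
function Get-DefangedUrl {
    param([Parameter(Mandatory)][string]$Script)
    [regex]::Matches($Script, '(?i)https?://[^\s''"<>;,)]+') |
        ForEach-Object { ($_.Value -replace '^http', 'hxxp') -replace '\.', '[.]' } |
        Select-Object -Unique
}

# --- constructed samples (not taken from any real sample) ---

# Junk-padded text: only the letters between the junk characters are real
$padded = 'p]o+w(e$r)s#h!e%l/l =[?-_&*<>'
Remove-JunkCharacters $padded                  # powershell

# A benign script encoded the way an -EncodedCommand launcher would carry it,
# using the reserved example.invalid domain as the stand-in CC
$inner = "Write-Output 'http://example.invalid/stage2.bin'"
$b64   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$cmd   = "powershell -NoP -w hidden -enc $b64"

$decoded = ConvertFrom-EncodedCommand $cmd     # Write-Output 'http://example.invalid/stage2.bin'
Get-DefangedUrl $decoded                       # hxxp://example[.]invalid/stage2[.]bin
```

Get-DefangedUrl can be pointed straight at the script block text recovered from the event log, which is where step 4 of the post applies it.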
Obfuscated Emotet PowerShell cmd
Contains the PowerShell cmd extracted from the Emotet doc

Emotet PowerShell 1st Entry

Emotet Deobfuscated PowerShell
Check the highlighted deobfuscated code

Hope you enjoyed this post; please follow me on Twitter to get the latest updates about my malware analysis & DFIR journey. Happy Reversing 😊
