PowerShell

Gather MD5, SHA256, Name and FullName of NanoCore files

PowerShell Commands for Incident Response

May 25, 2020

Blue Team, Cheat Sheet, Commands, NanoCore, PowerShell, RAT

We will learn different PowerShell Commands can be used in Incident Response to remediate the machine. I will take a real world scenario where a machine is infected with malware e.g. NanoCore RAT to explain this PowerShell Commands. These commands can be very useful in a limited Windows environment where…

Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

April 30, 2019

Ataware, Deobfuscation, hta, Macro analysis, PowerShell, Ransomware, T1086, T1170, VBScript, xls

This will be a multiple part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss analysis steps for hta, VBScript & PowerShell code to extract the final payload url. Let’s start with xls, I was browsing Twitter for an interesting sample,…

Deobfuscate PowerShell using PowerShell Logging

April 20, 2019

Deobfuscation, Emotet, PowerShell, Qakbot

We will use inbuilt PowerShell Logging in Windows 10 VM to deobfuscate PowerShell code used to deliver Emotet & Qakbot. Malware uses PowerShell mostly to download payload from CC and execute it. Why do we need to do this? Easy technique to deobfuscate PowerShell without using any external tool Extract…

Deobfuscate Emotet PowerShell – Part 0x2

May 26, 2018

Deobfuscation, Downloader, Emotet, PowerShell, Video Tutorial

We will deobfuscate PowerShell and extract CC from the PowerShell cmd extracted from the Emotet downloader macro discussed in the previous article. If you want to learn how to deobfuscate and analyse the malicious macro code, please check this article and video. Video Tutorial Let see how to use this above…