Attackers obfuscate PowerShell to evade rigid detections. With recent improvements in obfuscation detection, savvy attackers have started to obfuscate less and more selectively to avoid detection. Come learn how PesterSec leverages Pester and ScriptAnalyzer to detect minimally-obfuscated PowerShell.
Over the years as attackers have increasingly used PowerShell as an important piece of their offensive toolkit, the PowerShell Team has countered by building deep inspection capabilities into PowerShell that are not found in any other scripting language. However, as defenders began using this new visibility and significantly improving their detection of malicious PowerShell usage, attackers adapted their techniques.
As attackers turned to the heavy usage of specific obfuscation techniques, like those found in Invoke-Obfuscation and Invoke-CradleCrafter, to target certain aspects of PowerShell’s ScriptBlock logging, defenders once again had to match this offensive shift with their own shift in detection methodology.
Defenders have since turned to various data science approaches, like those built into Revoke-Obfuscation, to more robustly detect heavy PowerShell obfuscation. However, offensive projects like PSAmsi have countered this by enabling attackers to apply selective obfuscation in minimal quantities to evade specific A/V signatures while falling under the “obfuscation threshold” of newer data science approaches.
Come learn how PesterSec combines the power of ScriptAnalyzer and Pester to perform context-specific detections of minimally-obfuscated PowerShell commands and scripts. These platforms also highlight the ease of access to PowerShell’s Abstract Syntax Tree (AST) for any PowerShell practitioner.
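As an added example that is not PesterSec's own code, the following PSScriptAnalyzer-style custom rule shows how the AST exposes what a plain string signature misses: it walks every CommandAst and reports command names that are backtick-escaped or computed at run time. The rule name, the sample script and the `$payload` variable are constructed for this illustration, and the PSScriptAnalyzer module is assumed to be installed.

```powershell
# Added example (not PesterSec's code): a PSScriptAnalyzer-style custom rule that
# walks the AST and flags two minimal obfuscations of a command name that a plain
# string match for "Invoke-Expression" would miss:
#   1. backtick escapes inside a bare command name, e.g.   Invo`ke-E`xpression
#   2. a name built at run time and invoked with & or ., e.g. &('Inv'+'oke-Expression')
# Requires the PSScriptAnalyzer module; rule name and sample script are constructed here.
using namespace System.Management.Automation.Language
Import-Module PSScriptAnalyzer

function Measure-ObfuscatedCommandName {
    [CmdletBinding()]
    [OutputType([Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord[]])]
    param([Parameter(Mandatory)][ScriptBlockAst]$ScriptBlockAst)

    $ruleName = $PSCmdlet.MyInvocation.InvocationName
    foreach ($cmd in $ScriptBlockAst.FindAll({ param($n) $n -is [CommandAst] }, $true)) {
        $name = $cmd.CommandElements[0]
        $msg  = $null
        if ($name -is [StringConstantExpressionAst]) {
            # Literal name: Extent.Text is the raw source, Value is the unescaped name
            if ($name.Extent.Text.Contains('`')) {
                $msg = "Command name '$($name.Value)' is written with backtick escapes"
            }
        } elseif ($cmd.InvocationOperator -ne [TokenKind]::Unknown) {
            # & or . followed by an expression: the command name is computed at run time
            $msg = "Command name is built dynamically: $($name.Extent.Text)"
        }
        if ($msg) {
            New-Object Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord `
                -ArgumentList $msg, $name.Extent, $ruleName, 'Warning', $null
        }
    }
}

# Constructed sample: two obfuscated invocations plus one benign command.
$sample = @'
Invo`ke-E`xpression $payload
&('Inv'+'oke-Expression') $payload
Get-Date
'@
$ast = [Parser]::ParseInput($sample, [ref]$null, [ref]$null)
Measure-ObfuscatedCommandName -ScriptBlockAst $ast | Format-Table RuleName, Message
```

Saved in a .psm1 and passed to `Invoke-ScriptAnalyzer -CustomRulePath`, the same function runs as a ScriptAnalyzer rule, and a Pester `It` block can assert on the number of DiagnosticRecords it returns for a given script.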