Finding and Decoding Malicious PowerShell Scripts - SANS DFIR Summit 2018
Views: 6,378
Likes: 144
Comments: 3
Published: Sep 13, 2018
Channel: SANS Digital Forensics and Incident Response
Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as "fileless malware", they can leave behind forensic artifacts for examiners to find. In this presentation, learn how to locate and identify the activity of these malicious PowerShell scripts. Once located, the scripts may contain several layers of obfuscation that need to be decoded. I will walk through how to decode them, as well as some light malware analysis of any embedded shellcode. I will also demonstrate how to use an open source Python script to automate the process once you have discovered the attacker's MO in your case.

Mari DeGrazia (@maridegrazia), Director of Incident Response, Kroll