Greetings, friends! I know it’s been a while, but today I’ve got a special treat for you. Earlier this week, a malicious PowerShell script was detected on one of the systems I protect. After a bit of digging, my colleagues were able to extract the complete code listing, which I decided to reverse-engineer. It’s big, it’s ugly, and it’s fascinating as hell. When I first looked at the script, I recognized that it had been carefully obfuscated in order to be impossible to read and understand, but that didn’t deter me; I love a good challenge. I decided to try and reverse-engineer the code and see how it worked, despite the fact that I had never worked with PowerShell before, and had no idea how the language worked. On top of that, I’d never attempted to reverse-engineer anything before.

I had no idea how deep this rabbit hole would go. When I was done, well… Let’s just say, I was blown away.

I learned so much from this exercise, not just about PowerShell, reverse-engineering, or malware development, but about the incredible lengths malicious hackers will go to in order to get their code onto your system undetected.

“Fascinating,” you say! “I’d love to learn more about it!”

Well, you’re in luck!

I documented the whole endeavor.

Feast your brains, dear readers. I hope you enjoy the guide.

While you’re at it, I’m going to go take a nap. I’m fried.

<3