I’m blown away by how many people enjoyed my first PowerShell reverse-engineering write-up! In fact, it was such a popular post that people were even sharing it with their work teams in order to learn new malware techniques being used by attackers! I’m thrilled that my post was useful, and I hope that it inspires others to give malware reversing a try. After reading my write-up, a Twitter user named Chad got in touch with me and shared a couple of other samples of PowerShell malware that his team had found.
Greetings, friends! I know it’s been a while, but today I’ve got a special treat for you. Earlier this week, a malicious PowerShell script was detected on one of the systems I protect. After a bit of digging, my colleagues were able to extract the complete code listing, which I decided to reverse-engineer. It’s big, it’s ugly, and it’s fascinating as hell. When I first looked at the script, I recognized that it had been carefully obfuscated in order to be impossible to read and understand, but that didn’t deter me; I love a good challenge.