Invoke Obfuscation - PowerShell Obfuscation Techniques and How To Try To Detect Them
Offered By: nullcon via YouTube
Course Description
Overview
Explore advanced PowerShell obfuscation techniques and detection methods in this 55-minute conference talk from nullcon 2017. Delve into a dozen never-before-seen obfuscation methods used by sophisticated attackers to evade detection by antivirus and application whitelisting technologies. Learn about three new layers of obfuscation that can be applied to PowerShell commands and scripts, including direct manipulation of cmdlets and functions, string manipulation, and content execution techniques. Discover how these methods can be stacked to create highly evasive payloads. Gain insights into the challenges of detecting obfuscated commands and the importance of PowerShell event logging. Witness a demonstration of Invoke-Obfuscation, an open-source tool for applying these techniques. Presented by Daniel Bohannon, an Incident Response Consultant at MANDIANT with expertise in PowerShell-based attack research and detection techniques.
Syllabus
nullcon 2017 - Invoke Obfuscation: Powershell Obfuscation Techniques n How To Try To Detect Them
Taught by
nullcon
Related Courses
Computer Security (Stanford University via Coursera)
Cryptography II (Stanford University via Coursera)
Malicious Software and its Underground Economy: Two Sides to Every Story (University of London International Programmes via Coursera)
Building an Information Risk Management Toolkit (University of Washington via Coursera)
Introduction to Cybersecurity (National Cybersecurity Institute at Excelsior College via Canvas Network)