Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join '')

No ratings

Presented at RVASec 2017 by

Daniel Bohannon

PowerShell is increasingly being used by advanced attackers and script kiddies alike in targeted attacks, commodity malware, and even ransomware. The most common usage involves PowerShell remotely downloading and running payloads entirely in memory, rendering many traditional detection mechanisms useless. Detection has increasingly shifted to monitoring for this malicious activity via process command line arguments and parent-child process relationships. While this is a significant improvement there are numerous evasion techniques of which the Red Team and Blue Team should be aware. For the past 1.5 years I have researched PowerShell obfuscation, evasion and advanced detection techniques. Picking up from where I left off in my recent presentations on Invoke-Obfuscation, in this presentation I will highlight my new tool Invoke-CradleCrafter. Additionally, I will introduce a new family of PowerShell obfuscation techniques and show how they can be applied to several new and obscure families of remote download cradles.