Hunting Powershell Obfuscation with Linear Regression | Threat Hunting & Incident Response Summit

SANS Digital Forensics and Incident Response
Powershell obfuscation is commonly used by adversaries because it allows for native code execution, and it evades static string detection. There’s no way to write static detection for all possible obfuscation techniques. Instead, let’s go hunt for the obfuscation! It turns out that for normal/non-obfuscated Powershell commands, there are strong correlations between the length of a command and the count of various characters in that command. We can use statistical techniques such as Linear Regression to find commands that don’t match our expected correlations, and therefore have a higher chance of being obfuscated. This presentation will demonstrate an effective technique for finding these outliers.
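The statistical hunt described above, as an added example that is not part of the talk's own material: fit an ordinary least-squares line of special-character count against command length on a constructed baseline of ordinary commands, then flag commands whose standardized residual sits far above the line. The character set, the baseline commands and the two candidates are all constructed assumptions for this example.

```python
import math

# Characters whose count grows predictably with length in ordinary PowerShell but
# balloons under string-splitting, concatenation and escaping (set is an assumption).
SPECIAL_CHARS = set('\'"+`^%(){}[]')

# Constructed baseline of ordinary, non-obfuscated commands.
BASELINE = [
    'Get-ChildItem -Path C:\\Windows\\System32 -Filter "*.dll"',
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5',
    'Set-ExecutionPolicy RemoteSigned -Scope CurrentUser',
    "$services = Get-Service | Where-Object { $_.Status -eq 'Running' }",
    "Get-EventLog -LogName Security -Newest 50 | Export-Csv 'C:\\temp\\sec.csv'",
    "Invoke-WebRequest -Uri 'https://example.com/file.txt' -OutFile 'file.txt'",
    'Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version',
    'New-Item -ItemType Directory -Path "C:\\temp\\logs"',
    'foreach ($f in Get-ChildItem *.log) { Get-Content $f | Measure-Object -Line }',
    'Test-NetConnection -ComputerName server01 -Port 443',
    "Get-Date -Format 'yyyy-MM-dd'",
    'Copy-Item -Path "C:\\src\\report.docx" -Destination "D:\\backup\\"',
]

# Constructed candidates to hunt over: one ordinary command, one obfuscated.
CANDIDATES = [
    'Get-Service -Name Spooler | Restart-Service',
    '&("Wr"+"ite"+"-Ho"+"st") ("He"+"l"+"lo"+" "+"Wo"+"rld")',
]

def features(cmd):
    return len(cmd), sum(1 for c in cmd if c in SPECIAL_CHARS)

def fit(commands):
    """OLS fit of count ~ intercept + slope*length; returns (intercept, slope, sigma)."""
    pts = [features(c) for c in commands]
    n = len(pts)
    mx, my = sum(x for x, _ in pts) / n, sum(y for _, y in pts) / n
    slope = sum((x - mx) * (y - my) for x, y in pts) / sum((x - mx) ** 2 for x, _ in pts)
    intercept = my - slope * mx
    ss_res = sum((y - intercept - slope * x) ** 2 for x, y in pts)
    return intercept, slope, math.sqrt(ss_res / (n - 2))  # residual std dev

def score(cmd, model):
    """Standardized residual: residual-sigmas above what the line predicts."""
    intercept, slope, sigma = model
    x, y = features(cmd)
    return (y - intercept - slope * x) / sigma

def hunt(commands, model, threshold=3.0):
    """Commands with far more special characters than their length predicts."""
    return [c for c in commands if score(c, model) > threshold]
```

Call `hunt(CANDIDATES, fit(BASELINE))` to get the flagged commands; on this data the concatenated `Write-Host` lands well above three sigma while the ordinary service restart sits within one sigma of the line.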

Speaker: Joe Petroske, Cyber Threat Hunter, Target
