mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
1.9 KiB
1.9 KiB
Standards and Frameworks Reference
PowerShell Obfuscation Taxonomy
Layer Classification
| Layer | Technique | Example |
|---|---|---|
| L1 | Base64 EncodedCommand | powershell -enc SQBFAFgA... |
| L2 | String Concatenation | $a='Inv'+'oke'+'-Ex'+'pression' |
| L3 | Character Code Array | [char[]](73,69,88)-join'' |
| L4 | Tick-Mark Insertion | I`nv`oke-Exp`ress`ion |
| L5 | Environment Variable | $env:COMSPEC[4,15,25]-join'' |
| L6 | SecureString | ConvertTo-SecureString ... -Key |
| L7 | Compression + Base64 | IO.Compression.DeflateStream |
| L8 | XOR Encoding | `$bytes |
| L9 | Replace Chain | .Replace('abc','I').Replace(...) |
| L10 | Format String | ("{2}{0}{1}" -f 'ke-','Ex','Invo') |
MITRE ATT&CK Mappings
| Technique | ID | Description |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | Malicious PowerShell execution |
| Obfuscated Files or Information | T1027 | Encoding/encryption of scripts |
| Deobfuscate/Decode Files | T1140 | Runtime deobfuscation |
| Ingress Tool Transfer | T1105 | Downloading payloads via PS |
| System Binary Proxy Execution | T1218 | Using trusted binaries |
PowerShell AST Node Types for Analysis
Key Expression Nodes
CommandExpression: Direct command invocationsInvokeMemberExpression: Method calls on objectsBinaryExpression: String concatenation operatorsArrayExpression: Character array constructionSubExpression: Nested expression evaluationExpandableStringExpression: String interpolation