Discover and read the best of Twitter Threads about #powershell

Most recents (24)

🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware Decoding Decimal Values using cyberchefDecoding String Reverse Using CyberchefDecoding Replace Operations Using CyberChefExample of Using Registers and Regex to perform Replace Oper
[2/] First, some links if you wish to follow along.

The Malware File: bazaar.abuse.ch/sample/26c9f29…

Links to CyberChef Recipes:
github.com/embee-research…
[3] Decimal Values:

Some text is converted to decimal to hinder simple text based analysis.

To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal Decimal Encoded Values "chr(45)" etc - Prior to De
Read 12 tweets
Even with the $20B drop in Fed balance sheet yesterday, #NetLiquidity is still up yesterday and today. Image
Projected TGA change in tomorrow's report:

+$143B

Also keep in mind the QT over the next three Thursdays:

-$19B
-$17B
-$39B


RRP +$19B

Image
Image
Image
Read 66 tweets
Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9 Image
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9 Image
Read 9 tweets
PowerShell is a cross-platform task automation solution a command-line shell, a scripting language, and a configuration mangt framework.
PowerShell runs on Windows, Linux, & macOS.

To master #PowerShell, here are some excellent free resources: 🧵

#Linux #Windows #infosec
PowerShell for Beginners

Read 5 tweets
n² likes = n powershell tips
I guess I should tag this #powershell lol

1/ `?` is an alias for Where-Object and `%` is an alias for ForEach. So you can do `obj | ? filter | % block` to do things compactly.

`&` lets you invoke a string or script-block as a powershell command
2/ ctrl-space gives you a menu-completion for all options. This means you can write `obj.` and hit ctrl-space to get all its properties.

Alternatively, you can pipe the object to the `get-member` cmdlet
Read 18 tweets
NEW: Reconstructing PowerShell scripts from multiple Windows event logs

On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.

1/19
Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
... this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike. 3/19
Read 19 tweets
THREAD
Found an interesting #PowerShell dropper today that uses multiple rounds of complex obfuscation, even actual encryption. And I reversed the whole things using one stupid trick: Replace 'Invoke-Expression' with 'Write-Host' Wanna see? Image
The initial script has two lines: the first writes obfuscated code to the string variable0 $dz61UV and the second executes the contents of that string with Invoke-Expression after first reversing the order of bytes and stripping out unneeded spaces. Image
Invoke-Expression is first replaced with its shorthand 'IEX' and then in the next round reconstructed to 'ieX' from characters in the Windows $ShellId global environment variable. In both cases, replacing with Write-Host works just fine. ImageImage
Read 5 tweets
🔷Want to master Command Line but struggling to find where to start ? Then here is the mega thread 🧵for you to start
🔷This thread covers Windows Commands, Power shell Cmdlets, Linux shell commands along side Mac
🔷You will get to know Kernels & Shells

#Windows #Linux #macOS Image
What is KERNEL?
What is Shell ?
What is the Relation ?
Unlike many things, Every Operating System will have KERNEL not just Linux, it's a misconception
#kernel #Shell #DEVCommunity Image
Windows - Regular Command Prompt
Linux - Most of shells like SH, BASH and ZSH
Apple - ZSH shell
#Developer Image
Read 13 tweets
CVE-2021-36934
Un atacante exitoso podría, dijo #Microsoft, "instalar programas; ver, cambiar o eliminar datos; o crear nuevas cuentas con derechos de usuario completos". Todas las versiones de #Windows10 desde 1809 en adelante son #vulnerables a este método de ataque.
En cuanto a los parches, todavía no hay uno; en cambio, Microsoft ha emitido una solución alternativa para restringir el acceso mediante el símbolo del sistema o #PowerShell y luego eliminar los puntos de restauración del sistema existentes.
Esa solución se puede encontrar aquí msrc.microsoft.com/update-guide/v…
Read 3 tweets
Hi #PowerShell community. You may wonder where I've been these past few years. My blog is dormant. My PS PRs nonexistent.
What follows are my thoughts/feelings on recent community discussions.

1/11
This is not new. Neither the problems nor the promises. I sought in earnest to become a member PS Committee. Met with almost all of them. In the end, it did not happen. I'm mad, but not at any personal slight.

2/11
I'm mad because no one else was added either. Nothing sells me on previous MSFT employees on the committee being "community members."

3/11
Read 12 tweets
After a lot of fretting for years, I've decided to give blogging a go.
Read on to find out how you can leverage #PowerShell to create custom-file structures for your next project:
crtejaswi.github.io/blog/13-02-202…
Check out this post to learn how to easily generate QR codes for any text using #PowerShell:
crtejaswi.github.io/blog/15-02-202…
Check out this post to learn how to write a simple #PowerShell cmdlet that easily lets you log in/out of your user accounts. Not very efficient, but a helpful use-case for beginners.
crtejaswi.github.io/blog/16-02-202…
Read 5 tweets
1 / _ , where _ = 12
Here is the story of how the vast portion of my driving motivation to someday be paid for my coding prowess (i.e. a professional coder) is a phone convo from over a yr ago

#100DaysOfCode
2 / _
Backstory ...
May 20, 2019 my prev employer suddenly closed their doors

We walked into those doors that morning thinking it would be a typical Mon, only to learn at closing that we would never walk thru those doors again
3 / _
There I was, 2 Associate degrees in engineering tech (so not full blown engineering degrees, least not to HR depts) with 3 yrs exp in a niche industry

But! I had slowly been learning #PowerShell to automate many aspects of my job (and some other people's 😆)
Read 12 tweets
I have no idea why I'm looking at this but...

docs.microsoft.com/en-us/dotnet/a…

public const double PI = 3.1415926535897931;

PS > [math]::pi
3.14159265358979

3.1415926535897931
3.14159265358979

Where did my 2 digits go?

#dotnet #pi #PowerShell
The rabbit hole goes deeper... Image
And it goes even DEEPER...above is PS7 and this is Windows PowerShell Image
Read 3 tweets
Attackers can check your security visibility faster than you can configure it.

Here's an UNC group we track 😉 using Outlook home page (CVE-2017-11774) to check the target's attack surface and process creation & PowerShell event visibility - then sending it to domain-fronted C2. ImageImageImageImage
If some of the #PowerShell logging terms there were new to you, make sure you check out @matthewdunwoody's classic blog on visibility.ps1: fireeye.com/blog/threat-re… (it still holds up!)

I also plan to blog with more info on the first stage TTPs (not pictured) & hardening guidance.
Here’s the blog as promised on how this persists and removes the CVE-2017-11774 patch
Read 3 tweets
It uses a spreadsheet
...to launch a macro
......to register a scheduled task
..........to run #PowerShell
.............to copy a file
................to run VBA in Outlook
..................for C2
(╯°□°)╯︵ ✉️🔥
Read 3 tweets
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets
<thread> My thoughts around #PowerShell's future... Being blindly optimistic about PowerShell's future or overly pessimistic about major team member's departure is actionless. There will always be a future. /1
And it is the choice you make from this point on determines how bright that future is. When you choose to use PowerShell; learn about its new use cases (e.g in the Cloud); talk about it; build new solutions with it; /2
show the solution to peers; participate and contribute on GitHub/StackOverFlow/Reddit/PowerShell.org, and always ask your vendor when they will actively offer PowerShell support, you brighten PowerShell's future. I am sure you can think of lots more. You might ask why? /3
Read 6 tweets
A round up of tweets from 2017 about learning and exploring security follows
Incorporate the security mindset to see security issues where others see reliability problems:
• Hardcoded metasploit addresses in crashes:
• Support case:
Read 9 tweets
Which of you red-teamers is going to own up to this one? #PowerShell threat decrypts a payload from a USB drive using the volume DeviceId 😱 Image
Decoded source: ghostbin.com/paste/7xnkx
Sample hash: e0679efedeb04d62b61fa60a3940fcf040bf21b56d920f0513e500965ca48c45
If you want to look further on this threat, I suggest these links.
Related hashes: ghostbin.com/paste/j2ce4
github.com/H3LL0WORLD/Pow… ImageImageImageImage
Read 3 tweets
Put this 1,000 line #PowerShell in your malware reading list.
Source: ghostbin.com/paste/qk4vj
JoeSandbox link: joesandbox.com/analysis/33888… ImageImageImage
@joe4security Sample hash: b2272e6d165a35ba1174c8b957c01844e6db0f366873c89fee2ff0f18d9c1af6
Also see: github.com/cocaman/retefe
@joe4security Better source link with more decode: ghostbin.com/paste/s8ykn
Read 3 tweets
That time you analyze a macro and obfuscated #PowerShell for 30 mins only to realize it's probably someone's CTF. ImageImageImageImage
Sample hash: 93db9aa0c088c93867fcbca3b53a1a87705008ca619dd0ce412f924eb1648f8d
Read 3 tweets
You'd be forgiven for missing the expand.exe call in this obfuscated #PowerShell script, but command line logging sees it just fine. ImageImageImage
Sample hash: 948e12bb410ee39f7afec26ecd2cb681d3f6b30e52626e475ac76aa5ba4957a6
@marcurdy your mention of expand.exe in helped me notice this
Read 3 tweets
Use this one-liner in #PowerShell to impress your coworkers with this selection coloring trick.😎💪 Image
Set-ItemProperty -Path HKCU:\Console -Name EnableColorSelection -Value 1
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!