This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

Many attackers continue to leverage PowerShell as a part of their
malware ecosystem, mostly delivered and executed by malicious binaries
and documents. Of malware that uses PowerShell, the most prevalent use
is the garden-variety stager: an executable or document macro that
launches PowerShell to download another executable and run it. There
has been significant development and innovation in the field of
offensive PowerShell techniques. While defenders and products have
implemented greater
PowerShell visibility
and improved detection, the offensive
PowerShell community has adapted their tools to avoid signature-based
detections. Part of this response has come through an increased use of
content obfuscation – a technique long employed at both the binary and
content level by traditional malware authors.

In our Revoke-Obfuscation
white paper
, first presented at Black Hat USA 2017, we provide
background on obfuscated PowerShell attacks seen in the wild, as well
as defensive mitigation and logging best practices. We then make the
case for the inefficiencies of static detection by exploring the many
layers of obfuscation now available to attackers for launching
PowerShell scripts, shortening and complicating commands contained
within the scripts, manipulating strings, and using alternate and
obscure methods to evade defenders. We then present a number of unique
approaches for interpreting, categorizing, and processing obfuscated
PowerShell attributes in order to build a framework for high fidelity
obfuscation detection. To support our research, we collected an
unprecedented PowerShell data corpus comprised of 408,000 scripts –
including 7,000 manually-reviewed and labeled scripts – from a vast
set of sources, both public and previously unavailable. In addition to
releasing the PowerShell data corpus, we have released the Revoke-Obfuscation
, which has been used in numerous Mandiant
investigations, to assist the security community in classifying
PowerShell scripts’ obfuscation at scale.

Download the Revoke-Obfuscation
white paper

Revoke-Obfuscation is the result of industry research collaboration
between Daniel Bohannon (@danielhbohannon), Senior
Applied Security Researcher at Mandiant/FireEye, and Lee Homes (@Lee_Holmes
), Lead
Security Architect of Azure Management at 


At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,