Discover and read the best of Twitter Threads about #powershell

Most recent (24)

🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware
[Images: Decoding Decimal Values using CyberChef; Decoding String Reverse Using CyberChef; Decoding Replace Operations Using CyberChef; Example of Using Registers and Regex to perform Replace Oper…]
[2/] First, some links if you wish to follow along.

The Malware File:…

Links to CyberChef Recipes:…
[3] Decimal Values:

Some text is converted to decimal to hinder simple text based analysis.

To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal
[Image: Decimal Encoded Values "chr(45)" etc - Prior to De…]
Read 12 tweets
Even with the $20B drop in Fed balance sheet yesterday, #NetLiquidity is still up yesterday and today.
Projected TGA change in tomorrow's report:

Also keep in mind the QT over the next three Thursdays:

RRP +$19B
Read 66 tweets
Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9
Read 9 tweets
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.
PowerShell runs on Windows, Linux, & macOS.

To master #PowerShell, here are some excellent free resources: 🧵

#Linux #Windows #infosec
PowerShell for Beginners

Read 5 tweets
n² likes = n powershell tips
I guess I should tag this #powershell lol

1/ `?` is an alias for Where-Object and `%` is an alias for ForEach. So you can do `obj | ? filter | % block` to do things compactly.

`&` lets you invoke a string or script-block as a powershell command
2/ ctrl-space gives you a menu-completion for all options. This means you can write `obj.` and hit ctrl-space to get all its properties.

Alternatively, you can pipe the object to the `get-member` cmdlet
Read 18 tweets
NEW: Reconstructing PowerShell scripts from multiple Windows event logs

On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.

Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
... this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike. 3/19
Read 19 tweets
Found an interesting #PowerShell dropper today that uses multiple rounds of complex obfuscation, even actual encryption. And I reversed the whole thing using one stupid trick: Replace 'Invoke-Expression' with 'Write-Host'. Wanna see?
The initial script has two lines: the first writes obfuscated code to the string variable $dz61UV and the second executes the contents of that string with Invoke-Expression after first reversing the order of bytes and stripping out unneeded spaces.
Invoke-Expression is first replaced with its shorthand 'IEX' and then in the next round reconstructed to 'ieX' from characters in the Windows $ShellId global environment variable. In both cases, replacing with Write-Host works just fine.
Read 5 tweets
🔷Want to master the command line but struggling to find where to start? Then here is the mega thread 🧵 for you to start
🔷This thread covers Windows commands, PowerShell cmdlets, and Linux shell commands alongside Mac
🔷You will get to know kernels & shells

#Windows #Linux #macOS
What is a KERNEL?
What is a Shell?
What is the relation?
Unlike many things, every operating system has a KERNEL, not just Linux; thinking otherwise is a misconception
#kernel #Shell #DEVCommunity
Windows - Regular Command Prompt
Linux - Most shells, like SH, BASH and ZSH
Apple - ZSH shell
#Developer
Read 13 tweets
A successful attacker could, said #Microsoft, "install programs; view, change, or delete data; or create new accounts with full user rights". All versions of #Windows10 from 1809 onward are #vulnerable to this attack method.
As for patches, there is none yet; instead, Microsoft has issued a workaround to restrict access via the command prompt or #PowerShell and then delete existing system restore points.
That workaround can be found here…
Read 3 tweets
Hi #PowerShell community. You may wonder where I've been these past few years. My blog is dormant. My PS PRs nonexistent.
What follows are my thoughts/feelings on recent community discussions.

This is not new. Neither the problems nor the promises. I sought in earnest to become a member of the PS Committee. Met with almost all of them. In the end, it did not happen. I'm mad, but not at any personal slight.

I'm mad because no one else was added either. Nothing sells me on previous MSFT employees on the committee being "community members."

Read 12 tweets
After a lot of fretting for years, I've decided to give blogging a go.
Read on to find out how you can leverage #PowerShell to create custom-file structures for your next project:…
Check out this post to learn how to easily generate QR codes for any text using #PowerShell:…
Check out this post to learn how to write a simple #PowerShell cmdlet that easily lets you log in/out of your user accounts. Not very efficient, but a helpful use-case for beginners.…
Read 5 tweets
1 / _ , where _ = 12
Here is the story of how the vast portion of my driving motivation to someday be paid for my coding prowess (i.e. a professional coder) is a phone convo from over a yr ago

2 / _
Backstory ...
May 20, 2019 my prev employer suddenly closed their doors

We walked into those doors that morning thinking it would be a typical Mon, only to learn at closing that we would never walk thru those doors again
3 / _
There I was, 2 Associate degrees in engineering tech (so not full blown engineering degrees, least not to HR depts) with 3 yrs exp in a niche industry

But! I had slowly been learning #PowerShell to automate many aspects of my job (and some other people's 😆)
Read 12 tweets
I have no idea why I'm looking at this but...…

public const double PI = 3.1415926535897931;

PS > [math]::pi


Where did my 2 digits go?

#dotnet #pi #PowerShell
The rabbit hole goes deeper...
And it goes even DEEPER... above is PS7 and this is Windows PowerShell
Read 3 tweets
Attackers can check your security visibility faster than you can configure it.

Here's an UNC group we track 😉 using Outlook home page (CVE-2017-11774) to check the target's attack surface and process creation & PowerShell event visibility - then sending it to domain-fronted C2.
If some of the #PowerShell logging terms there were new to you, make sure you check out @matthewdunwoody's classic blog on visibility.ps1:… (it still holds up!)

I also plan to blog with more info on the first stage TTPs (not pictured) & hardening guidance.
Here’s the blog as promised on how this persists and removes the CVE-2017-11774 patch
Read 3 tweets
It uses a spreadsheet
launch a macro
register a scheduled task
run #PowerShell
copy a file
run VBA in Outlook
..................for C2
(╯°□°)╯︵ ✉️🔥
Read 3 tweets
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiar with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our GitHub repository. In addition, malicious IPs, attack servers and domains appear on the @Guardicore Cyber Threat Intelligence portal. You're welcome to take a look :)…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets
<thread> My thoughts around #PowerShell's future... Being blindly optimistic about PowerShell's future or overly pessimistic about major team member's departure is actionless. There will always be a future. /1
And it is the choice you make from this point on that determines how bright that future is. When you choose to use PowerShell; learn about its new use cases (e.g. in the Cloud); talk about it; build new solutions with it; /2
show the solution to peers; participate and contribute on GitHub/StackOverflow/Reddit, and always ask your vendor when they will actively offer PowerShell support, you brighten PowerShell's future. I am sure you can think of lots more. You might ask why? /3
Read 6 tweets
A round-up of tweets from 2017 about learning and exploring security follows
Incorporate the security mindset to see security issues where others see reliability problems:
• Hardcoded metasploit addresses in crashes:
• Support case:
Read 9 tweets
Which of you red-teamers is going to own up to this one? #PowerShell threat decrypts a payload from a USB drive using the volume DeviceId 😱
Decoded source:
Sample hash: e0679efedeb04d62b61fa60a3940fcf040bf21b56d920f0513e500965ca48c45
If you want to look further into this threat, I suggest these links.
Related hashes:…
Read 3 tweets
Put this 1,000 line #PowerShell in your malware reading list.
JoeSandbox link:…
@joe4security Sample hash: b2272e6d165a35ba1174c8b957c01844e6db0f366873c89fee2ff0f18d9c1af6
Also see:
@joe4security Better source link with more decode:
Read 3 tweets
That time you analyze a macro and obfuscated #PowerShell for 30 mins only to realize it's probably someone's CTF.
Sample hash: 93db9aa0c088c93867fcbca3b53a1a87705008ca619dd0ce412f924eb1648f8d
Read 3 tweets
You'd be forgiven for missing the expand.exe call in this obfuscated #PowerShell script, but command line logging sees it just fine.
Sample hash: 948e12bb410ee39f7afec26ecd2cb681d3f6b30e52626e475ac76aa5ba4957a6
@marcurdy your mention of expand.exe in helped me notice this
Read 3 tweets
Use this one-liner in #PowerShell to impress your coworkers with this selection coloring trick. 😎💪
Set-ItemProperty -Path HKCU:\Console -Name EnableColorSelection -Value 1
Read 3 tweets