THREAD
On today's installment of RANDOM HEAVILY ENCODED THINGS, I do somebody's HTB homework for them.

We start out with a block of decimal-encoded bytes which decodes to some JavaScript: The JavaScript decodes a blob of base64 data info a file and loads it in a document.body element (so to be viewed in a browser, the object is named "message.pdf" which is our first clue.

THREAD
Found an interesting #PowerShell dropper today that uses multiple rounds of complex obfuscation, even actual encryption. And I reversed the whole things using one stupid trick: Replace 'Invoke-Expression' with 'Write-Host' Wanna see? The initial script has two lines: the first writes obfuscated code to the string variable0 $dz61UV and the second executes the contents of that string with Invoke-Expression after first reversing the order of bytes and stripping out unneeded spaces.

THREAD
Prompted by a thread earlier today, I've compiled a few presentations that Target's cybersecurity team members have given over the years that I think are particularly interesting or novel, mostly aligned to the themes of maturity and innovation. Target alumni @jshlbrd presenting on file analysis with Strelka* at @BSidesSF 2019:

THREAD:
If you work in cyber, you should understand the basic mechanics of risk. I don’t mean RISK = IMPACT * LIKELIHOOD. I mean, what can you do about a risk once you know about it? There are 4 basic strategies: 1. Avoid - Don’t do the thing that introduces the risk in the first place. In cyber, this requires being part of purchasing and/or design decisions *with* *decision* *authority*. This is the rarest, but also the most effective risk management strategy.

THREAD
Let's analyze a malicious VBA macro payload. On visual inspection, we can easily see that the macro performs string concatenation and then uses Shell() to execute a PowerShell script. It declares AutoOpen() & Workbook_Open() in order to execute when the document is opened. Once we decode the base64 script from the macro, we can see that it further obfuscates its intention with more base64 encoding and gzip compression.

THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7 First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7

THREAD for beginning malware/SOC analysts
When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.) Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, $PSHome.

THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ 1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.

This thread got me thinking about DefCon, hacker culture, and insecurity. 1/

External Tweet loading...
If nothing shows, it may have been deleted
by @withzombies view original on Twitter

My first con of any kind was DC6 in 1998. At the time, I worked for a school, fixing Macs and LaserJets, resetting passwords, etc 2/