Malicious Documents

Malicious Scripts

  • Targeting powershell.exe, cscript.exe, cmd.exe and mshta.exe
  • Windows Subsystem for Linux introduces more script support
  • Prevent PowerShell detection:
    • If the attacker places a malicious script under the path %USERPROFILE%\profile.ps1 and starts PowerShell ISE, the script will be executed without powershell.exe being involved
    • Bypass execution policy: HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - and set the registry value ExecutionPolicy to Unrestricted.
    • Invoke-NoShell
      • 12 different evasive document permutations
    • Invoke-Obfuscation
    • Invoke-DOSfuscation
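The two PowerShell ISE / execution-policy conditions listed above can be audited on a workstation with the following script. It is an added example written for these notes, not code from any of the tools named here; the profile paths beyond the one the notes mention are assumed from PowerShell's standard $PROFILE locations.

```powershell
# Added audit script; it is not part of these notes. It reports the two conditions the
# notes describe: a PowerShell profile script that ISE would auto-load, and a per-user
# ExecutionPolicy override in the registry. Extra profile paths are assumed from the
# standard $PROFILE locations and are labelled below.

$findings = New-Object System.Collections.Generic.List[object]

# 1. Profile scripts. First entry is the path named in the notes; the other two are the
#    standard per-user "AllHosts" and ISE-specific profiles (assumption, not from the notes).
$profilePaths = @(
    (Join-Path $env:USERPROFILE 'profile.ps1'),
    (Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell\profile.ps1'),
    (Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1')
)
foreach ($path in $profilePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{
            Check  = 'ProfileScriptPresent'
            Detail = $path
            Info   = "LastWrite=$($item.LastWriteTime) Size=$($item.Length) SHA256=$hash"
        })
    }
}

# 2. Per-user execution policy in the key the notes cite. Unrestricted or Bypass here
#    lets profile.ps1 and other unsigned scripts run for this user.
$key = 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$policy = (Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
if ($policy -in @('Unrestricted', 'Bypass')) {
    $findings.Add([pscustomobject]@{
        Check  = 'UserExecutionPolicy'
        Detail = $key
        Info   = "ExecutionPolicy=$policy"
    })
}

# Effective policy per scope, for context (MachinePolicy/UserPolicy set by GPO take
# precedence over the CurrentUser registry value).
$effective = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
Write-Output "Execution policy by scope: $effective"

if ($findings.Count -eq 0) {
    Write-Output 'No profile-script or execution-policy findings.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A profile script that exists but is unexpected is worth triaging by its hash and last-write time before deciding whether it is benign user customisation.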

Living off the Land

Malicious Code in Memory