I published the following diary on isc.sans.edu: “Did You Spot ‘Invoke-Expression’?”:
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string…
The post [SANS ISC] Did You Spot “Invoke-Expression”? appeared first on /dev/random.
Article Link: https://blog.rootshell.be/2020/11/05/sans-isc-did-you-spot-invoke-expression/