Hello, welcome to the Friday, March 31st, 2017 edition of the Santonet Storm Center's Stormcast.

My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

Quite often useful features that are being added to software are being used against you by the bad guys.

Latest example that Xavier shows here is the encoded command feature in PowerShell,

which allows you to execute, for example, base 64 encoded strings.

This is of course useful because it allows you to transport these strings safely

through different channels, but then again it can also be used by bad guys to obfuscate their code.

And simple strings that are often being used to detect malware like SystemNet Webclined or download file and

the like are then really just converted into sort of randomish-looking characters.

Now, some anti-malware, of course, will decode it, but yet more work that you ask your

anti-malver to do.

So it may be worthwhile as Xavier suggests to just look for the encoded command string.

Well, and this may actually work quite well if it wouldn't be for another useful feature in PowerShell

that allows you to abbreviate commands.

For this particular encoded command argument, there are as one commoner

pointed out about 15 different versions to write it. It can be as simple as just the letter

E or E C or E.N and then essentially just any number of letters from the encoded command string.

And Palo Alto has documented pretty interesting

semi-targeted matter campaign.

In this particular case, I call it semi-targeted

because it wasn't really targeted

at a specific organization,

...