Hello, welcome to the Friday, September 25th, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

If I ran into some obfuscated PowerShell script and had a real hard time analyzing it, well, you are in it for a treat if you are following Xavier's diary from today.

Xavier is going over PowerShell ISE, the integration scripting environment that is installed by default on all current versions of Windows, just like the default

PowerShell interpreter.

But what's really different about PowerShe ise is the fact that it's a full interactive

debugger.

What you have to do is you have to load the PowerShe script into PowerShe

ISE and then you can step through it and essentially decode or let the script decode itself

until you can actually read or extract whatever shell code is in it. Now, Xavier has a big warning here.

Be careful when you do this.

And best, of course, to do this on a separate environment,

a separate system.

Because, of course, you don't want any malicious PowerShell script

to execute on a production system that you also have corporate data on.

And if you would like to know more details, Xavier is walking you through a sample script step by step.

So real nice little post here to follow along and do the analysis yourself with Xavier as your guide.

And yes, it is happening. Microsoft announced via its Microsoft Security Intelligence Twitter account

that they are seeing active exploitation of the

Zero Logon vulnerability. So again, this was CVE 2020, 1472 against the net logon

EOP vulnerability. Of course, I mentioned it already a couple times, so everybody here should be

aware of it and hopefully is patched. Let me got a couple smaller updates from Apple. First we got

...