[ No 13  ]

PSMALWARE

Purely-Powershell Malware. Uses Multiple Attack Vectors and Retrieves Sequential Payload from C&C

Exploits

16 FEBRUARY 2020

Only caught by UAC.

Bypasses AV as of 2019.

PSMalware

Includes

  • Bypass
  • Register Alterations
  • Persistence
  • Event Clears
  • Encoding
  • Compression
  • Splitting
  • String formatting

Version 1

  • Runs only on host computer.
  • Kills execution within a VM.
  • Payload: Stop-computer

Version 2

  • Allows VM execution.
  • Includes 3 execution halts for easier reversing.
  • More obfuscation, encoding, string formats.
  • Payload: Stop-computer

by Aaron Ti

© Aaron Ti - Portfolio - 2023