June 2018
With an understanding of basic PowerShell and of the tools to use for analysis, let's now look at how attackers use PowerShell. Because of the restrictions on executing PowerShell scripts (.ps1) from the PowerShell console or by double-clicking (which opens the script in Notepad rather than running it), adversaries rarely send PowerShell scripts to their victims directly. The attacker must first trick the user into executing the malicious code; this is mostly done by sending email attachments containing files such as .lnk, .wsf, JavaScript, or malicious macro documents. Once the user is tricked into opening the attached file, the malicious code can then invoke PowerShell directly (
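The delivery chain described above (a macro document or a .wsf/JavaScript attachment that in turn launches PowerShell) leaves a characteristic parent/child process relationship that a defender can look for. The following is an added example, not code from the book: it parses a few constructed process-creation records in a Sysmon-like `Image=... ParentImage=...` shape (the field names and the sample paths are assumptions for the example) and flags `powershell.exe` launches whose parent is an Office application or a Windows Script Host. The list of suspicious parents is likewise an assumption chosen for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Parent processes from which a powershell.exe launch is worth alerting on:
# Office applications (macro documents) and the script hosts that run
# .wsf / JavaScript attachments. This set is an assumption for the example,
# not an exhaustive or vendor-defined list.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",   # Office macro hosts
    "wscript.exe", "cscript.exe",                  # Windows Script Host (.wsf, .js)
}

CHILD_OF_INTEREST = "powershell.exe"

# Matches the constructed "Image=<path> ParentImage=<path>" record shape used below.
# The non-greedy group stops at the first " ParentImage=", so paths with spaces are fine.
_EVENT_RE = re.compile(r"Image=(?P<image>.+?) ParentImage=(?P<parent>.+)$")

# Constructed sample records for the example (not real telemetry).
SAMPLE_EVENTS = [
    "ProcessCreate Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\winlogon.exe",
    "ProcessCreate Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE ParentImage=C:\\Windows\\explorer.exe",
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "ProcessCreate Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\explorer.exe",
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\wscript.exe",
    # A user opening a console looks the same as a .lnk launch: explorer.exe is the
    # parent in both cases, so this rule deliberately does not flag it.
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe",
    "ProcessCreate Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe",
]


@dataclass(frozen=True)
class Finding:
    parent: str   # basename of the parent process, lower-cased
    child: str    # basename of the spawned process, lower-cased
    raw: str      # the record that triggered the finding


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Return (child_basename, parent_basename) for one record, or None if it is not a process-create record."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    # ntpath handles Windows separators regardless of the analyst's host OS.
    child = ntpath.basename(m.group("image")).lower()
    parent = ntpath.basename(m.group("parent")).lower()
    return child, parent


def find_suspicious_powershell(lines: Iterable[str]) -> List[Finding]:
    """Flag powershell.exe launches whose parent is an Office application or script host."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        child, parent = parsed
        if child == CHILD_OF_INTEREST and parent in SUSPICIOUS_PARENTS:
            findings.append(Finding(parent=parent, child=child, raw=line))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_powershell(SAMPLE_EVENTS):
        print(f"ALERT: {f.parent} spawned {f.child}")
        print(f"  {f.raw}")
```

Run against the constructed records, the rule reports two findings (the `WINWORD.EXE` and `wscript.exe` parents) and stays silent on the `explorer.exe` parent, which is the point of the inline comment: a .lnk attachment is launched by the same parent as a user's own console, so catching that path needs additional context (the shortcut's target, the command line) rather than the parent name alone.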