Finding and Decoding Malicious PowerShell Scripts

Mari DeGrazia


Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as “fileless malware”, they can leave behind forensic artifacts for examiners to find. Learn how to locate and identify the activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contain several layers of obfuscation that need to be decoded. Learn how to manually decode them and perform some light malware analysis on any embedded shellcode through a series of hands-on labs. I will also demonstrate how to use an open-source Python script to automate some of the process once you have discovered the MO of the attacker in your case.


  • Windows system or Windows VM.
  • User must be able to turn off their AV.
  • Helpful if Python 2.7 is installed and added to the Path environment variable.

Mari DeGrazia

Mari DeGrazia is a Director at Kroll Cyber Security, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written and released numerous programs/scripts to the forensics community; presented on her research at several industry conferences; and is a published author in several magazines. She holds several certifications in addition to earning a B.S. in Computer Science from Hawaii Pacific University.