Fileless Malware Analysis & PowerShell Deobfuscation

id watch the unlisted video, always exciting seeing the journey

Nothing better than some John Hammond to start the morning

Because of this videos i was able to be quite high in rankings on Huntress ctf so keep em coming friend (also first ctf ever).

That's the content we want to see john , Thank you !

I know you aren’t sure about the value of showing things like breaking user policy but I have to say, there is a ton of value in seeing that. I actually met you at B Sides in SF last year and mentioned that one of my favorite things about your videos is observing your process. So many of us have gotten where we are by trying and breaking things and once in a while, we feel…dumb lol. Seeing someone else going through a lot of the headaches we have or struggling with some of the same things we have is both valuable and extremely helpful. Please keep making awesome content good sir and thank you!

Hi John I am Heather Hammons, I went to school with a Hammond at Rio Linda High school

You're looking for a very big applause to thank you so much john sir.

pronunciation of the word "malware" as "meowlware" so cool😊

That is interesting, I am also curious about what it attempted to write and what about windows login writes to the HKCU. That if we know that and the agent or process of the system/user that does it, a tighter security measure could be put into control and a better understanding of what is and isn't needed.
Though part of me suspects that HKCU is a fully temp tree, that is recreated each and every time on login, but I am not sure...
a deeper dive on this would be of value I think.

love this kind of content ❤

Haven't seen a lot of deobfuscation lately, nice one

Now to modify the kernel to make your changes actually functional. :)

i knew this would make a good and unusual educational video, glad to see u took my recommendation for a video idea and kinda used it in a more safe way. (if u even used my idea lol).

Nice video @john

Excelente video 👌

John! In order for this to work, threat actors have to input those HKCU keys into the system, how would that be done?

anyrun needs to improve their SEO because I was looking for this one a month ago!!! why don't just include "online virtual machine" in the description? please help others with this! make more easy and simple descriptions. I know it can do some fancy stuff but remember most of us just want to test a site to see if it's a malware etc.

i missed these

I find it amusing that someone who was once Coast Guard is talking about *land* mines. Not a criticism of course, but ...

Was that website limited to 100 users? It seemed to be still active - very active

I would just disable autoruns entirely if not necessary for the organization

Hello

dang

That's Norwegian or Danish.

Become my tutor.

Diddy ram

👍👍👍👍👍👍👍👍👍

erlaerlar

most of modern antimalware softwares nowadays blocks PowerShell execution ( notify user for ask permission ) in HIPS technology so if anyone configure HIPS properly i think it would stop most of malicious codes

what is html ?

Is it love?
😂 duh!

Fanglette9. You can't help but love these obfuscated function names.

Pwsh