A huge shoutout to **ImmersiveLabs** for crafting such engaging and insightful content. Their PowerShell de-obfuscation series served as a major inspiration for this guide—aimed at helping threat hunters, incident responders, and malware researchers navigate the tangled web of obfuscated scripts.

In this second installment, we dive deeper into the dark arts of PowerShell obfuscation. Attackers have refined their techniques beyond simple string manipulation or compression, weaponizing the -join, -split, and -f operators, exploiting whitespace tricks, and drowning scripts in special characters to evade detection. We’ll break down deceptive IEX executions, explore script block logging tricks, and tackle heavily obfuscated VBS payloads that lead to PowerShell execution.

<aside> ✅

If you've ever looked at a script and thought, "This makes no sense,"—you're in the right place.

</aside>


Tracking Down IEX (And 🏃‍♂️Running in the Opposite Direction 💨)

Invoke-Expression (iex) is a powerful yet potentially dangerous PowerShell cmdlet that evaluates and executes a string as code. It is commonly used for dynamic script execution, such as running commands stored in variables or retrieved from external sources.

<aside> ⚠️

It’s heavily advised to use a sandboxed environment to perform the techniques outlined in this article for obvious reasons.

</aside>

It’s a game of attention to detail.

A secure, fully static way to decode is to use CyberChef, which never executes anything.

Alternatively, we can run the expression in PowerShell ISE or directly in a terminal, inside the sandbox.
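The "run in the opposite direction" idea, as an added example that is not part of the original post or ImmersiveLabs' material: a small Python helper that lists every `Invoke-Expression` / `iex` call site in a sample and rewrites each one to `Write-Output`, so that the neutralized script, when run in the sandbox, prints its next stage instead of executing it. The sample script is constructed for the demo, and the pattern deliberately only knows the cmdlet name and its built-in alias.

```python
import re

# Constructed sample for the demo, not a real malware script. It builds a
# command in $cmd and hands it to Invoke-Expression in three common shapes:
# as an argument, through the pipeline, and via the uppercase alias.
SAMPLE = r'''
$cmd = "Write-Host 'stage two'"
Invoke-Expression $cmd
$cmd | iex
IEX ($cmd)
'''

# The cmdlet name and its built-in alias, as whole words, any casing.
# Assumption: the sample calls the cmdlet by name. Aliases created at runtime
# (New-Alias) or calls through & / .Invoke() are outside this pattern.
IEX_PATTERN = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.IGNORECASE)


def find_iex(script: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every line that calls IEX."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(script.splitlines(), start=1)
        if IEX_PATTERN.search(line)
    ]


def neutralize_iex(script: str, replacement: str = "Write-Output") -> str:
    """Rewrite every IEX call so the script emits its payload instead of running it.

    Write-Output accepts input both as an argument and from the pipeline, so the
    rewrite stays valid PowerShell in all three call shapes in SAMPLE.
    """
    return IEX_PATTERN.sub(replacement, script)


if __name__ == "__main__":
    for lineno, line in find_iex(SAMPLE):
        print(f"line {lineno}: {line}")
    print(neutralize_iex(SAMPLE))
```

Treat the rewritten script as still hostile: the rest of it runs unchanged, so it belongs in the same sandbox as the original. A sample that defines its own alias for the cmdlet, or reaches it via `& (Get-Command ...)`, will not be caught by this name-based pattern; that is the moment to fall back to the static CyberChef route above.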

The F’ing Operator

The -f operator in PowerShell is used for string formatting, similar to printf in other languages. It replaces placeholders in a string with specified values. Think of it as PowerShell’s way of doing string interpolation before it was cool. It works by replacing placeholders ({0}, {1}, etc.) with corresponding values provided after -f.

```powershell
PS C:\Users\Vikas> ("{0}{1}{2}{3}{4}" -f "http://", "attackerdomain", ".corp", "/test", "123")
http://attackerdomain.corp/test123
```

The operator is case-insensitive, so `-F` works just as well, and the placeholders do not have to appear in order. The format string alone dictates how the pieces are reassembled, which is exactly what makes a shuffled argument list hard to read at a glance:

```powershell
PS C:\Users\Vikas> ("{1}{4}{0}{2}{5}{3}" -F'RV','RUntIme.Inte','ICes.','ShAL','rOPSe','mar')
RUntIme.InterOPSeRVICes.marShAL
```
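A static resolver for the `-f` trick, added here as an example that is not part of the original post: it parses the format string and the argument list, then reorders the pieces the way .NET composite formatting would, without ever evaluating the expression in PowerShell. The two inputs are the expressions above; the third line of the constructed sample exercises the `{{ }}` brace escape, which a naive search-and-replace on `{n}` gets wrong.

```python
import re

# One string literal, double- or single-quoted. Assumption: no backtick or
# doubled-quote escapes inside the pieces, which holds for typical -f chunks.
_STR = r'(?:"[^"]*"|\'[^\']*\')'

# A whole  "<format>" -f <arg>, <arg>, ...  expression, with or without the
# surrounding parentheses. -f is matched case-insensitively because -F is
# equally valid PowerShell and a common tell in obfuscated samples.
_FMT_EXPR = re.compile(
    r"(?P<open>\(\s*)?(?P<fmt>" + _STR + r")\s*-f\s*"
    r"(?P<args>" + _STR + r"(?:\s*,\s*" + _STR + r")*)"
    r"(?(open)\s*\))",
    re.IGNORECASE,
)
_STR_RE = re.compile(_STR)

# Constructed sample: the two expressions from the text plus a line using the
# {{ }} brace escape, which .NET composite formatting treats as a literal brace.
SAMPLE = r'''$u = ("{0}{1}{2}{3}{4}" -f "http://", "attackerdomain", ".corp", "/test", "123")
$t = ("{1}{4}{0}{2}{5}{3}" -F'RV','RUntIme.Inte','ICes.','ShAL','rOPSe','mar')
$b = "{{0}}" -f 'ignored'
'''


def _unquote(literal: str) -> str:
    return literal[1:-1]


def _expand(fmt: str, args: list[str]) -> str:
    """Apply the composite-formatting rules: {n} picks args[n], {{ and }} are
    literal braces. Alignment or format specs such as {0,5} or {0:x} are left
    untouched so they stay visible to the analyst."""
    def sub(m: re.Match) -> str:
        tok = m.group(0)
        if tok == "{{":
            return "{"
        if tok == "}}":
            return "}"
        idx = int(m.group(1))
        if idx >= len(args):
            raise IndexError(f"placeholder {{{idx}}} but only {len(args)} arguments")
        return args[idx]
    return re.sub(r"\{\{|\}\}|\{(\d+)\}", sub, fmt)


def resolve_format(expr: str) -> str:
    """Resolve a single  "<format>" -f <args>  expression to the string it builds."""
    m = _FMT_EXPR.search(expr)
    if m is None:
        raise ValueError("no -f expression found")
    args = [_unquote(a) for a in _STR_RE.findall(m.group("args"))]
    return _expand(_unquote(m.group("fmt")), args)


def resolve_all(script: str) -> str:
    """Replace every -f expression in a script with the single-quoted literal it
    yields. Expressions whose placeholders exceed the argument count are left
    as they are rather than guessed at."""
    def repl(m: re.Match) -> str:
        args = [_unquote(a) for a in _STR_RE.findall(m.group("args"))]
        try:
            literal = _expand(_unquote(m.group("fmt")), args)
        except IndexError:
            return m.group(0)
        return "'" + literal.replace("'", "''") + "'"
    return _FMT_EXPR.sub(repl, script)


if __name__ == "__main__":
    print(resolve_all(SAMPLE))
```

Run `resolve_all` over a whole sample before anything else: once every `-f` expression has collapsed into a plain literal, the C2 URL and the `Runtime.InteropServices.Marshal` type name read as-is, and the `iex` that consumes them is easy to spot.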

In a real-world sample the same construction is buried in a much longer script, but two things give it away:

  1. C2 URLs are always a hot topic, so any `http` fragment sticks out like a sore thumb, even when it has been chopped into pieces such as `"http://"` and `".corp"`.
  2. Scrutinize the brackets: the format string on the left of `-f` dictates the reassembly order, and a nearby invoke command (`iex`, `Invoke-Expression`) marks where the rebuilt string gets executed. Follow each placeholder back to its argument and the C2 falls out.

The Split-Join Tango