I published the following diary on isc.sans.edu: “Did You Spot “Invoke-Expression”?“:
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string… [Read more]