A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


PowerShell exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation - Michael Gough (ShowMeCon 2018) (Hacking Illustrated Series InfoSec Tutorial Videos)

PowerShell exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation
Michael Gough

ShowMeCon 2018
http://www.showmecon.com

PowerShell is all the rage for the Red Team and the criminals. There are many tools or frameworks now available to Pentesters and the criminal elements. Utilizing PowerShell in attacks and exploit systems without requiring the addition of malicious binaries, rather live of the land and use the built-in Windows PowerShell functionality to get the job done is the Red Teams goal, so what about the Blue Team? PowerShell attacks CAN be detected, and everyone should be moving to configure their systems to record what is needed to capture PowerShell attacks and all the Fu that goes along with it. Because by default, Windows does NOT enable what you will need to detect PowerShell exploitation. This talk will show a few examples of PowerShell exploitation that can be caught, what and why it can be detected, what you need to configure, what kind of queries you will need to build to capture malicious activity, and of course some examples queries you can use to build your own reports and alerts to detect and hunt for malicious PowerShell.

Bio: Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael is also blogs on HackerHurricane.com on various InfoSec topics. Michael also is co-host of the "Brakeing Down Incident Response" BDIR Podcast to education on Incident Response daily tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.

Back to ShowMeCon 2018 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast