PowerShell is all the rage for the Red Team and the criminals. There are many tools or frameworks now available to Pentesters and the criminal elements. Utilizing PowerShell in attacks and exploit systems without requiring the addition of malicious binaries, rather live of the land and use the built-in Windows PowerShell functionality to get the job done is the Red Teams goal, so what about the Blue Team? PowerShell attacks CAN be detected, and everyone should be moving to configure their systems to record what is needed to capture PowerShell attacks and all the Fu that goes along with it. Because by default, Windows does NOT enable what you will need to detect PowerShell exploitation. This talk will show a few examples of PowerShell exploitation that can be caught, what and why it can be detected, what you need to configure, what kind of queries you will need to build to capture malicious activity, and of course some examples queries you can use to build your own reports and alerts to detect and hunt for malicious PowerShell.

Bio: Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael is also blogs on HackerHurricane.com on various InfoSec topics. Michael also is co-host of the "Brakeing Down Incident Response" BDIR Podcast to education on Incident Response daily tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.

Back to ShowMeCon 2018 video list