PowerShell Security: Defending the Enterprise from the Latest Attack Platform

PowerShell as an attack platform was first publicly demonstrated at DEF CON 18 (2010) in Dave Kennedy and Josh Kelly's talk and has since grown into an effective post-exploitation tool for the Red Team (and the attacker). Microsoft Windows 7 and Windows Server 2008 R2 shipped with PowerShell version 2 as a core operating system component, meaning it cannot be uninstalled. As organizations migrate from Windows XP and Windows Server 2003 to newer versions of Windows, they find that PowerShell is built into the OS by default. With attackers leveraging PowerShell code as part of their attack portfolio, it is more important than ever for organizations to understand how to detect, mitigate, and prevent PowerShell attacks.

The purpose of this talk is to familiarize the audience with PowerShell's offensive capabilities, how attackers leverage PowerShell as an attack platform, and what can be done to counter these tactics. PowerShell attack tools such as PowerSploit and PowerShell Empire are covered, and new techniques to mitigate and detect these attacks are demonstrated. A number of compelling security enhancements in the latest PowerShell v5 are covered as well.

The talk content is sourced primarily from my research, and much of the information is new to this presentation. Given the prevalence of PowerShell in the enterprise, this material is critical to detecting and defending against attacks that leverage this new platform.

This presentation shows attendees how PowerShell attacks work (and why) and provides effective methods to detect and mitigate modern PowerShell attacks in the enterprise.

Key takeaways:

  1. Information on how modern attackers leverage PowerShell as a platform, illustrated with real-world PowerShell attacks.

  2. Knowledge of the most common PowerShell attack frameworks/tools, their shared components, and their capabilities. This information is unique to this talk.

  3. Methods to detect and mitigate the latest PowerShell attack techniques, as well as the PowerShell security enhancements that ship with the latest version of PowerShell and Windows 10.

Presented by