PowerShell Security: Defending the Enterprise from the Latest Attack Platform

BSidesDC 2016

Presented by: Sean Metcalf
Date: Saturday October 22, 2016
Time: 13:30 - 14:20
Location: Grand Central
Track: Track 2

PowerShell as an attack platform was first publicly demonstrated at DEF CON 18 (2010) in Dave Kennedy & Josh Kelly's talk and has grown to be an effective post-exploitation tool useful for the Red Team (and attacker). Microsoft Windows 7 and Windows Server 2008 R2 were released with PowerShell version 2 configured as a core operating system component, meaning it cannot be uninstalled. As organizations update systems from Windows XP and Windows 2003 to newer versions of Windows, they realize that PowerShell is built into the OS by default. With attackers leveraging PowerShell code as part of the attack portfolio, it's more important than ever for organizations to understand how to detect, mitigate, and prevent PowerShell attacks.

The purpose of this talk is to familiarize the audience with PowerShell's offensive capabilities, how attackers leverage PowerShell as an attack platform, and what can be done to counter these tactics. PowerShell attack tools such as PowerSploit and PowerShell Empire are covered and new techniques to mitigate and detect these attacks are demonstrated. A number of compelling security enhancements in the latest PowerShell v5 are covered as well.

The talk content is sourced primarily from my research and much of the information is new to this presentation. Given the prevalence of PowerShell in the enterprise, this material is critical to detecting and defending against attacks leveraging this new platform.

This presentation shows attendees how PowerShell attacks work (& why) and provides effective methods to detect and mitigate modern PowerShell attacks in the enterprise.

Key takeaways:

  1. Information on how modern attackers leverage PowerShell as a platform showing real-world PowerShell attacks.

  2. Knowledge of the most common PowerShell attack frameworks/tools, shared components, and their capabilities. This information is unique to this talk.

  3. Methods to detect and mitigate the latest PowerShell attack techniques as well as PowerShell security enhancements with the latest version of PowerShell and Windows 10.

Sean Metcalf

Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3.
