Investigating PowerShell Attacks

Presented at Black Hat USA 2014, Aug. 7, 2014, 4:05 p.m. (25 minutes)

Over the past two years, we've seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you've got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features. This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.

Presenters:

  • Matt Hastings
    Matthew Hastings is a Consultant in Mandiant's Alexandria, VA office. Mr. Hastings' particular areas of expertise include enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments. Mr. Hastings has experience working with the Federal government, the defense industrial base, the financial industry, the telecommunications industry, Fortune 500 companies, and global organizations.
  • Ryan Kazanciyan - Mandiant, a division of FireEye, Inc.
    Ryan Kazanciyan is a Technical Director with Mandiant and has ten years of experience in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led incident response and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. He has also helped develop Mandiant's investigative methodologies, forensic analysis techniques, and technologies to address the challenges posed by skilled intruders in complex environments. Prior to his work in incident response, Ryan led and executed penetration tests for both private and public-sector clients. His background included red-team operations in Windows and Unix environments, web application security assessments, and social engineering. As a lead instructor and content author for Mandiant's incident response training, Ryan also regularly teaches classes for corporate security teams, federal law enforcement, and at industry conferences.
