(Re)Investigating Powershell attacks

Presented at BruCON 0x0A (2018), Oct. 3, 2018, 1:30 p.m. (60 minutes)

At BruCon 2014, we presented “Investigating PowerShell Attacks” at what ended up being the precipice of widespread adoption and abuse of PowerShell in the wild. A year later, we examined how PowerShell Desired State Configuration (DSC) provided further avenues for covert persistence and C2. In this presentation, we’ll look at how these offensive techniques - and the corresponding approaches to detection and response - have evolved.

Presenters:

• Ryan Kazanciyan
• Matt Hastings

Links:

• https://brucon0x0a.sched.com/event/FXI0/reinvestigating-powershell-attacks
• https://infocon.org/cons/BruCON/BruCON 0x0A 2018/(Re)Investigating Powershell attacks - Matt Hastings and Ryan Kazanciyan.mp4
• https://infocon.org/cons/BruCON/BruCON 0x0A 2018/(Re)Investigating Powershell attacks - Matt Hastings and Ryan Kazanciyan.eng.srt (subtitles)
• https://www.youtube.com/watch?v=W4Wq4vaBDAo

Similar Presentations:

• PancakesCon 1 (2020) Virtual / PowerShell and Pickling
• DeepSec 2016 „Ten“ / Offensive PowerShell for Red and Blue Teams (closed)
• BSidesDC 2016 / PowerShell Security: Defending the Enterprise from the Latest Attack Platform