Powershell-Fu – Hunting on the Endpoint

Presented at BSidesLV 2016, Aug. 3, 2016, 10:45 a.m. (45 minutes).

Hunting is the art of searching for badness and unauthorized activity on our own systems or network.  By knowing what is normal in our networks and what is possible of adversaries, the hunter can identify malware, signs of unauthorized activity, and indicators of compromise lurking within. In this session, we will explore how to hunt for malware and compromises on windows endpoints using built-in Powershell commands and scripts.  We will explore how to validate what's running on our systems and identify some of the tell-tale signs that you've been pwned. The failure of automated prevention and detection coupled with a disappearing perimeter means hunting will become an increasingly important skill among defenders. The skills demonstrated will be useful on your own local system or remotely against hundreds or even thousands of systems.


Presenters:

  • Chris Gerritz - Co-Founder and CEO - Infocyte
    Chris is co-founder of Infocyte, a malware and threat hunting product developer. Chris is a pioneer in defensive cyberspace operations having helped establish and lead the U.S. Air Force's Enterprise Hunt Team.  Prior to co-founding Infocyte, Chris served as the Air Force Computer Emergency Response Team (AFCERT)'s first Chief of Counter-Cyber Operations. In this role, he led a team of 28 operators tasked with finding, tracking, and neutralizing state-sponsored threats on the Air Force's $2B, 800k node enterprise network. He personally conducted and/or oversaw 350+ adversarial hunt and incident response missions on networks throughout the world. Chris holds a B.S. in Electrical & Computer Engineering from Oregon State University. When he isn't working, he might be found hanging out on Battle.net or mixing up a new Powershell script/cmdlet.

Links:

Similar Presentations: