Preventing and Detecting Modern PowerShell Attacks – MITRE ATT&CK T1059.001

Webinar Registration

PowerShell is powerful and ubiquitous. Without even executing powershell.exe or touching the file system, attackers can leverage PowerShell to access any functionality on the Windows system – including the full Windows API. That means an attacker can implement any amount of malicious functionality in PowerShell and has a variety of options for obfuscation and stealth. In fact, entire offensive testing suites have been written in PowerShell, such as Empire, PoshC2 and PowerSploit. MITRE ATT&CK devotes an entire sub-technique to PowerShell: T1059.001.

Of course, those of us in the defense world know this about attackers and PowerShell, and years ago we started looking for indicators of PowerShell malware and attempting to lock down PowerShell against malicious use. But that has proven difficult.

In this real training for free event, we will show you how sophisticated attackers hide PowerShell code in plain sight to avoid detection and how they evade preventive controls designed to block malicious use of PowerShell. Some of the techniques we’ll discuss include:

  • Encoding
  • Compression
  • Fileless PowerShell
  • Bypass of powershell.exe
  • Introspection
  • Reflection
  • Execution from Excel macros

Then we’ll shift into defense mode and first look at preventive controls including mitigations like:

  • Code signing
  • Disabling local and remote PowerShell
  • Execution prevention
  • Execute permission
  • AppLocker
  • PowerShell Constrained Language Mode

We will discuss how each of those preventive controls has its limitations and can potentially break other functionality needed by some environments.

Then we will move on to discussing detective controls for PowerShell. The good news is that Windows provides detailed auditing capabilities for PowerShell that let you see which modules were loaded and which commands were actually executed. But you have to turn PowerShell auditing on. I will show you how and introduce you to the logs it generates.
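As an added illustration of the auditing just described (example code written for this page, not material from the webinar or from ManageEngine), the script below turns on Script Block Logging and Module Logging through the same policy registry keys Group Policy writes, then reads Event ID 4104 records from the PowerShell Operational log and flags script blocks that use the encoding, compression and reflection techniques listed above. The indicator list is a constructed starting point, not an exhaustive one, and the script must run elevated.

```powershell
# Added example: enable PowerShell auditing and triage Event ID 4104 script blocks.
#Requires -RunAsAdministrator

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditing {
    # Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module Logging -> Event ID 4103 (pipeline execution details); '*' covers every module
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

# Substrings worth triaging; constructed for this example and deliberately short.
$indicators = @(
    'FromBase64String',           # Encoding
    'IO.Compression',             # Compression (Gzip/Deflate streams)
    'Reflection.Assembly',        # Reflection / in-memory assembly loading
    'Invoke-Expression', ' IEX '  # Executing generated strings
)

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104, Properties[2] is the (possibly chunked) script block text,
            # Properties[3] is the ScriptBlockId that ties the chunks together.
            $text = [string]$_.Properties[2].Value
            $hits = $indicators | Where-Object { $text -like "*$_*" }
            if ($hits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    ScriptId   = $_.Properties[3].Value
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellAuditing
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Because this script's own text contains the indicator strings, its own 4104 record will appear in the results once logging is active, which is a useful first confirmation that auditing is working.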

The next step is collection and analysis of all those logs. This is where our sponsor ManageEngine comes in. Vivin Sathyan from ManageEngine will briefly demonstrate how ADAudit Plus can collect PowerShell logs from your Windows servers and workstations and then alert you when it detects suspicious PowerShell activity.

Please join us for this real training for free session.
