Play all

Intro

PowerShell Exploitation

What is set? What version?

Audit with LOG-MD

PS Event IDs - Windows PowerShell

PS Event IDs - PowerShell/Operational

What is Malware Using?

Exploit Kits

Typical Malware launching PowerShell

Did that look normal?

They do this to hide what you see

PowerShell Logs show it too

Base64 Encoded

Manual Translation

PS Base 64 blob

4104 Decodes Base64 blobs

Obfuscation - Odd stuff - 4688

Script Blocks are labeled

This is a normal Script Block

WARNING !!!!

4100 - Executing Pipeline

PS v2 - 500 Events

Filtering out the good, to find the bad

Code your PowerShell for exclusion

Create Email Alerts

PowerShell Log Goodness

Security Log

PowerShell v5

How do I hunt for PS?

Summary

Resources

Questions?

Description:

Explore PowerShell exploitation techniques, including PowerSploit, Bloodhound, and PowerShellMafia, in this 50-minute conference talk from ShowMeCon 2018. Delve into PowerShell security, event logging, and malware detection methods. Learn about obfuscation techniques, base64 encoding, and script block logging. Discover how to filter logs, create email alerts, and effectively hunt for malicious PowerShell activity. Gain insights into PowerShell versions, audit logging, and best practices for securing your environment against PowerShell-based attacks.

PowerShell Exploitation - PowerSploit - Bloodhound - PowerShellMafia - Obfuscation

Add to list

#Conference Talks #Computer Science #Information Technology #Windows Systems Administration #Windows Server #Active Directory #Active Directory Security #BloodHound

0:00 / 0:00