PowerShell Attack Scenarios: How Attackers Do It and How to Detect

Webinar Registration

For the past several years I've been beating the drum on detecting unauthorized EXEs and DLLs on your network. It looks like at least some of us have beefed up our defenses in that area because the bad guys are adjusting and ushering in a new phase of this ever escalating arms race. To evade detection, advanced attackers are switching to a “living off the land” strategy.

When you are an attacker “living off the land” you don’t bring in custom EXEs like remote administration tools which can be detected in short order if organizations know what to look for and are vigilant across all endpoints. In fact, really advanced attackers living off the land can almost completely avoid writing to disk and registry at all.

To live off the land attackers leverage standard tools included and enabled by default in Windows.

One of the most powerful tools at their disposal is PowerShell. In this real training for free ™ webinar Jason Garman, from our sponsor CarbonBlack, will join me to help explain 3 ways attackers use to exploit PowerShell in order to perform actions on objectives, dump credentials, and move laterally through target networks.

Ranging from easy to sophisticated:

  1. PowerShell set script policy to “unrestricted”
  2. Lateral movement via WinRM & PowerShell
  3. Reflective DLL injection via powershell (for example, mimikatz)

We will explain how each one of these techniques works and even demonstrate some aspects of them.

But then we will discuss how you can mitigate the risk of PowerShell-leveraged attacks through prevention and detection. As you will see your prevention options are fairly “ham-fisted” meaning you have to choose between disabling major pieces of functionality or remaining exposed.

On the other hand, detection is possible if you know what to look for. Jason will show you techniques and technologies Carbon Black have developed to detect and immediately respond to PowerShell-based attacks and more. For instance, Jason will explain how to detect PowerShell being started by a remote WMI session by correlating child and parent process IDs and executable names.

This real training for free ™ event reveals cutting edge attack techniques and how to defend against them. Don't miss it! Please register now.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources