PowerShell is like nuclear fission—it's powerful, and it can be used for good and evil. The bad guys love to exploit PowerShell for at least three reasons:
- It's already installed on most versions of Windows. However, you can configure PowerShell to be less friendly to bad guys, and this is increasingly becoming part of the out-of-the-box (OOBE).
- It's powerful. You really can do just about anything in PowerShell—even call into the Win32 API if enabled.
- There are no EXEs or DLLs to upload. As bad guys increasingly move to a “living off the land” approach, they need the ability to do low-level stuff without uploading the executable files that we are getting better at detecting.
Lee Holmes (Microsoft's PowerShell extraordinaire) will be joining me to show you how to catch intruders exploiting PowerShell to their own ends.
First, we will provide a brief overview of PowerShell security capabilities especially enhancements in PowerShell 5.0 which Lee Holmes is excited to talk about. There are some really good preventive steps you can take to limit your exposure to PowerShell-related risks. And PowerShell 5.0 is available on Windows 2008 R2 SP1 and Windows 7 SP1 and up, so this isn't vaporware.
Then we will zero in on the auditing capabilities in PowerShell. We'll show you how to enable PowerShell logging so that you get events for every script block executed. This allows you to see exactly what PowerShell commands are being run. We’ll show you sample events and discuss how to interpret them, how to filter the noise and more. PowerShell can also log full transcripts of every PowerShell session to a central shared folder. We'll show you how to enable transcripts via group policy and explore the files created.
I'll also briefly point out some less powerful, but easy-to-implement techniques for just detecting the use of PowerShell itself using Process Tracking events. This can be useful for highly controlled endpoints where use of PowerShell at all is very limited and easy to recognize if PowerShell is being used in an unusual way.
Of course producing valuable audit data is one thing. Collecting, analyzing and alerting on it is another. And that's where our sponsor, LogRhythm, comes in. The security experts at LogRhythm have been following the increased exploitation of PowerShell by the bad guys and been publishing their own tips on how to combat. Greg Foss will briefly demonstrate LogRhythm's built-in knowledge of PowerShell and its ability to correlate PowerShell events with all the other security intelligence LogRhythm collects from your enterprise.
Please join me for this in depth, real training for free ™, event. Register now!