Preventing and Detecting Modern PowerShell Attacks – MITRE ATT&CK T1059.001

Webinar Registration

PowerShell is powerful and ubiquitous. Without even executing powershell.exe or touching file system, attackers can leverage PowerShell to access any functionality on the Windows system – including the full Windows API. That means you as an attacker can code any amount of malicious functionality in PowerShell and have a variety of options at your disposal for obfuscation and stealth. In fact, entire offensive testing suites have been written in PowerShell such as Empire, PoshC2 and PowerSploit. MITRE ATT&CK devotes an entire sub technique to PowerShell: T1059.001.

Of course, those of us in the defense world know this about attackers and PowerShell, and years ago we started looking for indicators of PowerShell malware and attempting to lock down PowerShell against malicious use. But that has proven difficult.

In this real training for free event, we will show you how sophisticated attackers hide PowerShell code in plain sight to avoid detection and how they evade preventive controls designed to pre-empt malicious use of malware. Some of the techniques we’ll discuss include:

  • Encoding
  • Compression
  • Fileless PowerShell
  • Bypass of powershell.exe
  • Introspection
  • Reflection
  • Execution from Excel macros

Then we’ll shift into defense mode and first look at preventive controls including mitigations like:

  • Code signing
  • Disabling local and remote PowerShell
  • Execution prevention
  • Execute permission
  • AppLocker
  • PowerShell Constrained Language Mode

We will discuss how each of those preventive controls has its limitations and can potentially break other functionality needed by some environments.

Then we will move on to discussing detective controls for PowerShell. The good news is, Windows provides detailed auditing capabilities for PowerShell that allow you to see modules loaded and actual commands executed. But you have to turn on PowerShell auditing. I will show you how and introduce you to the logs it generates.

Next step is collection and analysis of all those logs. This is where our sponsor ManageEngine comes in. Vivin Sathyan from ManageEngine will briefly demonstrate how ADAudit Plus can collect PowerShell logs from your Windows servers and workstations and then alert you when it detects suspicious PowerShell activity.

Please join us for this real training for free session.

 
First Name:   
Last Name:   
Work Email:  
Phone:  
Organization:  
Servers & Workstations:
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.

 

 

Additional Resources