Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Investigating PowerShell Attacks
- 1 Intro
- 2 Background Case Study
- 3 Why PowerShell?
- 4 PowerShell Attack Tools
- 5 PowerShell Malware in the Wild
- 6 Investigation Methodology
- 7 Attacker Assumptions
- 8 Version Reference
- 9 WinRM Process Hierarchy
- 10 Remnants in Memory
- 11 How Long Will Evidence Remain?
- 12 Example - Simple Command
- 13 Example - Encoded Command
- 14 What to Look For?
- 15 Memory Analysis Summary
- 16 PowerShell Event Logs
- 17 Local PowerShell Execution
- 18 Remoting (Accessed Host)
- 19 PS Analytic Log: Decoded Input
- 20 PS Analytic Log: Encoded I/O
- 21 PS Analytic Log: Decoded Output
- 22 Logging via PowerShell Profiles
- 23 Logging via AppLocker
- 24 PowerShell 3.0: Module Logging
- 25 Module Logging Example: File Listing
- 26 Module Logging Example: Invoke-Mimikatz
- 27 PowerShell Persistence
- 28 Common Techniques
- 29 Persistence via WMI
- 30 Event Filters
- 31 Event Consumers
- 32 Enumerating WMI Objects with PowerShell
- 33 PS WMI Evidence: File System
- 34 PS WMI Evidence: Registry
- 35 PS WMI Evidence: Other Sources
- 36 Other Sources of Evidence
- 37 Lessons Learned
- 38 Acknowledgements
- 39 Questions?
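Segments 29 to 35 cover persistence through permanent WMI event subscriptions, which are built from three objects in the root/subscription namespace: an __EventFilter (a WQL query that fires on some event), an __EventConsumer (the action, which for CommandLineEventConsumer or ActiveScriptEventConsumer means running attacker-supplied code), and a __FilterToConsumerBinding that ties them together. The script below is an added example, not code from the talk or from Class Central, that enumerates that triad and flags the code-executing consumer classes. It assumes PowerShell 3.0 or later (for Get-CimInstance), an elevated session so all subscriptions are visible, and that a binding's Filter and Consumer references resolve by their Name key; the helper Get-RefName is hypothetical and exists only to handle both the CimInstance and path-string forms of a reference.

```powershell
# Added example, not from the talk: enumerate permanent WMI event subscriptions
# (__EventFilter / __EventConsumer / __FilterToConsumerBinding) and flag the
# consumer classes that execute code. Assumes PowerShell 3.0+ and an elevated session.
$ns = 'root/subscription'

# A binding's Filter/Consumer reference is a CimInstance (key properties only)
# when read through CIM cmdlets, or a WMI path string such as
# __EventFilter.Name="Foo" through older WMI paths. Handle both. (Hypothetical helper.)
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
        return $Ref
    }
    return [string]$Ref.Name
}

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# __EventConsumer is the abstract base; the query returns the concrete derived instances.
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Index by Name so each binding can be resolved to its filter and consumer.
$filterByName   = @{}
foreach ($f in $filters)   { $filterByName[$f.Name]   = $f }
$consumerByName = @{}
foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

# CommandLineEventConsumer spawns a process; ActiveScriptEventConsumer runs VBScript/JScript.
$codeExecClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filterByName[$fName]
    $c = $consumerByName[$cName]

    $query = '<missing filter>'
    if ($f) { $query = $f.Query }

    $class   = '<missing consumer>'
    $payload = $null
    if ($c) {
        $class = $c.CimClass.CimClassName
        # The payload lives in a class-specific property.
        switch ($class) {
            'CommandLineEventConsumer'  { $payload = $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($c.ScriptText) { $payload = $c.ScriptText } else { $payload = $c.ScriptFileName }
            }
        }
    }

    [pscustomobject]@{
        Filter        = $fName
        Query         = $query
        Consumer      = $cName
        ConsumerClass = $class
        Payload       = $payload
        Suspicious    = [bool]($c -and ($codeExecClasses -contains $class))
    }
}
```

On a clean workstation this usually returns nothing, or only vendor-installed subscriptions whose consumers are not of the two flagged classes. Review the Query column of anything flagged as well as the Payload: a filter on __InstanceModificationEvent against Win32_LocalTime or Win32_PerfFormattedData_PerfOS_System is a common way to get periodic execution, and a CommandLineTemplate that launches powershell.exe with -EncodedCommand is worth decoding before anything else. An empty result rules out only this mechanism, not the other persistence techniques the talk lists, and an attacker with administrator rights can remove the subscription after use, which is why the file system, registry and event log artefacts covered in segments 33 to 35 matter as corroboration.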