Overview
Syllabus
Intro
Background Case Study
Why PowerShell?
PowerShell Attack Tools
PowerShell Malware in the Wild
Investigation Methodology
Attacker Assumptions
Version Reference
WinRM Process Hierarchy
Remnants in Memory
How Long Will Evidence Remain?
Example - Simple Command
Example-Encoded Command
What to Look For?
Memory Analysis Summary
PowerShell Event Logs
Local PowerShell Execution
Remoting (Accessed Host)
PS Analytic Log: Decoded Input
PS Analytic Log: Encoded I/O
PS Analytic Log: Decoded Output
Logging via PowerShell Profiles
Logging via AppLocker
PowerShell 3.0: Module Logging
Module Logging Example: File Listing
Module Logging Example: Invoke-Mimikatz
PowerShell Persistence
Common Techniques
Persistence via WMI
Event Filters
Event Consumers
Enumerating WMI Objects with PowerShell
PS WMI Evidence: File System
PS WMI Evidence: Registry
PS WMI Evidence: Other Sources
Other Sources of Evidence
Lessons Learned
Acknowledgements
Questions?
Taught by
BruCON Security Conference