Investigating PowerShell Attacks

Delve into the world of PowerShell attacks and their forensic investigation in this comprehensive conference talk from BruCON 0x06. Explore how targeted attackers leverage PowerShell for command-and-control operations in compromised Windows environments, focusing on common attack patterns such as lateral movement, remote command execution, reconnaissance, file transfer, and persistence establishment. Learn to collect and interpret forensic artifacts both on individual hosts and across enterprises, with real-world incident examples and recommendations for limiting exposure. Discover investigation methodologies, including memory analysis, event log examination, and WMI object enumeration. Gain insights into PowerShell versions, WinRM process hierarchy, and various logging techniques. Understand attacker assumptions, evidence longevity, and the intricacies of PowerShell persistence mechanisms. Equip yourself with valuable lessons learned and enhance your ability to detect and respond to PowerShell-based threats in your organization's Windows infrastructure.