Explore the increasing use of PowerShell by targeted attackers for command-and-control in compromised Windows environments in this 25-minute Black Hat conference talk. Delve into common attack patterns performed through PowerShell, including lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence. Learn how to collect and interpret forensic artifacts left behind by these attacks, both on individual hosts and across the enterprise. Gain insights from real-world incident examples and discover recommendations for limiting exposure to PowerShell-based attacks. Understand the implications of PowerShell 2.0 being installed on Windows 7 and Server 2008 R2, as well as the default enabling of remoting on Server 2012.
Overview
Syllabus
Investigating PowerShell Attacks
Taught by
Black Hat