
Living Off the Land 2 - A Minimalist's Guide to Windows Defense

via YouTube

Overview

A conference talk on minimalist Windows defense built around "Living off the Land": using only tooling that already ships with the operating system rather than deploying additional agents. It covers PowerShell Remoting over WinRM, WMI-based data collection (CimSweep), intrusion detection with WMI event subscriptions (Uproot), ETW (Event Tracing for Windows) for incident response, and PowerForensics for disk-level investigation. The final part examines Device Guard, how it compares to AppLocker, how to monitor it, and known bypass strategies together with their mitigations. The material is presented from both the defensive and the offensive perspective.

Syllabus

Intro
Motivations for "Living off the Land"
Case for PS Remoting (WinRM)
PowerShell Remoting
WMI-based Data Collection
CimSweep - Introduction
Intrusion Detection
WMI Event Basics - Events
WMI Query Language via PowerShell
Uproot - Introduction
ETW Introduction
ETW Terminology
Common ETW Usage
ETW for Incident Response
ETW Capture Scenario
Investigation
PowerForensics - Introduction
Taking Ideas from the Bad Guys
Device Guard - Introduction
Device Guard vs. AppLocker
Device Guard Monitoring
Device Guard Bypass Strategies
Device Guard Bypass Mitigations
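As an added illustration of the "Intrusion Detection" and "WMI Query Language via PowerShell" topics in the syllabus (this is example code written for this page, not code from the talk or from the CimSweep or Uproot projects), the following PowerShell registers a session-scoped WMI event subscription that records every new process and flags one illustrative parent/child chain. It uses only built-in CIM cmdlets, in the spirit of the talk. Assumptions: an elevated PowerShell 5.1 session on the local host, a 2-second polling interval, and a watchlist of Office applications and script hosts that is illustrative only and should be replaced with your own detection logic.

```powershell
# Added example (not from the talk): temporary WMI event subscription that
# records process creation and flags an illustrative "Office spawns a shell" chain.
# Assumptions: elevated PowerShell 5.1 on the local host; the watchlists below
# are placeholders, not a vetted detection rule.

# WQL intrinsic event: poll every 2 seconds for newly created Win32_Process instances.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"

$action = {
    # For CIM indication events the new __InstanceCreationEvent is in NewEvent;
    # its TargetInstance is the Win32_Process that was just created.
    $proc = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Resolve the parent so that parent/child chains are visible in the record.
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue

    $record = [pscustomobject]@{
        Time        = Get-Date
        Pid         = $proc.ProcessId
        Name        = $proc.Name
        CommandLine = $proc.CommandLine
        ParentPid   = $proc.ParentProcessId
        ParentName  = $parent.Name
    }

    # Illustrative rule (assumed watchlists): a script host launched by an Office app.
    $scriptHosts = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $officeApps  = 'winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe'
    if ($scriptHosts -contains $proc.Name.ToLower() -and
        $officeApps -contains "$($parent.Name)".ToLower()) {
        Write-Warning "Suspicious child process: $($record | ConvertTo-Json -Compress)"
    }

    # Append every creation to a CSV so the session leaves an audit trail.
    $record | Export-Csv -Path "$env:TEMP\proc-create.csv" -Append -NoTypeInformation
}

# Register-CimIndicationEvent is the CIM (WMI v2) cmdlet. This subscription lives only
# for the current PowerShell session; no permanent consumer is written to the repository.
$sub = Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcCreate' -Action $action

# Leave the session running to collect events. Tear down with:
#   Unregister-Event -SourceIdentifier 'ProcCreate'
```

Two caveats a practitioner will hit: the WITHIN polling interval means a process that starts and exits inside the 2-second window can be missed, and the extrinsic Win32_ProcessStartTrace class avoids polling but does not expose the command line. A subscription registered this way disappears when the session ends; a persistent detector needs a permanent subscription (__EventFilter, __EventConsumer, __FilterToConsumerBinding), which is also exactly what attackers use for WMI persistence, so treat the repository as something to audit as well as a place to put sensors.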
