Overview
Explore the evolving landscape of PowerShell and its role in cybersecurity through this in-depth conference talk from Security BSides London. Delve into the complexities of modern attack surfaces, Windows endpoint technologies, and the challenges faced by both offensive and defensive teams. Gain insights into advanced techniques involving System.Management.Automation.dll, .NET manipulations, and process injection methods. Examine the evolution of tools like PoshC2 and its C# implant, while learning about common operational security pitfalls and detection strategies. Discover the future of memory-resident malware and the changing dynamics of red teaming over the next 12-18 months. Through demonstrations and expert analysis, uncover the nuances of PowerShell's alleged demise and its continued relevance in specific environments.
Syllabus
Team Spicy Weasel
What is PowerShell & is it DEAD?
Evolution of PoshC2 2016 - 2019
Generic PowerShell Implant
Carbon Black / Tanium / EDR
Defensive / Legacy Approach Reactive
Example Vendors
Attacker Thoughts
Avoidance - Carbon Black
Trickery
Parent PID Spoofing / Carbon Black
Detecting Parent Spoofing
EDR Hooking
Bringing Back The Good Times
Demo - Before
Demo - After
Migrating with COM into IE
The key to this? Junction folders
How can we use that
Shell windows
Getting the reg keys
EDR Summary
Future Predictions
Taught by
Security BSides London