This Saturday at BSides DC, I am presenting on the current state of PowerShell security in a talk called, “PowerShell Security: Defending the Enterprise from the Latest Attack Platform.”
I cover some of the information I’ve posted here before:
- PowerShell Version 5 Security Enhancements
- PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection
- Detecting Offensive PowerShell Attack Tools
On Saturday, October 21st, 2016, I am speaking at BSides DC in Track 2 (“Grand Central”) at 1:30pm.
Here’s the talk description from the BSides DC website:
PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have recently learned that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.
With the industry shift to an “Assume Breach” mentality, it’s important to understand the impact of defending against an attacker on the internal network since this is a major shift from the traditional defensive paradigm. In its default configuration, there’s minimal PowerShell logging and nothing to slow an attacker’s activities. Many organizations seek to block the PowerShell executable to stop attacks. However, blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. Simply put, don’t block PowerShell, embrace it. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like PowerSploit (Invoke-Mimikatz) and the recently released PowerShell Empire become more prevalent (and more commonly used), it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate a variety of PowerShell attack methods.
The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. PowerShell recon & attack techniques are shown as well as methods of detection & mitigation. Also covered are the latest methods to bypass and subvert PowerShell security measures including PowerShell v5 logging, constrained language mode, and Windows 10’s AMSI anti-malware for scanning PowerShell code in memory. The final part of the presentation explains why PowerShell version 5 should be every organization’s new baseline version of PowerShell due to new and enhanced defensive capability.
This talk is recommended for anyone tasked with defending and testing the defenses for an organization as well as system administrators/engineers.
This presentation outlines the capability of the current PowerShell version and how current attacks are leveraging PowerShell, including how current PowerShell security (& logging) can be bypassed!
The talk wraps up with a summary of the defensive recommendations provided throughout the presentation.
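As an added example (not from the post or the talk itself), here is how the PowerShell v5 logging baseline and the "monitor, don't block" approach from the description fit together in PowerShell: it enables script block and module logging through the same registry values the Group Policy settings write, then sweeps the 4104 events for names the talk mentions. It assumes PowerShell 5.x on Windows run from an elevated console; the function names and the indicator watchlist are my own choices.

```powershell
# Added example, not the talk's code. Registry paths mirror the
# "Turn on PowerShell Script Block Logging" / "Turn on Module Logging" policies.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging (event 4104) records the code the engine actually ran,
    # so it still fires when PowerShell is hosted without powershell.exe.
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging (event 4103) records pipeline execution; '*' covers all modules.
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Constructed starter watchlist: the tool the talk names plus common
        # download-and-execute cmdlets; tune it to your environment.
        [string[]]$Indicators = @('Invoke-Mimikatz', 'Invoke-Expression',
                                  'DownloadString', 'FromBase64String')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For a 4104 event, Properties[2] holds the (de-obfuscated) script block text.
        $text = [string]$_.Properties[2].Value
        $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Host      = $_.MachineName
                Indicator = ($hits -join ',')
                Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Events only appear for code run after logging is enabled, so a sweep immediately after turning it on will be empty until the next PowerShell activity on the host.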
For the curious, here’s an outline of the talk*:
- Quick PowerShell Overview
- PowerShell v5
- AMSI (Windows 10)
- Just Enough Administration (JEA)
- PowerShell as an Attack Platform
- Real World Attack Code Analysis
- Bypassing PowerShell Security & Mitigation
- Executing PowerShell code without calling PowerShell.exe
- Playing with PowerShell versions
- PowerShell obfuscation (Invoke-Obfuscation)
- Defense Summary
- Detecting “evil” code
* subject to updates prior to talk.
I think the talk is being recorded, but follow @BSidesDC on Twitter for more information.