Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf
Investigating PowerShell Attacks
Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
Matt Hastings CONSULTANT, MANDIANT
Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you’ve got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you’re not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.
This presentation will focus on common attack patterns performed through PowerShell – such as lateral movement, remote command execution, reconnaissance, and file transfer – and the sources of evidence they leave behind. We’ll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we’ll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
Ryan Kazanciyan is a Technical Director with Mandiant and has ten years of experience in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led incident response and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. He has also helped develop Mandiant’s investigative methodologies, forensic analysis techniques, and technologies to address the challenges posed by skilled intruders in complex environments. Prior to his work in incident response, Ryan led and executed penetration tests for both private and public-sector clients. His background included red-team operations in Windows and Unix environments, web application security assessments, and social engineering. As a lead instructor and content author for Mandiant’s incident response training, Ryan also regularly teaches classes for corporate security teams, federal law enforcement, and at industry conferences.
Matt Hastings is a Consultant with Mandiant, a division of FireEye, Inc. Based in the Washington, D.C. area, Matt focuses on enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments, working with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations.