Investigating PowerShell Attacks
Black Hat USA 2014 August 7, 2014
PRESENTED BY: Ryan Kazanciyan, Matt Hastings
© Mandiant, A FireEye Company. All rights reserved.
Background Case Study

Diagram: Attacker client -> Victim VPN -> (WinRM, SMB, NetBIOS) -> Victim workstations and servers

- Fortune 100 organization
- Compromised for > 3 years
- Active Directory
- Authenticated access to corporate VPN
- Command-and-control via:
  - Scheduled tasks
  - Local execution of PowerShell scripts
  - PowerShell Remoting
Why PowerShell?
It can do almost anything...

- Execute commands
- Reflectively load / inject code
- Enumerate files
- Interact with services
- Retrieve event logs
- Download files from the internet
- Interface with Win32 API
- Interact with the registry
- Examine processes
- Access .NET framework
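The three execution paths the case study names (scheduled tasks, local script execution and PowerShell Remoting) can be hunted from the host with the same capabilities this slide lists: event logs, the registry, processes and services. The triage script below is an added example written for this page; it is not code from the Black Hat slides or from Mandiant. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-CimInstance), and it assumes two event IDs: 4104 (script block logging, PowerShell 5+, only present when that logging is enabled) and WinRM/Operational 91 (shell creation on the target). The function names and the regexes are my own.

```powershell
# Added triage example (not from the Black Hat deck). Hunts for PowerShell
# launched via scheduled tasks, autorun registry keys, running processes and
# remoting, then pulls recent script-block events. Assumed: elevated session,
# Windows 8 / Server 2012+; event IDs 4104 and 91 are assumptions (see lead-in).

function Find-PowerShellScheduledTasks {
    # Any task action that launches powershell/pwsh or passes an encoded command.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh|-e(nc|c|ncodedcommand)?\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    Path     = $task.TaskPath
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Find-PowerShellAutoruns {
    # Run/RunOnce values that start PowerShell (local script execution path).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
            if ("$($p.Value)" -match 'powershell|pwsh') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-PowerShellProcesses {
    # Running PowerShell hosts (wsmprovhost.exe hosts remoting sessions),
    # with parent process name and full command line.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }
    $procs | Where-Object { $_.Name -match '^(powershell|pwsh|wsmprovhost)\.exe$' } |
        ForEach-Object {
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Name        = $_.Name
                Parent      = $byId[$_.ParentProcessId].Name
                CommandLine = $_.CommandLine
            }
        }
}

function Get-RemotingIndicators {
    # WinRM service state plus recent remote shell creations (assumed ID 91).
    $svc    = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $filter = @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinRMStatus   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        RecentShells  = @($events).Count
        LastShellTime = if ($events) { $events[0].TimeCreated } else { $null }
    }
}

function Get-RecentScriptBlocks {
    param([int]$Max = 20)
    # Script block logging (assumed ID 4104) records the de-obfuscated code
    # that actually ran; empty if the policy is not enabled on this host.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Snippet = (($_.Message -split "`n")[0..2] -join ' ')  # first lines only
            }
        }
}

function Invoke-PowerShellTriage {
    [pscustomobject]@{
        ScheduledTasks = @(Find-PowerShellScheduledTasks)
        Autoruns       = @(Find-PowerShellAutoruns)
        Processes      = @(Get-PowerShellProcesses)
        Remoting       = Get-RemotingIndicators
        ScriptBlocks   = @(Get-RecentScriptBlocks -Max 20)
    }
}

# Usage: dot-source this file, then
#   $r = Invoke-PowerShellTriage
#   $r.ScheduledTasks | Format-Table -AutoSize
#   $r.Remoting
```

Each function returns objects rather than printing, so the output can be exported (Export-Csv) and compared across hosts. On Windows 7 / Server 2008 R2, replace Get-ScheduledTask with `schtasks /query /fo CSV /v` and parse the "Task To Run" column; the 4104 query returns nothing there because script block logging does not exist before PowerShell 5.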
PowerShell Attack Tools

- PowerSploit
  - Reconnaissance
  - Code execution
  - DLL injection
  - Credential harvesting
  - Reverse engineering
- Nishang
- Posh-SecMod
- Veil-PowerView
- Metasploit
- More to come...
PowerShell Malware in the Wild