Kazanciyan investigating PowerShell attacks - Black Hat

Investigating PowerShell Attacks

Black Hat USA 2014

August 7, 2014

PRESENTED BY: Ryan Kazanciyan, Matt Hastings

© Mandiant, A FireEye Company. All rights reserved.

Background Case Study

[Diagram labels: Attacker, VPN, Client, Victim workstations and servers; protocols WinRM, SMB, NetBIOS]

• Fortune 100 organization
• Compromised for > 3 years
• Authenticated access to corporate VPN
• Active Directory
• Command-and-control via:
  • Scheduled tasks
  • Local execution of PowerShell scripts
  • PowerShell Remoting

Why PowerShell?

It can do almost anything…

Execute commands

Download files from the internet

Reflectively load / inject code

Interface with Win32 API

Enumerate files

Interact with the registry

Interact with services

Examine processes

Retrieve event logs

Access .NET framework


PowerShell Attack Tools

• PowerSploit
  • Reconnaissance
  • Code execution
  • DLL injection
  • Credential harvesting
  • Reverse engineering
• Nishang
• Posh-SecMod
• Veil-PowerView
• Metasploit
• More to come…

PowerShell Malware in the Wild
