Kazanciyan investigating PowerShell attacks - Black Hat
Investigating PowerShell Attacks
Black Hat USA 2014
August 7, 2014
PRESENTED BY: Ryan Kazanciyan, Matt Hastings
© Mandiant, A FireEye Company. All rights reserved.
Background Case Study
[Diagram: Attacker -> VPN -> victim client; WinRM, SMB, NetBIOS -> victim workstations, servers, Active Directory]
- Fortune 100 organization
- Compromised for > 3 years
- Authenticated access to corporate VPN
- Command-and-control via:
  - Scheduled tasks
  - Local execution of PowerShell scripts
  - PowerShell Remoting
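Host-level triage for two of the command-and-control channels named in the case study, scheduled tasks and PowerShell Remoting, as an added example that is not part of the Black Hat deck. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module, WSMan: drive) and an elevated session; the function names are my own.

```powershell
# Added example, not the presenters' code. Surfaces scheduled tasks whose action
# launches PowerShell and summarises the PowerShell Remoting (WinRM) state.

function Get-PowerShellScheduledTask {
    # Parse each task's XML: it carries author, creation date and principal,
    # which the Get-ScheduledTask action objects do not expose together.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
        foreach ($exec in $xml.Task.Actions.Exec) {   # ComHandler-only tasks yield no Exec
            $cmdline = "$($exec.Command) $($exec.Arguments)"
            if ($cmdline -match 'powershell(\.exe)?|pwsh|-EncodedCommand|-enc\b|Invoke-Expression|DownloadString') {
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    Author      = $xml.Task.RegistrationInfo.Author
                    Created     = $xml.Task.RegistrationInfo.Date
                    RunAs       = $xml.Task.Principals.Principal.UserId
                    CommandLine = $cmdline
                }
            }
        }
    }
}

function Get-RemotingTriage {
    # Service and listener state: is Remoting reachable on this host at all?
    $svc       = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    # WinRM/Operational EID 91: a WSMan shell was created on this (accessed) host;
    # EID 6: this host initiated a WSMan session to another machine.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 6, 91
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinRMStatus    = $status
        ListenerCount  = $listeners.Count
        RemotingEvents = $events | Select-Object TimeCreated, Id, Message
    }
}

Get-PowerShellScheduledTask | Format-Table -AutoSize
Get-RemotingTriage | Format-List
```

The regex is a starting point for review, not a verdict: legitimate administrative tasks also run PowerShell, so compare the author, creation date and run-as principal against what the environment's change records support.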
Why PowerShell?
It can do almost anything…
- Execute commands
- Download files from the internet
- Reflectively load / inject code
- Interface with Win32 API
- Enumerate files
- Interact with the registry
- Interact with services
- Examine processes
- Retrieve event logs
- Access .NET framework
PowerShell Attack Tools
- PowerSploit
  - Reconnaissance
  - Code execution
  - DLL injection
  - Credential harvesting
  - Reverse engineering
- Posh-SecMod
- Veil-PowerView
- Metasploit
- Nishang
- More to come…
PowerShell Malware in the Wild