Investigating PowerShell Attacks

Black Hat USA 2014 August 7, 2014

PRESENTED BY: Ryan Kazanciyan, Matt Hastings

© Mandiant, A FireEye Company. All rights reserved.

Background Case Study

[Diagram: attacker client -> victim VPN -> (WinRM, SMB, NetBIOS) -> victim workstations and servers]

- Fortune 100 organization
- Compromised for > 3 years
- Active Directory
- Authenticated access to corporate VPN
- Command-and-control via:
  - Scheduled tasks
  - Local execution of PowerShell scripts
  - PowerShell Remoting


Why PowerShell?

It can do almost anything...

- Execute commands
- Reflectively load / inject code
- Enumerate files
- Interact with services
- Retrieve event logs
- Download files from the internet
- Interface with Win32 API
- Interact with the registry
- Examine processes
- Access .NET framework


PowerShell Attack Tools

- PowerSploit
  - Reconnaissance
  - Code execution
  - DLL injection
  - Credential harvesting
  - Reverse engineering
- Nishang
- Posh-SecMod
- Veil-PowerView
- Metasploit
- More to come...


PowerShell Malware in the Wild
