For over a decade PowerShell has empowered administrators, DevOps practitioners and automation enthusiasts to accomplish significant tasks with relative ease. However, malicious threat actors have also harnessed PowerShell's capabilities by writing extensive offensive tools and frameworks in PowerShell. The PowerShell team has countered these malicious trends by adding numerous defensive enhancements to PowerShell, including extremely deep logging visibility (ScriptBlock, Module and Transcription logging) as well as blocking capabilities and interfaces such as the Antimalware Scan Interface (AMSI). This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation highlights forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provide security practitioners to defend their organizations against the latest attacks that utilize PowerShell. So if you are new to security or just want to learn how attackers have used PowerShell in their attacks, then this talk is for you. If you want to see what obfuscated, multi-stage, evasive PowerShell-based attacks look like under the microscope of PowerShell's deep inspection capabilities, this talk is for you. And if you want to see why these security advancements to PowerShell are causing many attackers to shift their tradecraft development away from PowerShell, this talk is for you.

PowerShell Summit videos are recorded on a "best effort" basis. We use a room mic to capture as much room audio as possible, with an emphasis on capturing the speaker. Our recordings are made in a way that minimizes overhead for our speakers and interruptions to our live audience. These recordings are meant to preserve the presentations' information for posterity, and are not intended to be a substitute for attending the Summit in person. These recordings are not intended as professional video training products. We hope you find these videos useful; the equipment used to record these was purchased using generous donations from members of the PowerShell community.
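The abstract above names the three logging channels (ScriptBlock, Module and Transcription) that give defenders their visibility into malicious PowerShell. The following is an added example, not code from the talk or from the PowerShell project, showing how a practitioner enables those channels through their documented policy registry keys and then hunts the resulting Event ID 4104 script block records for traits common to obfuscated loaders. The transcript output directory, the indicator patterns and the hit threshold are assumptions chosen for illustration; the patterns are heuristics to be tuned, not a detection rule from the talk.

```powershell
# Added example (not part of the talk or of PowerShell itself).
# Assumes: Windows PowerShell 5.x or PowerShell 7 on a host where the
# Microsoft-Windows-PowerShell/Operational log exists, run from an elevated prompt.
# Registry paths are the documented Group Policy locations for these settings.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellDeepLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed output path

    # ScriptBlock logging: each script block is logged as it is about to execute
    # (Event ID 4104), so every de-obfuscation layer produces its own record.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution details for all modules (Event ID 4103).
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Transcription: full session input and output written to text files, with a
    # header recording user, host and process for each invocation.
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

# Indicator patterns are constructed for this example (approximate, case-insensitive).
# Each reflects a trait often seen in obfuscated or staged PowerShell payloads.
$indicators = @{
    'EncodedCommand' = '(?i)\s-e[ncodema]*\s+[A-Za-z0-9+/=]{40,}'   # -e/-enc/-encodedcommand + base64
    'Base64Decode'   = '(?i)FromBase64String'
    'CharCodeConcat' = '(?i)\[char\]\s*\d+\s*\+'                   # [char]73+[char]69+...
    'FormatOperator' = '\{\d+\}.*-f\b'                              # ("{1}{0}" -f 'EX','I')
    'DownloadCradle' = '(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b)'
    'ExcessiveTicks' = '(`\w){4,}'                                  # "N`e`W-`o`b`J`e`C`T"
    'AmsiTamper'     = '(?i)amsiInitFailed|AmsiUtils|AmsiScanBuffer'
}

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 5000, [int]$MinHits = 2)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
        # Large blocks are split across several events sharing one ScriptBlockId.
        $text = [string]$_.Properties[2].Value
        $hits = foreach ($name in $indicators.Keys) {
            if ($text -match $indicators[$name]) { $name }
        }
        if (@($hits).Count -ge $MinHits) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Path          = $_.Properties[4].Value
                Indicators    = (@($hits) -join ',')
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage (elevated):
#   Enable-PowerShellDeepLogging
#   Find-SuspiciousScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize
```

Two caveats a responder should keep in mind. First, 4104 records the script block as PowerShell is about to execute it, so a multi-stage loader leaves one event per decoded layer; reading the events for a single ScriptBlockId in MessageNumber order, and then following the IDs of the blocks it spawns, is usually enough to recover the final payload without running anything. Second, these registry values are the local equivalents of the Group Policy settings; on a domain-joined host the policy will overwrite them at the next refresh, so deploy the same settings through GPO rather than relying on the local keys.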