From YouTube: PSS: Defending Against PowerShell Attacks with Jon Fox
Description
PowerShell Saturday is a training event for all things PowerShell. The event was held in Raleigh North Carolina and hosted by Research Triangle PowerShell User Group.
In this session Jon Fox discusses how attackers can use PowerShell against you, and things you need to think about to protect from these attacks.
The files for Jon's slides and code can be found on our github page:
https://github.com/rtpsug/PowerShell-Saturday/tree/master/2019-NC.State
A
Sometimes
it's
application
compatibility
requirements
other
times
it's
just
ignorance
and
it's
not
until
something
bad
happens
that
they
decide
that
they
need
to
do
something
after
the
fact-
and
that's
that's
really
really
unfortunate.
I'm
gonna
start
with
my
favorite
example.
How
many
of
you
see
one
of
these
in
real
life?
Well,
shame
on
you
opened
it
up.
You
should
have
never
opened
the
documents
if
we
do
it,
but
it's
amazing
how
people
just
click
through
those
prompts
I.
Don't
care
I,
don't
care
I,
don't
care!
It's
like
a
kid
want
to
play
a
game
online.
A
Just
get
rid
of
the
pop-up
I,
don't
care
what
I'm
clicking
I'm
just
going
to
make
it
show
up
because
I
like
getting
attachments
from
like
the
Ministry
of
Defense
of
remaining
or
something
and
that's
exactly
what
I
work
with
on
a
daily
basis.
But
you
know
there
are
some
protections
that
are
built-in,
unfortunately,
there's
their
speed,
bumps
that
nothing
more
than
that
you
can
dial
the
dials
a
little
bit
to
to
limit
the
potential
impact
or
the
opportunity
that
may
be
there,
but
this
should
be
a
big
big,
big
warning.
A
What
I'm
going
to
start
off
with
this
yeah
talk
about
phishing
emails
and
the
things
that
come
into
what
in
the
form
of
office
attachments?
Because,
what's
going
on
behind
the
scenes
of
this,
it's
a
little
bit
uglier
and
it
comes
in
a
couple
different
formats
and
apologies.
If
this
is
too
small,
some
of
you
might
be
able
to
quickly
grab,
what's
happening
in
this
little
VBA
or
basic
Visual
Basic
for
applications.
It's
a
macro.
A
So
this
is
the
beginning
of
the
where
if
the
system
is
connected
to
the
Internet
and
it's
hopefully
it's
not
an
admin
account,
because
that's
really
really
worse,
because
now
we've
got
things
that
are
gonna,
probably
go
somewhere
in
the
system.
It's
really
bad,
but
this
is
a
stage
one
download
you
know
going
to
talk
out
to
a
command-and-control
and
RC
two
endpoints
on
pipe
and
bad
things
will
happen
unfortunate.
This
is
not
how
a
lot
of
things
are
happening
anymore
because
of
all
those
protections
that
went
on
at
the
network
layer.
A
Well
now
we
got
proxies
or
firewalls
and
things
or
maybe
we're
actually
doing
a
little
cleaning
of
the
attachments
or
looking
at
the
code.
So
the
evolutionary
next
step
in
things.
Well,
let's
just
embed
the
bad
stuff
directly.
So
now
we've
got
the
code,
that's
obviated
as
a
bunch
of
gobbledygook
I,
don't
have
to
go,
get
the
executable,
because
the
the
network
has
been
somewhat
hardened.
The
clients
still
wide
open
enforcement
and
users
are
still
ignorant
because
they're
still
opening
them
up
and
clicking
on
them.
A
It's
even
deeply
signed,
which
is
great,
so
we
don't
have
to
be
tampered
with,
and
so
the
the
adversaries
get
a
little
bit
smarter
with
what's
going
on,
but
there's
no
real
difference
between
the
fur.
Second
one.
This
one
just
doesn't
require
that
extra
step
of
going
through
the
network
or
touching
something
in
the
outside
world
and
yeah.
A
A
But
bad
people
are
using
these
things
apts.
Hopefully
you
never
have
to
experience
any
of
these,
but
the
little
example
here
from
32
and
10
and
30
for
known
users
of
Excel
documents
and
work
documents
with
these
types
of
attachments
that
are
on
there.
They
go
after
financial
institutions
for
a
pretty
common
reason.
There's
there's
a
need
to
get
money
to
get
funding,
because
these
apts
are
not
directly
nation
state,
backed
in
to
some
degree,
unlike
Russians
and
the
Chinese,
where
they
have
all
the
funds
in
the
world
to
play
with.
A
A
This
is
a
PT's
or
a
constant
barrage
trying
to
get
these
things
seen
it
into
the
environment,
trying
to
get
things
to
happen,
and
if
you
look
at
some
of
the
research
that's
been
produced
by
various
organizations,
I
like
picking
with
the
Palo
Alto
and
far
I.
They
have
a
lot
of
good
research
and
they're,
very,
very
public
about
the
things
that
they
find
and
sharing
information.
This
is
a
little
dated,
but
it
was
the
most
recent
version.
A
A
If
you
look
at
some
of
the
things
that
happen
after
the
fact
when
it
comes
to
the
reconnaissance
or
the
lateral
movement
opportunities
that
exists
in
a
given
environment,
you
know
for
those
who
played
with
Metasploit
or
powersploit,
which
is
a
Power
Cell
module
version
of
some
things
that
are
admissible.
Then
of
course,
you've
got
Empire
and
some
things
that
are
that
are
fun
and
there's
some
direct
packaging
power
shields.
Not
the
only
thing,
there's
lots
of
opportunities
for
leveraging
various
api's
and
components
about
net
components
or
providers.
A
They
have
an
existent
system,
but
it
just
becomes
kind
of
the
go-to
for
a
lot
of
the
adversaries,
but
calls
of
the
name
itself.
That's
pretty
powerful.
It
can
do
a
lot.
People
are
local
admins.
Then
it's
really
kind
of
an
unrestricted
pathway
to
doing
along
things
not
only
in
getting
presents
into
the
environment,
but
also
performing
these
posts.
A
A
A
Which
is
really
unfortunate
because
we
know
what
this
really
really
means
for
the
answers.
It
means
this
because
there's
so
many
ways
around
it
if
users
are
still
admits
or
if
PowerShell
is
not
propelled
in
some
way
on
the
system
to
change
this
default
behavior,
it
really
just
becomes
a
slowdown
and
I
like
using
these
wonderful
examples.
A
It
it
doesn't
really
get
rid
of
the
problem.
The
problem
is
privileged
or
credential
hygiene,
really
poor,
critical
hygiene
not
doing
things
with
the
appropriate
set
of
permissions
least
privilege
lease
functionality
as
I
should,
but
also
not
even
controlling
the
opportunities
that
do
exist
with
PowerShell,
especially
things
that
have
been
introduced.
Since
you
know
version
5
is
living
forward
with
in
the
form
of
the
logging
and
the
controls
that
you
actually
have
from
a
management
perspective.
So
you
take
away
probably
not
only
the
most
powerful
tool
for
admin.
A
You
also
take
away
one
of
the
most
powerful
tools
for
understanding,
what's
going
on
in
your
environment
and
reporting
on
the
systems
and
even
in
some
cases
managing
it
through
using
my
PFC
and
things
like
that,
what
we
see
in
environments,
where
they've
done
the
magic
button
of
removing
PowerShell,
is
they
end
up?
Turning
on
more
vulnerable
management
opportunities
like
RDP
interesting,
what's
happened
with
RDP
over
the
last
few
months
and
the
weaponization
of
some
things
there?
A
Yes,
we've
heard
some
things
with
some
patches,
but
they're
all
fixed
now,
BBA
still
gots
apprentice
not
going
on
with
that,
but
you
took
away
something
that
the
blue
teamers
of
the
world
could
really
really
leverage
and
take
use
of
if
it's
still
present,
in
fact,
there's
some
really
nice
things
that
could
be
done
even
the
Power
Cells
not
allowed
by
using
PowerShell
on
other
systems.
But
again
it's
really
done
nothing
more
than
create
a
speed
bump
in
the
world
of
things.
A
So
you
you
took
away
essentially
the
most
secure
administration,
as
well
as
the
transparent
security,
transparent
management
tool.
That's
out
there
how
many
familiar
with
the
the
mitre
attack
framework.
It
looks
something
like
this
I
had
to
shrink
it
down
to
get
it
all
in
one
page,
just
it's
evolved
over
the
years
now
ten
years
ago
and
only
had
like
five
or
six
columns.
Now
it's
got
a
ton.
This
is
basically
what
happens
when
you
turn
a
PowerShell,
go
to
little
red
squares
or
rectangles.
A
That's
all
that
goes
away,
so
you
still
have
all
these
other
forms
of
enumeration
and
footprinting
and
escalation
and
lateral
movement
and
execution
and
and
so
on,
and
so
forth,
really
really
bad
things.
That's
all
that
happened.
But
yes,
there
are
solo
security,
Ivins,
really
we're
good
we're
safe.
Now,
no
youyou
eventually
hurt
the
environment
more
than
you
that
you've
helped
it.
Yes,
oh
so
you've
got
Windows
PowerShell
over
here
yeah,
which
is
basically
an
execution
and
then
over
here
my
little
movement.
A
This
is
Windows
remote
management,
yeah
yeah,
again
apologies
for
the
teenis
of
what's
up
there,
but
here's
the
kicker
people,
don't
realize
it.
When
you
turn
this
off,
you
don't
turn
off.
This
PowerShell
is
more
than
PowerShell
dot.
Exe,
it's
an
engine!
It's
a
dll
file!
This
is
Windows
automation
that
that's
behind
each
of
those
things.
That's
what
so
many
other
powerful
things
that
exists
in
PowerShell
are
kind
of
built.
A
A
I've
seen
it
quite
a
few
times
from
customers
that
are
looking
to
somehow
magically
secure
of
Windows
Server
2012,
not
r2,
2012
can
I
remove
net
from
though
LS
we
kind
of
need
that
you
know
service,
hose
kind
of
depends
on
you've
got
a
bunch
of
services
that
you
service
ups
that
need
that
dotnet
component.
So
yeah
this
sorry,
it's
not
there
Oh
have
you
ever
heard
of
Lua
Lu
a
as
another
wonderful
thing,
so
this
is
an
example
of
how
to
embed
X
so
I
can
these
are
applications
again?
It's
very
tiny.
A
Clothes
are
pulling
for
the
Wikipedia
page
of
all
these
third-party
vendor
applications
and
systems,
all
of
their
network
appliances
that
basically
have
a
l,
ua
employee.
You
can
send
something
to
with
my
favorite
in
math,
so
I,
don't
necessarily
have
to
worry
about.
What's
going
on
from
a
PowerShell
perspective,
I
can
use
one
of
those
other
languages,
that's
out
there
and
it's
just
a
matter
of
doing
a
little
research
find
out
what
can
be
done.
I
go
and
look
at
maybe
the
people
password
list
or
I.
A
It's
a
remote
execution
for
calculator
and
you
can
do
a
lot
worse
things
than
calculator.
Just
let
you
know.
This
is
just
an
example:
that's
not
going
to
hurt
anyone's
feelings,
but
that's
what
can
be
done
and
if
you've
never
played
within
map.
Like
this,
all,
you
are
missing
some
funding,
because
there's
some
really
cool
things
you
can
do
with
with
other
systems,
depending
on
what
that
little
port
number
is
and
what
that
application
or
service
happens
to
be
on
the
back
end.
A
It
might
just
process
the
bits
and
do
exactly
what
it
is
that
you
you
wanted
to
do.
The
other
thing,
too,
is
when
you
turn
a
PowerShell:
it's
not
an
effective
control,
that's
just
a
part
of
it.
You
know
you're
looking
at
something.
That's
you
know
down
in
that
application,
whitelisting
sort
of
not
really,
but
just
be
aware
that
controls
come
in
multiple
flavors.
You've
got
things
that
are
obviously
preventative
in
nature
plays
that
you
should
be
doing
all
the
time.
A
I
can't
beat
the
strong
part
enough
from
the
Microsoft
perspective
patch
patch
and
keep
patching.
If
we
break
it
will
regress
it
don't
worry.
Antivirus
we'd
have
something
built
in
is
pretty
powerful.
I'll
go
sell
it
to
you,
but
it's
pretty
good,
especially
when
it
comes
to
things
like
that,
are
embedded
in
documents
and
seen
on
the
first
signal.
But
then
you
kind
of
increase
the
security
postures.
You
go
up
this
magic
triangle
here.
A
Looking
at
things
you
explicitly
don't
want
to
allow
in
the
environment
just
be
aware
that
you're
never
going
to
know
all
the
things
you
don't
want,
it's
much
easier,
believe
it
or
not
to
whitelist
the
things
that
you
do
want
to
allow.
These
are
explicitly
required
from
the
operational
perspective
of
that
of
that
given
system
you
should
always
have
already
implied.
A
You
know,
there's
there's
nothing
wrong
with
a
lot
of
data
other
than
where
do
I
stick
it
and
how
do
I
consume
it,
but
all
living
of
the
protections
make
sure
they're
in
place
as
well
as
what
is
happening.
I'm
going
to
dive
into
this
aspect,
much
deeper,
of
course,
the
end
of
this
and
then,
of
course,
how
can
I
look
at
what
has
happened
when
we
get
into
their
remediation
or
the
detection
kind
of
a
gray
area?
A
There
I
want
to
be
able
to
have
something
that,
from
a
forensics
perspective,
is
going
to
be
a
tale
that
something
has
happened
or
what
something
is
doing
on
the
given
system
and
I'm,
storing
it
somewhere
and
then,
if
I,
have
the
ability
to
apply
some
form
about
analytics
to
that
signal,
that's
even
better,
with
with
my
customer
they're
slowly
becoming.
We
would
finally
finish
this
project.
There'll
be
the
largest
users
of
JIT
jia,
outside
of
microsoft
and
azure
in
the
world.
All
administration
and
all
ITSM
type
of
activities
are
going
to
be
PowerShell
through.
A
You
know,
RTP
on
any
servers
anymore,
something
they
were
already
doing
in
the
linux
world.
Now
they
basically
take
them
the
knobs
that
they
learn
and
the
operational
aspects
of
what
they
learned
from
the
Linux
UNIX
world
and
are
bringing
it
to
the
windows
side.
You
have
to
have
a
serious
business
case
to
get
a
server
with
GUI
now
from
2016
forward.
Everything
is
done
on
core
2019
makes
a
little
bit
easier
and
they
don't
know
remediation
side
things,
capturing
of
memory
based
artifacts.
A
A
We've
been
listening
to
things
since
the
last
decade,
or
so
as
far
as
what
should
be
done
from
a
security
perspective.
These
are
all
the
different.
You
know,
engines
that
happen
to
exist.
On
the
left-hand
side,
there,
the
various
capabilities
within
that,
as
far
as
what
it
can
do-
event,
logging
and
encryption,
and
things
of
stored
memory,
protection,
you'll
notice,
there's
a
shiny,
green
bar
across
the
middle
there
that
happens
to
be
PowerShell.
A
A
As
far
as
what
can
be
done
from
the
forensics
perspective
and
protection
since
I
mentioned
gee
I
want
to
dive
into
exactly
what
G
is
for
those
who
have
never
seen
this
or
definitely
not
using
it
yet
which
are
great
for
for
administration.
This
is
a
simple
exercise.
Example,
I,
don't
know
who
this
I
think
is
somebody
famous.
This
is
one
of
these
slides
I
stole
from
Lee
Holmes.
That
tells
the
story
guilty.
You
will
see
someone
who
probably
recognize,
if
you're
a
PowerShell
person
and
in
a
minute
here.
A
So
what
I
want
to
do
is
I
want
a
Remote
Desktop
into
a
server,
so
the
good
old
fashioned,
msg
SC,
maternal
server,
clients
and
I
get
it
access
denied,
no
already
Pete
crap.
Well,
how
do
I
get
in
so
hey
Geoffrey
I
really
want
to
be
admitted
server
one
so
that
I
can
restart
DNS,
because
you
should
totally
be
full
admin
on
the
server
just
to
restart
DMS
a
lot
of
organizations.
Do
it
this
way.
You
know
your
server
operator
OOP
go
in.
They
forget
about
DNS
admin
like
that.
A
So
no
sympathy,
we
I
guess
this
is
supposed
to
be.
You
have
to
use
PowerShell,
it
can
conserve
it.
Alright,
so
I'll
enter
a
PS
session
go
into
server.
One
and
I
can
restart
service,
DNS
and
everything's
happy,
but
I
can't
do
anything
else.
That's
basically
what
Jia
does
Jia
gives
you
a
configuration
of
prescribed
Commandments,
even
the
syntax,
the
parameterization,
even
sometimes
the
values
of
the
parameters.
A
I
can
even
preload
my
configuration
with
functions
that
replace
default
commands
that
may
be
used
in
the
console
or
other
things
that
may
be
more
powerful,
so
I
could
issue
like
a
restart
computer,
and
it
will
tell
me
no,
you
know,
that's
the
night
or
I
could
try
to
use
a
native.
You
know
utility,
like
ping,
and
it
tells
me
that
ping
is
denied
because
I
put
a
little
function
in
there.
That
replaces
that
executable
with
the
message.
A
So
when
we
do
this
that
I,
you
know
the
admin
wins
and
basically
is
in
control
of
what's
happening
on
the
system,
and
this
is
really
really
really
should
be
kind
of
step,
one
on
things,
because
the
administrative
model
is
pretty
definite,
I
mean
this
is
this:
is
security
exposure
101
I've
got
capability
is
whatever
my
you
know?
Cribbage
allows
for
and
a
lot
of
environments.
These
are
static,
type
memberships,
I'm
in
the
server
operators,
I'm
a
local
administrator.
A
So
therefore,
my
time
that
is,
whenever
I'm
connected
and
I'm
actually
holding
that
privilege
at
all
times,
if
someone
can
take
advantage
of
my
credential,
then
they
have
whatever
I
have
and
they
can
kind
of
use
it
unrestrained
and
it
may,
even
if
they're
smart
enough,
may
be
able
to
leverage
this
in
a
fashion
that
looks
like
it's
normal
behavior.
They
even
get
really
advanced
and
generate
some
tickets
that
are
fictitious
and
have
me
work
on
things
as
an
emissary.
What
we're
doing
with
G
is
basically
this.
A
Are
you
know
or
I
should
say
to
you
if
we,
if
we
want
to
hard
things
a
little
bit,
we
do
something.
That's
more
time-based,
so
I
still
have
the
capability,
but
it's
confined
to
a
window
of
time,
and
this
gets
into
combining
the
capabilities
of
PowerShell
into
you
know
privileged
Identity,
Management,
Pam
or
Pam,
if
you're
doing
it
from
an
azure
perspective.
A
There's
other
things
that
exist
with
third-party
vendors
I've
are
the
Peconic
and
Lieberman
that
do
a
very
similar
thing,
so
that
now
I
am
all-powerful,
but
only
for
a
little
bit
time
or
in
some
cases
only
for
a
particular
session
that
one
time
that
I
hit
RPF
session
and
go
to
a
system
and
combining
the
two
together
or
maybe
even
limiting
it
in
the
GA
perspective.
So
my
capability
is
bound
only
to
a
specific
role
or
function
on
that
given
system.
A
The
intersection
of
those
two
is
the
JIT
geomod,
so
I
have
prescribed
capabilities
things
that
are
known
to
be
executed
or
done,
or
maybe
maybe
even
fully
automated
through
some
type
of
ITSM
tool.
But
then
they
can
only
occur
within
a
time
window
on
a
given
system
or
within
a
given
session,
and
that's
really
where
we'd
like
to
see
people
get
to
with
things
and
not
hear
these
horrible
Ransome
things
that
happen.
If
every
municipality
in
the
world,
what
it
looks
like,
yes,
Oh
that'd,
be
even
better
yeah.
A
Yeah
so,
depending
on
the
pimp
system,
the
question
was
about
you
know
the
the
time
aspects
of
it.
I'll
use
our
men
Pam
as
an
example,
the
mics
up
at
any
manager
within
that
you
get
a
time
frame,
a
token
or
certificate
that
may
have
a
four-hour
limit
and
I
said,
or
if
it's
really
locked
down
it's
a
connection
string
that
only
allows
the
session
at
one
time
so
I
can
connect.
I
can
work
indefinitely,
but
as
soon
as
that
times
out
or
I
close,
my
PS
session
privilege
is
gone.
Yes,
it's
wiped
even
better.
A
If
that's
not
a
static
group
membership
either
with
dynamic
in
nature.
This
group
stay
empty
and
protected
that
question.
So
here's
what
it
has
very
very
simple
role
capability
file,
looks
like
this
is
really
dumped
there
there's
a
lot
more.
That
should
be
done
within
this,
but
basically
you
can
control
what's
needed,
give
a
description.
So
people
know
what
that
happens
to
be
if
they're
reading
this
after
the
factory
to
get
hit
by
the
proverbial
bus
or
un
water.
A
What
modules
are
required
during
the
session
so
that
they're
there
that
I
have
the
capability
to
do
whatever?
That
prescribed
task
happens
to
be
within
that
role?
Capability
I
have
my
visible
Commandments
everything
else
from
all
the
providers
and
anything
that's
there
in
PowerShell
is
not
available.
I
only
have
these
commands
now
you
can
go
further
and
even
provide
you
know
things
like
parameters
that
are
valid
and
even
the
values
for
the
parameters
like
whole
to
make
sure
they
stay
on
localhost
or
loop
backs,
and
things
like
that.
A
I
can
even
put
that
into
these,
but
you
listen.
They
gave
me
the
things
that
are
probably
sonam's
with
someone
who's
doing
some
DNS
madness.
I've
got
the
ability
to
get
a
list
of
services.
I
can
interact
with
the
DNS
service,
specifically
because
I'll
need
to
restart
service
and
get
you
know,
sort
of
Cashman
clear.
The
cache
show
Deana
server
cache
for
whatever
reason,
if
I'm
working
on
a
Ford
or
maybe
and
I
order,
I'll
see
what
may
be
working
on
system
and
then
they've
also
done
some
function.
A
Definitions,
I
can
use,
Who
am
I,
so
the
function
is
representing
a
default
command
that
may
be
available
in
the
windows
console.
So
if
I
run,
Who
am
I,
it's
really
going
to
run
a
strip
block.
You
know
the
PS
in
your
info
and
throw
that
back
functions,
replace
the
behavior
of
those
embedded
or
default
commands
so
that
I
can't
use
them
in
bad
ways.
If
you
look
at
the
execution
order
that
exists
within
power,
shop
functions,
override
native
commands,
native
commands
are
way
at
the
end.
A
Functions
override
scripts
override
a
bunch
of
other
things
of
balance,
so
they
always
come
first,
and
if
you
do
this,
this
is
what
I
think
I
had
to
find
out
the
order
a
little
bit.
But
this
is
this:
is
the
intersection
of
jetan
Jia
so
place,
but
you've
got
capability,
that's
prescribed
in
a
configuration
I.
Do
this
very
securely,
with
a
lot
of
dials
turned
up
which
I'm
going
to
show
about
the
logging
and
the
forensics
aspects
behind
it,
and
then
it's
only
available
at
a
particular
time
phone
system.
This
is
security.
A
Ministration
at
its
finest
and
I
didn't
have
to
turn
off.
Powershell
PowerShell
still
all-powerful,
underneath
it
all
fact.
If
you
can't
wait
on
functional
anyway,
it's
because
embedded
programs
and
things
that
use
the
automation
deal
I
understand,
and
this
is
what
I
mean,
and
this
is
do
it
there.
You
know
what
what
should
be
happening-
and
this
is
a
very
slow
to
evolve
conversation
with
a
lot
of
customers,
no
matter
how
many
advisory
calls
I
have
is
that
you've
got
this
thing
that
gives
you
so
much
information
about
what's
happening
in
the
environment.
A
You
just
have
to
know
how
to
attain
it
and
how
to
use
that
that
information.
So
you
know,
I've
got
the
ability
to
the
control
in
a
very
effective
manner,
across
the
entire
enterprise,
module
logging
or
script
logging,
which
is
great
transcripts
across
systems.
I
can
do
this
securely,
where
users
can't
just
read
the
secrets
that
around
I'm
gonna
show
that
and
also
integration
with
Adam
our
fantasy
or
anti-malware
scan
interface,
and
you
don't
have
to
use
defender.
You
can
use
third
parties
that
are
tapped
into
that
API.
We
did
open
it
up.
A
Finally,
so
that
the
other
big
players
in
security,
not
so
much
authority-
can
can
interact
with
the
signals
that
are
going
on
there,
but
what
you
get
in
the
modern
sense
of
PowerShell
is
the
effective
management
you
can
leverage
for
policy
to
control
all
these
things
and
should
be
using
these
things.
You
will
see
them
in
Stig's
and
in
baselines
and
things
that
nature
at
theta
C
is
actually
turns
up
a
couple
of
things,
but
you
should
turn
these
things
on
now.
A
You,
you
have
to
be
careful
when
you
turn
these
things
off,
you
don't
control
how
you
implemented
it
then
you're
gonna
have
a
big
problem.
You
want
to
have
something:
that's
going
to
collect
the
logs,
you've
got
levels
or
if
the
built-in
Windows
8
in
40,
which
is
great
believenot
Windows,
has
a
seam.
A
We
also
have
one
in
Azure
that
can
take
this
thing,
but
if
you're,
using
this
block
or
log
read
them
all,
those
are
things
you
want
to
pull
this
data
somewhere
and,
in
more
importantly,
maybe
apply
some
analytics
to
it.
You
don't
have
to
record
screen
sessions
or
typing
anything
like
that,
but
maybe
have
some
kind
of
logic
that
is
looking
through
this,
which
I'm
going
to
go
until
a
bit
deeper,
because
we
build
some
tools
to
help
you
with
that.
Yes,.
A
You'll
be
able
to
tell
the
session,
but
you'll
be
able
to
tell
what
that
the
interaction
agent
was
yes,
yeah
if
it
was
coming
from.
If
it's
coming
from
a
session
like
configuration
versus
how
shall
you
say?
Yes?
Yes,
that's
present
how
many
of
you
ever
seen,
Mozilla
or
skirt
backlog.
What
that
looks
like
okay
good,
so
this
should
look
to
none
for
nature.
You
get
a
lot
of
detail,
and
sometimes
that's
that's.
A
You
know,
maybe
not
the
best,
but
it
really
is
believe
or
not
a
lot
of
transparency
as
far
as
what's
happening,
and
it's
not
just
what's
going
on
interactively,
it
will
log
the
things
that
are
happening
like
in
the
background
of
that
Excel
document,
or
the
word
document
that
you
got
from
the
Ministry
of
Defense
in
Romania
transcripts
are
very,
very
important
as
well
transcripts
will
capture
the
interactive
details
of
everything.
That's
happening.
A
You've
got
to
be
a
little
bit
careful
with
this,
though,
because
it
will
capture
things
that
you
might
not
want
everyone
seen
in
larger
environments,
where
there's
a
well-defined
sock,
sometimes
security
operations
that
are,
you
know,
they're
the
ones
that
are
really
ingesting.
These
logs,
these
can
be
encrypted.
They
have
the
key
that
can
open
it
up.
Things
are
basically
logged
or
transcribed
with
the
public
key.
They
have
they're
the
holders
of
the
private
key,
so
therefore
they
have
access
to
it.
A
You
can
keep
the
logs
locally
on
system
or
you
could
Ford
them
to
a
centralized
container
of
some
type
again,
depending
on
what
your
scene
approach
is
or
logging.
The
approach
happens
to
be
the
environment.
There
are
some
customers
that
I
sleep
with
that
actually
feed
these
types
of
transcripts
and
the
logs
from
script
and
module
perspective
into
a
truth
system
that
basically
scans
them
in
real
time
and
flags
things
for
suspicious
behavior,
which
is
that's
very
high
up
on
the
evolutionary
scale
of
PowerShell
security.
Those
things
are
happening.
A
We
use
the
system
within
a
show
that
does
that.
So,
if
there's
some
type
of
interaction
between
Microsoft
and
the
customers
environment,
a
tenant,
everything
that
we're
doing
is
going
through
one
of
those
truth
systems
and
we'll
flag
security,
if
we're
doing
some
or
not
supposed
to
be
doing,
which
is
very,
very
nice
what
if
things
are
encoding?
This
is
this?
Usually
is
question
number
one
someone's
doing
encoded
commands
or
they
got
the
gobbledygook.
That's
packaged
up
into
a
document
of
some
type
or
the
payload
is
obfuscated
in
some
ways.
A
It
just
oh
there's
no
way
of
turning
this
back
into
it's
it's
clear
text.
If
we
were
to
take
this
hash
and
it's
kind
of
real
format-
and
it
looks
like
this-
this
is
another
form
of
obfuscation.
You
know
it's
a
little
difficult
to
read.
It's
a
lot
of
a
you
know:
appendage,
that's
going
on,
which
was
what's
happening
with
that
execution.
The
reality,
though,
in
the
markup
log,
is
that
even
though
you'll
get
this
event,
this
particular
4104.
You
also
get
this
4104
with
it.
A
So
you
see
it
in
its
how
it
was
executed,
but
then
you
also
see
it
how
it
was
actually
interpreted
by
the
engine
which
is
in
the
clear
text.
You
can't
hide
from
this
anymore,
and
that
was
like
one
of
the
powerful
tools
adversaries
were
leveraging
was
the
fact
that
oh
I,
couldn't
use,
obfuscation
or
I
can
encrypt
it
in
some
given
way
and
do
some
some
some
trickery
within
my
script
that
that
decodes
it
and
execute
it
in
memory.
A
Well,
in
this
case,
this
is
logging.
So
this
is
script.
Block
logging,
yep,
so
transcripts
not
required
for
this
one
yeah
and
I'm
going
to
actually
go
through
the
again
IDs
that
are
important.
That
are
very,
very
helpful,
alcohols
on
that
slide
for
a
little
bit
longer.
So
what
about
things
that
are
malicious
and
make
someone's
doing
pen
testing
so
they're
on
their
Kali
Linux?
You
know
very
expert
and
they're
gonna.
Basically,
you've
run
something.
That's
going
to
feed
this
into
it,
so
I've
got
PowerShell
with
all
of
the
known
dials.
A
You
know
turn
to
eleven
for
how
to
get
around
all
the
execution
protections
believenot.
This
does
work.
So
you've
got
the
you
know.
You
know
him
no
profile
non,
interactive
and
coded
command.
There's
some
other
things
that
are
in
there
that
are
encoded,
that
have
additional
parameters
for
execution
bypass
and
whatnot.
Look
it's
ugly!
Well
in
the
case
of
vamp,
see
something
like
this
happens.
Let's
say
that
was
something
being
fed
through
a
document.
There's
kind
of
shifting
gears
a
little
it's
not
from
a
command
line.
A
Well,
number
one
I'm
going
to
log
it
that
I
had
the
macro
and
I
had
this
code
and
it's
yucky
form
VBA
is
going
to
do
a
trigger
for
agency,
which
antivirus
is
going
to
scan
and
again
this
used
to
be
us
only
and
defender,
but
we've
opened
that
up
and
she
is
available
to
some
other
participating
partners
and
then,
if
it
generates
alert,
then
that
goes
back
in
blocks
or
it's
at
least
going
to
create
a
signal
in
the
case
of
defender
ATP.
This
is
basically
block
on
site.
A
First
time
no
one
else
gets
ransomed
or
whatever
in
the
environment.
You
might
lose
a
sheet,
but
you
don't
lose
the
flock.
You
definitely
lose
any
Shepherds
to
use
that
analogy
and
as
things
happen,
of
course,
you
get
the
you
know
some
evidence
fine
as
well
when
it
comes
to
protecting
those
events.
As
I'd
mentioned
there,
there
is
an
opportunity
for
encryption.
A
What's
going
on
on
the
gaming
system,
useful
events
to
be
aware
of
I
kind
of
put
this
into
my
collector
and-
and
this
is
another
slide
taken
from
link
homes
as
far
as
what
you
should
be
looking
for
when
you've
dialed
up
the
forensic
aspects
of
PowerShell.
These
are
the
Vince
that
should
go
into
something
that
gives
you
some
visibility
as
to
what's
going
on
system
log
got
a
104
which
is
hanging
so
try
to
clear
the
Mohawk.
A
That's
always
important
one
that
should
be
on
everyone's
default
list
of
things
on
the
security
log,
basically
already
configured
for
partial
profiles,
so
46,
56,
anytime,
a
profile
or
modification
of
any
configuration
PowerShell
is
touched.
You
get
an
event
that
describes
the
who
the
what
the
win.
Where
of
that
activity.
Powershell
all
the
400
and
800
basically
start
up
hosting
application
to
version.
This
is
where
it
maps
back
to.
How
was
it
run?
It
was
it
embedded.
Was
it
from
the
shell
things
like
that
the
800
is
the
actual
command
and
parameter
logging.
A
Whatever
was
passed,
you'll
get
the
raw
format
if
it's
obviated
it's
ugly
and
then,
of
course,
the
interpreted
or
their
realistic
aspects
of
that
execution.
And
then
you
have
the
4104
warning
or
verbose
on
how
that's
turned
on,
and
the
script
block
automatic
or
detailed
verbose
logging
of
script
blocks
and
then
the
last
two
big
number
53
507
operational
law.
That's
if
the
debuggers
attach
to
a
process,
we're
doing
things
in
memory
and
then
91
user
connected
system
with
PowerShell
remoting,
which
I
think
is
the
next
session.
A
A
Yeah
Oh
was
just
the
warning
once
we're
both
so
depends
on
to
what
level
you
have
it
set
in
great
Street
yeah,
where
the
default
is
just
a
warning
where
the
boss
is
I,
mean
you
get
a
lot
more,
you
get
what
was
in
that
screenshot
from
the
from
PowerShell
console.
That
was
that
blue
that
had
everything.
A
Sometimes
things
get
really
really
out
of
them.
This
is
some
nice
trickery.
You
know,
if
someone's
doing
invoke
pops
obfuscation
or
is
trying
to
hide
things
in
very,
very
cryptic
ways,
starting
in
version
five.
This
goes
away
yeah.
This
still
runs
in
this
fashion.
These
will
these
are
still
valid,
but
what
you
get
in
the
logs
is
clear.
It
is
what
the
result
actually
was.
So
there's
no
barrier
from
from
intelligence
perspective
from
the
fringe
standpoint
of
trying
to
figure
out
what
these
things
mean
or
putting
them
into
other
tools
to
try
to
decipher.
A
A
Okay,
how
many
beware
the
ast,
or
have
heard
of
the
AST
abstract
syntax
tree
all
right?
This
is
super
advanced,
so
there's
some
rules,
believe
it
or
not.
Behind
the
scenes
of
things
and
the
rules
is
what
those
truth
systems
are
using
when
they're
deciphering
they're
trying
to
look
at
the
analytical
aspects
of
execution.
A
Is
this
something
that's
normal,
Lee
Holmes
and
some
others
put
together
a
wonderful
little
tool
that
will
detect
scripts
and
whether
or
not
they're,
reliable
or
something
that
should
be
trusted
and
what
it
does
is
it
scans
through
the
ossification,
and
it
looks
for
things
that
gives
you
some
basic
reports.
This
is
a
free
tool,
I'm
going
to
point
to
it
a
little
bit
later,
the
South
there's
been
available
in
the
tech
community
from
PowerShell
for
quite
some
time.
A
Oh
is
this
right,
but
it's
a
it's
a
it's
a
great
way,
especially
if
you're
scanning
attachments
that
are
coming
into
the
environment
with
this
tool.
It'll
tell
you
if
it's
bad
or
not,
if
it's
doing
legitimate
things
or
not
so
legitimate
things
and
there's
an
important
reason
behind
that,
and
this
was
done
with
Daniel
Bohannon
and
Emily
Holmes
derbycon
last
year
they
did
a
talk
at
blackhat
another
with
Def
Con
as
well
related
this
you
can
watch
those
YouTube's
fire.
I
even
did
a
reproduction
of
it
because
Daniels
with
fire
art.
A
This is the reason behind it. No matter what you do to tell people to stop doing, or try to get them to not do, theirs, they're gonna find a way, though, to make it happen, and it's just the reality of things. I know the worst offenders from a security perspective, 20 waters, are the admins. You know, "I don't want anything to get in my way. I should be admin all the time and, as the system gets more and more locked down, I have to find ways to get around those controls."
A
In this case they learn how to ride a unicycle, but it's just a really, really ugly reality. One of the things that's also important is, you know, Device Guard and application whitelisting are really the way to capture those offenders, the ones that know what the signs are and what the blockers are, but they know the way around it.
A
There should be something that's keeping them really on the rails, no matter what, and I've seen a fashion where they can't avert the execution. Device Guard is going to apply something called constrained language mode. Anyone even heard of this? Yeah, so it basically gets rid of things that are not in standard or built-in, for the most part, and if you have some Kerberos errors in your environment, you're probably getting this by that. Typically it happens over a trust that's broken in some way.
A
So I can do things, or I tried to do things there, that trust the script is not trusted at all. It can't execute, and I encourage people to try it, kind of get a little better understanding of what constrained language mode does. It's something that happens for anything that's out of policy. So if you're doing GF you're just gonna get constrained. In some cases, interactive PowerShell commands that you try to execute are going to go in constrained language mode, which means, sorry, they can't call things that you're not supposed to in the environment. Things that are in policy, whether that policy happens to be from a Device Guard perspective or [otherwise], are gonna run in full language. So it's really just: you can do what you're supposed to do and nothing else, regardless of who you think you are. Do you have to debate the restrictions for this? This is more just a reminder of what it gets.
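The speaker encourages trying constrained language mode to see what it actually does. Here is an added example (mine, not from the talk or its slides) that downgrades a throwaway session the way Device Guard / WDAC policy would for an untrusted script, then runs a handful of operations and reports which ones the mode blocks. The set of checks and the Test-LanguageModeRestrictions name are my own choices.

```powershell
# Added example (not from the talk): observe what constrained language mode blocks.
# Run this in a disposable session, e.g.  powershell.exe -NoProfile -File .\clm-demo.ps1
# because a session that has been downgraded to ConstrainedLanguage cannot be raised
# back to FullLanguage from inside that session.
function Test-LanguageModeRestrictions {
    param([string]$Mode = 'ConstrainedLanguage')

    # Manually downgrading this way is the documented method for testing scripts under CLM.
    # Under a real Device Guard / WDAC policy the engine applies it automatically to code
    # that is not trusted by policy; policy-trusted scripts keep running in FullLanguage.
    $ExecutionContext.SessionState.LanguageMode = $Mode

    # Each entry is one operation to attempt; the label explains what is being exercised.
    $checks = [ordered]@{
        'Cmdlet call (Get-Process)'             = { Get-Process -Id $PID | Out-Null }
        'Core type static method ([string])'    = { [string]::Join(',', @('a', 'b')) | Out-Null }
        'Core type instance method ([datetime])' = { [datetime]::Now.AddDays(1) | Out-Null }
        'Arbitrary .NET type (WebClient::new)'  = { [System.Net.WebClient]::new() | Out-Null }
        'Add-Type (compiles C# into the session)' = { Add-Type -TypeDefinition 'public class ClmDemo {}' }
    }

    foreach ($name in $checks.Keys) {
        try {
            & $checks[$name]
            $outcome = 'allowed'
        }
        catch {
            # CLM surfaces its restrictions as terminating errors; the message names the rule.
            $outcome = 'blocked: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            Check        = $name
            LanguageMode = $ExecutionContext.SessionState.LanguageMode
            Outcome      = $outcome
        }
    }
}

Test-LanguageModeRestrictions | Format-Table -AutoSize -Wrap
```

The useful lesson is in the split: cmdlets and the small list of core types keep working, while arbitrary .NET type creation and on-the-fly compilation fail. That is exactly the line between "what you're supposed to do" and "everything else" that the speaker describes, and a production script that only uses the first group will behave the same whether or not the policy downgrades it.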
A
There's restrictions with constrained language mode, and again it's supposed to keep things nice and safe. Nothing, though, is more important than, and this is the DevOps piece, secure coding and then the SDL side of things. You should always, always write scripts, if they're going to be production quality, in a fashion that's going to keep things safe, and because of that wonderful world of the syntax tree, believe it or not, there's a way to check your scripts.
A
There is something that can be used to review code and check on these things. Most people have never seen it. They created a hunting tool that's based on the AST. This is a sample script from Lee Holmes that's out there, just looking for something, and I know I've got time, so I gotta pop over to this, because this is probably more important. I encourage you to go read this one. The link is huge; hopefully we'll share this. I don't have an aka.ms shortlink for it, and I should have made one for this presentation.
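Both the AST introduction earlier and the "hunting tool based on the AST" here come down to the same idea: parse the script without running it and walk the tree for constructs that turn strings into code. The block below is an added example written for this page, not Lee Holmes's script or the rtpsug repository code, showing that walk with PowerShell's built-in parser. The watch list, the Find-DynamicCodeExecution name and the constructed sample script are my own.

```powershell
# Added example (not from the talk): parse a script into its AST and report the places
# where string content becomes executable code. Nothing in the script is executed.
function Find-DynamicCodeExecution {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Label = '<inline>'
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    foreach ($e in $errors) { Write-Warning "$Label parse error at line $($e.Extent.StartLineNumber): $($e.Message)" }

    # Watch list (assumed): commands that evaluate text as code. Aliases are separate
    # names in the AST, so 'iex' must be listed alongside 'Invoke-Expression'.
    $watchCommands = @('Invoke-Expression', 'iex', 'Add-Type')
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Command invocations: GetCommandName() is $null when the command name itself is
    #    computed, which is worth reporting on its own.
    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) {
            $findings.Add([pscustomobject]@{ File = $Label; Line = $cmd.Extent.StartLineNumber; Kind = 'computed-command-name'; Text = $cmd.Extent.Text })
        }
        elseif ($watchCommands -contains $name) {
            $findings.Add([pscustomobject]@{ File = $Label; Line = $cmd.Extent.StartLineNumber; Kind = "command:$name"; Text = $cmd.Extent.Text })
        }
    }

    # 2. Method calls that build code from strings, e.g. [scriptblock]::Create($text)
    #    or $ExecutionContext.InvokeCommand.InvokeScript($text).
    $calls = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true)
    foreach ($call in $calls) {
        $target = $call.Expression.Extent.Text
        $member = $call.Member.Extent.Text
        if (($member -eq 'Create' -and $target -match '(?i)scriptblock') -or $member -eq 'InvokeScript') {
            $findings.Add([pscustomobject]@{ File = $Label; Line = $call.Extent.StartLineNumber; Kind = "method:$target.$member"; Text = $call.Extent.Text })
        }
    }

    return $findings
}

# Constructed sample input (not a real script): two safe lines and four that deserve review.
$sample = @'
param([string]$Name)
Get-ChildItem -Path $env:TEMP
Invoke-Expression "Get-Service -Name $Name"
$cmd = 'Get-Date'
iex $cmd
$sb = [scriptblock]::Create($cmd)
& $cmd
'@

Find-DynamicCodeExecution -ScriptText $sample -Label 'sample.ps1' | Format-Table Line, Kind, Text -AutoSize
```

Run against the sample, it reports line 3 (Invoke-Expression with user input expanded into the string), line 5 (the iex alias), line 6 (scriptblock creation from a string) and line 7 (a command whose name is a variable). For whole repositories the same parser sits behind PSScriptAnalyzer, so `Invoke-ScriptAnalyzer -Path . -Recurse` gives you the maintained rule set, and the InjectionHunter rules mentioned later in the talk plug into it via `Invoke-ScriptAnalyzer -CustomRulePath` pointed at that module.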
A
This is a very, very powerful tool. This is actually embedded into some of the tools that I've seen in use at big enterprises that are scanning scripts to make sure that things are done in proper fashion. The Script Analyzer there is an old, old script, and largely there was a plugin for the ISE. This is a VS Code, it's a Visual Studio Code add-on or tool, and it can be used to scan entire repositories.
A
I mean, you can do things en masse with this: take them, look at what's being used and how things should be updated. I had to grab a new screenshot because they updated it, not too much, super far, far back, but it's a wonderful, wonderful extension and the power that it gives you. Oh, how much, anybody else needs a picture? But hopefully they make this available. Here is, we're also looking at the Injection Hunter. This is another wonderful tool.
A
It has been a basis last year, but it kind of got it right on the third try. Everyone knows what injection is, right? We hear bad things on SQL, you know, the ability to append arbitrary code and do other things in a parameterised way that makes it work, even though it's not supposed to happen. So this is a way of, you know, going through and scanning items to see if there is a potential for PowerShell injection. Make your script safe. I don't think PowerShell injection is going to be the next thing to replace, you know, SQL injection or loss, but it's not applicable, but it's, it's really important, and these things are available for Studio Code and can run in real time. So it's analyzing things as you open them up or as you're writing them out. You'll get the nice warnings and errors, so use it. It's free! You don't have to have Visual Studio, a big crime.
A
You can just have the baby one and it works great. In fact, I teach PowerShell classes all over the country and I only teach using Code. Now the ISE is done; I'm tired of the ISE and some of the add-ons and all the things after load to make it look like this, not to mention all the development is going into this area anyway. It's a lot easier to move from this into some of the other, bigger tools that are after. So at this point you got to be thinking: hopefully we've got everything right.
A
Unfortunately, don't. These are three great things that should be in place. You know, you've got logging, hopefully that Device Guard turned on on the system as well to kind of help with the debate admins get in, and you've got something that's doing script analysis, actively or at least scanning after the fact for what may be going off. We went from a forensic perspective, but that's not everything.
A
This is just one that I grabbed from that grave. They say the transparency and the opportunity from a forensic perspective for PowerShell: you can't hide now using PowerShell. For those who are doing investigations, they're basically going to be discovered. It can be undone. You know, you can draw the map of the breadcrumbs of Tears to what actually was done, if you have these things turned up. So PowerShell is a, it's a built-in honeypot, more or less. It has the capabilities to capture everything that is going on.