PowerShell’s Return to Power
Over the past few years, we have seen offensive C# grow in popularity at PowerShell's expense. This sparked a plethora of new offensive-security-focused C# tools and executables that slipped past the watchful eye of the security community. However, this shift in focus has also given attackers time to learn new techniques for bypassing and defeating the built-in controls that Microsoft has put in place to protect the scripting engine. We believe that PowerShell exploits and attack methods are still alive and well. With PowerShell still deployed on every machine by default, it remains a massive security hole for your organization, one that could allow an attacker to navigate your environment without ever needing to place an executable "on disk". Using our own Red Team PowerShell scripts as examples, join me as we discuss the following concepts:
- Advantages of PowerShell for an attacker
- AMSI and “signed script execution” bypassing
- Whitelist application bypassing
- Malware deployment / Shellcode loading
- How to prevent and detect these methods
Dahvid is a Manager and lead in the Offensive Security service offering within Echelon. An experienced professional with over 10 years of cyber-attack and defense experience, Dahvid has previously worked as a Red Team Operator with a Big 4 consulting firm, leading and conducting Adversarial Emulation exercises, and has served in the military, leading, conducting, and advising on special operations offensive cyber operations. He has a wide background in cyber security, including logical, social, and physical exploitation as well as incident response and system/network device hardening.
Dahvid has extensive experience assisting clients in developing strategic risk reduction strategies and activities. He has experience leading and managing adversarial emulation engagements and red team activities focusing on attack vectors from the perspective of an insider threat, financially motivated APTs, and nation-state-backed APTs. In these engagements, Dahvid has developed and leveraged a custom in-memory post-exploitation framework within PowerShell. He also has experience performing and leading physical and social engineering engagements with unique exploitation techniques. Dahvid also has extensive experience building and advising clients on their vulnerability management practices across the enterprise.