Unveiling the not-PowerShell cult (Mangatas Tondang)
Unveiling the not-PowerShell cult
The name PowerShell is self-explanatory: a command-line shell with a lot of superpowers hidden under the hood. It is heavily used by sysadmins, loved by red teams, exploited by APTs, and now also taken seriously by blue teams because of its advanced logging and security features. More mature blue teams have started building detections for PowerShell and hardening their environments with its features such as Constrained Language Mode, AppLocker, and Script Block and Module logging.
Although PowerShell techniques fall under the Execution tactic in MITRE ATT&CK, you can achieve pretty much all of the other 11 tactics with PowerShell alone, which is why red teamers love it. But red teamers who use PowerShell as their main arsenal have had to avoid it since version 5 introduced the security features listed above. Deep down, of course, they still crave those juicy cmdlets. That is why a number of offensive security researchers developed Not-PowerShell tools: tools that use the same libraries and system calls as PowerShell itself (counterfeit PowerShell, in a nutshell) while bypassing PowerShell's security features.
This talk uncovers some of the popular techniques used to build these Not-PowerShell tools. We will meet the four members of the cult: InvisiShell, PowerShDLL, PowerLessShell and NoPowerShell. After a brief introduction to how they work, we will have a short demonstration of what these tools can do. Lastly, and most importantly, we will turn a full 180 degrees and put on our blue team hat: we will try to detect these tools using the Windows logging system, the infamous Sysmon, and last but not least, Event Tracing for Windows (ETW).
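As an added example (not the speaker's code and not part of any of the four tools), the following script shows the allowlist-style check a hunter would run over the two event sources the talk points at: Sysmon Event ID 7 image loads of the PowerShell engine assembly, and Windows PowerShell Event ID 400 engine-start records, whose message carries a HostApplication field. Any process other than an approved PowerShell host that loads System.Management.Automation.dll or starts the engine is flagged. The event records, file paths and the APPROVED_HOSTS list are constructed for illustration and must be tuned per environment.

```python
"""
Added example: flag PowerShell engine activity hosted by something other
than an approved PowerShell host.

Telemetry modelled:
  * Sysmon Event ID 7 (Image loaded): System.Management.Automation.dll,
    or its native image System.Management.Automation.ni.dll, loaded into
    a process.
  * Windows PowerShell Event ID 400 (Engine state changed to Available):
    the message text contains a HostApplication=<command line> field.

All sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes expected to host the PowerShell engine (assumed allowlist).
# Tune per environment: management agents that host runspaces belong here.
APPROVED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

ENGINE_DLL = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$", re.IGNORECASE)
HOST_APPLICATION = re.compile(r"HostApplication=([^\r\n]+)")


@dataclass
class Finding:
    source: str   # which telemetry produced the hit
    host: str     # lower-cased name of the executable hosting the engine
    detail: str   # the raw evidence


def image_basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_from_command_line(cmdline: str) -> str:
    """Executable name from a command line: a quoted path, an unquoted
    path (possibly with spaces) ending in .exe, or the first token."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+)', cmdline.strip(), re.IGNORECASE)
    exe = next(g for g in m.groups() if g) if m else ""
    return image_basename(exe)


def check_sysmon_image_load(event: dict) -> Optional[Finding]:
    """Sysmon EID 7: engine DLL loaded by a process outside the allowlist."""
    if event.get("EventID") != 7:
        return None
    if not ENGINE_DLL.search(event.get("ImageLoaded", "")):
        return None
    host = image_basename(event.get("Image", ""))
    if host in APPROVED_HOSTS:
        return None
    return Finding("sysmon_7", host, f"{event['Image']} loaded {event['ImageLoaded']}")


def check_powershell_engine_start(event: dict) -> Optional[Finding]:
    """Windows PowerShell EID 400: engine started inside a host outside the allowlist."""
    if event.get("EventID") != 400:
        return None
    m = HOST_APPLICATION.search(event.get("Message", ""))
    if not m:
        return None
    host = host_from_command_line(m.group(1))
    if host in APPROVED_HOSTS:
        return None
    return Finding("powershell_400", host, m.group(1).strip())


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run every check over every event and collect the hits."""
    findings: List[Finding] = []
    for ev in events:
        for check in (check_sysmon_image_load, check_powershell_engine_start):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


def engine_start_message(host_application: str) -> str:
    """Constructed skeleton of the EID 400 message text."""
    return ("Engine state is changed from None to Available.\n\nDetails:\n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n"
            f"\tHostApplication={host_application}\n\tEngineVersion=5.1.19041.1\n")


# Constructed sample events: powershell.exe and svchost.exe are benign,
# rundll32.exe (PowerShDLL-style) and MSBuild.exe (PowerLessShell-style) are not.
ENGINE_GAC = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
              r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": ENGINE_GAC},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ImageLoaded": ENGINE_GAC},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 400, "Message": engine_start_message(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile")},
    {"EventID": 400, "Message": engine_start_message(
        r"C:\Windows\System32\rundll32.exe C:\Users\Public\PowerShdll.dll,main")},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.source}] host={f.host}: {f.detail}")
```

Two caveats on coverage. Sysmon only records image loads that the configuration includes, so the engine DLL has to be in an ImageLoad include rule for the EID 7 path to exist at all, and the EID 400 record lives in the classic "Windows PowerShell" log rather than the Operational one. Second, this allowlist only catches tools that host the engine from an unexpected process: InvisiShell still runs inside powershell.exe, and NoPowerShell reimplements cmdlets rather than loading the engine, so neither produces these hits and they need other telemetry (process creation and command lines, for instance).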
Biography
Professionally, Tas is a (not the advanced kind of persistent) threat hunter for one of the major Canadian telecommunications companies. As a blue teamer, he is passionate about learning and breaking hacking tools to pieces and trying to develop detections against them. He also loves following recent intelligence reports on different APT groups and building detections from them.
Coming from a school that taught him a broad spectrum of information security, he also loves exploring application security, reverse engineering, and creating tools that help him and his coworkers. He wouldn't be here without community support, which is why he loves giving security training to others, and he is currently also a member of the CTF challenge development team at his alma mater.