BSidesCLT 2021: PowerShell’s Return to Power - Dahvid Schloss
Over the past few years, we have seen offensive C# rise in popularity over PowerShell. This sparked a plethora of new OffSec-focused C# tools and executables that bypass the watchful eye of the security community. However, this shift of focus has allowed attackers to garner new techniques for bypassing and defeating the organic controls that Microsoft has put into place to protect the scripting application. We believe that PowerShell exploits and attack methods are still alive and well. With PowerShell still deployed on every machine by default, there is still a massive security hole in your organization that could allow an attacker to navigate your environment without ever needing to place an executable "on disk." Using our own Red Team PowerShell scripts as examples, please join Dahvid as he discusses the following concepts:
- Advantages of PowerShell for an attacker
- AMSI and “signed script execution” bypassing
- Whitelist application bypassing
- Malware deployment / Shellcode loading
- How to prevent and detect these methods