Title: (Intermediate) Detecting The Not-PowerShell Gang
Description:
Since the advancement of security features released in PowerShell version 5, Red Team folks have been forced to stop using PowerShell in order to keep their engagements successful and undetected. Some of them even push the boundary further, creating their own Not-PowerShell tools and releasing them to the public. As a Blue Teamer, this means we need to reinforce our perimeter against these tools. This talk will uncover some of the popular Not-PowerShell tools, followed by how blue teams can still spot these tools and build detections for them.
This talk will look into several not-powershell tools and craft several detection tactics based on their mechanisms. We will utilize common logging tools, Sysmon and Windows Logs (integrated into a SIEM).
We will start with an introduction and quickly go through the common mechanisms used by the not-powershell tools.
Tools we are going to look at are:
- InvisiShell
- NoPowerShell
- PowerShdll
- PowerLessShell
- And some other tools with a similar mechanism
After getting familiar with the mechanisms, we will put our blue hats back on and see what artifacts are left behind by these tools, then build reliable detection for each mechanism that leaves little room for false positives. At the end of the day, the blue team will be awarded some queries (also known as rules or use cases) that they can deploy in their own SIEM solution.
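As an added example (not from the talk or from any of the listed tools), here is detection logic for one mechanism several not-powershell tools share: hosting the PowerShell engine (System.Management.Automation.dll) inside a process other than the usual PowerShell hosts. It runs over constructed Sysmon Event ID 7 (Image Loaded) records and flags engine loads by processes outside an assumed allowlist; the allowlist, the key=value record format and the sample paths are assumptions, and tools that never load the engine at all would need a different artifact.

```python
# Added example: flag Sysmon Event ID 7 (ImageLoaded) records in which the
# PowerShell engine assembly is loaded by a process that is not a known host.
import ntpath

# File names the engine assembly ships under (native-image variant included).
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

# Assumed allowlist of legitimate engine hosts. Tune this per environment:
# a list that is too short is where the false positives will come from.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_unexpected_engine_load(event: dict) -> bool:
    """True when a process outside KNOWN_HOSTS loads the PowerShell engine."""
    if event.get("EventID") != "7":
        return False
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    host = ntpath.basename(event.get("Image", "")).lower()
    return loaded in ENGINE_DLLS and host not in KNOWN_HOSTS


def detect(lines) -> list:
    """Return (host image, loaded DLL path) for every suspicious record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_unexpected_engine_load(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


# Constructed sample records; the paths are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ImageLoaded=C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll",
    r"EventID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll",
    r"EventID=7|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation\System.Management.Automation.ni.dll",
    r"EventID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\System32\shell32.dll",
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe example.dll,Entry",
]

if __name__ == "__main__":
    for host, dll in detect(SAMPLE_EVENTS):
        print(f"ALERT: {host} loaded {dll}")
```

Only the second and third records fire: a legitimate powershell.exe load and an unrelated rundll32.exe DLL load are ignored, as is the Event ID 1 record.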
Speaker(s): Mangatas Tondang
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-07 16:00 (04:00 PM) PDT (UTC -07:00)
Event ends: 2020-08-07 16:30 (04:30 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-02T22:52 (UTC).
