Investigating PowerShell Attacks

Delve into the world of PowerShell attacks and their forensic investigation in this comprehensive conference talk from BruCON 0x06. Explore how targeted attackers leverage PowerShell for command-and-control operations in compromised Windows environments, focusing on common attack patterns such as lateral movement, remote command execution, reconnaissance, file transfer, and persistence establishment. Learn to collect and interpret forensic artifacts both on individual hosts and across enterprises, with real-world incident examples and recommendations for limiting exposure. Discover investigation methodologies, including memory analysis, event log examination, and WMI object enumeration. Gain insights into PowerShell versions, WinRM process hierarchy, and various logging techniques. Understand attacker assumptions, evidence longevity, and the intricacies of PowerShell persistence mechanisms. Equip yourself with valuable lessons learned and enhance your ability to detect and respond to PowerShell-based threats in your organization's Windows infrastructure.

Intro
Background Case Study
Why PowerShell?
PowerShell Attack Tools
PowerShell Malware in the Wild
Investigation Methodology
Attacker Assumptions
Version Reference
WinRM Process Hierarchy
Remnants in Memory
How Long Will Evidence Remain?
Example - Simple Command
Example-Encoded Command
What to Look For?
Memory Analysis Summary
PowerShell Event Logs
Local PowerShell Execution
Remoting (Accessed Host)
PS Analytic Log: Decoded Input
PS Analytic Log: Encoded I/O
PS Analytic Log: Decoded Output
Logging via PowerShell Profiles
Logging via AppLocker
PowerShell 3.0: Module Logging
Module Logging Example: File Listing
Module Logging Example: Invoke-Mimikatz
PowerShell Persistence
Common Techniques
Persistence via WMI
Event Filters
Event Consumers
Enumerating WMI Objects with PowerShell
PS WMI Evidence: File System
PS WMI Evidence: Registry
PS WMI Evidence: Other Sources
Other Sources of Evidence
Lessons Learned
Acknowledgements
Questions?