Defending against PowerShell Attacks

Explore defensive strategies against PowerShell attacks in this 40-minute conference talk from Derbycon 7. Delve into topics such as VBA, Win32 API, post-exploitation frameworks, and the MITRE Framework. Learn why PowerShell is commonly used and examine the challenges of blocking it. Discover PowerShell's role as a management engine and its security features, including Just Enough Administration, local sandboxing, and security transparency. Investigate advanced security measures like configuration module pipeline logging, system transcripting, and script lock logging. Analyze techniques such as Invoke-Obfuscation and Invoke-Expression, and explore antimalware solutions, protected event logging, and useful PowerShell events. Gain insights into PowerShell scripts, abstract syntax trees, and Device Guard application whitelisting to enhance your organization's security posture against PowerShell-based threats.

Introduction
VBA
Win32 API
PowerShell
Palo Alto Labs
Post exploitation frameworks
Why people use PowerShell
MITRE Framework
Lets Block PowerShell
PowerShell doesnt solve the underlying security problem
PowerShell is a management engine
You block PowerShell
Lua scripting language
Three stages in security
PowerShell security
Just enough administration
DNS administration
Administration
Gaea
Local Sandboxing
Security Exposure
PowerShell Security Transparency
Configuration
Module Pipeline Logging
System Transcripting
Script Lock Logging
Invoke Obfuscation
Invoke Expression
Antimalware
Protected Event Logging
Useful PowerShell Events
PowerShell Scripts
Abstract Syntax Trees
Device Guard Application Whitelisting
Raid Number
Fake Face