PowerShell Exploitation - PowerSploit - BloodHound - PowerShellMafia - Obfuscation
Offered By: YouTube
Course Description
Overview
Explore PowerShell exploitation techniques, including PowerSploit, BloodHound, and PowerShellMafia, in this 50-minute conference talk from ShowMeCon 2018. Delve into PowerShell security, event logging, and malware detection methods. Learn about obfuscation techniques, Base64 encoding, and script block logging. Discover how to filter logs, create email alerts, and effectively hunt for malicious PowerShell activity. Gain insights into PowerShell versions, audit logging, and best practices for securing your environment against PowerShell-based attacks.
Syllabus
Intro
PowerShell Exploitation
What is set? What version?
Audit with LOG-MD
PS Event IDs - Windows PowerShell
PS Event IDs - PowerShell/Operational
What is Malware Using?
Exploit Kits
Typical Malware launching PowerShell
Did that look normal?
They do this to hide what you see
PowerShell Logs show it too
Base64 Encoded
Manual Translation
PS Base 64 blob
4104 Decodes Base64 blobs
Obfuscation - Odd stuff - 4688
Script Blocks are labeled
This is a normal Script Block
WARNING !!!!
4100 - Executing Pipeline
PS v2 - 500 Events
Filtering out the good, to find the bad
Code your PowerShell for exclusion
Create Email Alerts
PowerShell Log Goodness
Security Log
PowerShell v5
How do I hunt for PS?
Summary
Resources
Questions?