PSUG Weekend Attack!


Details
We have a new event scheduled, with a focus on security.
Note: The event is on a Saturday.
Morten Schenk and Jakob Heidelberg from ImproSec ApS will show us how to use PowerShell as an attack platform.
On the opposite side, Jared Atkinson (PowerShell MVP, lead developer of PowerForensics and PowerShell Conference speaker) from Veris Group will show how to use PowerShell for defensive work.
Session:
PowerShell as an attack platform
Using PowerShell Empire to carry out attacks against an organisation's infrastructure, covering everything from phishing and privilege escalation to Mimikatz and lateral movement. PowerShell is a solid attack platform that is hard to restrict and can operate entirely in memory. This presentation shows how PowerShell-based attacks can be carried out in an Active Directory domain, and what options exist for restricting the use of PowerShell.
And coming straight from PowerShell Conference EU, we have U.S.-based Jared Atkinson:
Jared Atkinson
is the Hunt capability lead with Veris Group's Adaptive Threat Division. Before working for Veris Group, Jared spent four years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks.
Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, and of Uproot, a WMI-based IDS, and maintains a DFIR-focused blog at www.invoke-ir.com.
Jared holds a Master of Science in Information Assurance and Security and numerous industry certifications, including GIAC Certified Forensic Analyst (GCFA) and GIAC Certified Windows Security Administrator (GCWN).
Session:
Taking Hunting to the Next Level: Hunting in Memory
The vast majority of threat hunting takes place on easily visible and accessible system artifacts. These include log entries, network data, command line histories, persistence locations, and many other locations on a system or in the environment. Thanks to rule-based approaches and more advanced data analytics, it is relatively easy to detect outliers, surface suspicious artifacts, and discover anomalies on and across endpoints. Current hunt methodologies do a good job of finding intrusions and reducing dwell times in many cases, but it still isn't good enough.

Traditional hunting methods don't address one essential area: in-memory-only attacks. Today's sophisticated adversaries are well aware of the challenges that in-memory-only methods pose for defensive tools and methods (including threat hunting) and thus increasingly avoid touching disk during operations. It is generally not possible with today's tools to perform signature-less analysis of memory at the scale necessary for effective hunting. Current memory analysis methods usually require collection of very large amounts of data and entail intensive analysis. Memory is largely a place for forensics as opposed to a data source for real threat hunting at the speed and scale necessary for effective detection. We can do better.

In this talk, we will describe both common and advanced stealth malware techniques which evade today's hunt tools and methodologies. Attendees will learn about adversary stealth and understand ways to detect some of these methods. Then, we will demonstrate and release a PowerShell tool which allows a hunter to automatically analyze memory across systems and rapidly highlight injected, in-memory-only attacks at scale. This will help move memory analysis from the domain of forensics to the domain of detection and hunting, allowing hunters to close the detection gap against in-memory threats, all without relying on signatures.
Flip the Script: PowerShell, Microsoft's Incident Response Language
What administration and automation tool do state-sponsored actors like APT 29, criminal actors like Phineas Fisher, and IT staff all rely upon heavily? PowerShell. Integrated into many offensive toolkits, PowerShell is gaining respect in offensive circles as "Microsoft's Post-Exploitation Language". In a quest to combat this perceived threat, many defenders attempt to disable PowerShell rather than realizing its defensive potential. In this talk, we will cover PowerShell defensive tools and techniques that you can use effectively to detect malicious activity without the need for a bloated host-based agent. Don't be afraid of PowerShell! Fight back, instill fear in the attacker, and reclaim your enterprise! It's time to acknowledge PowerShell as "Microsoft's Incident Response Language"!
Agenda (may change a bit as we get closer to the event):
11:00 - 11:15 - Intro
11:15 - 12:15 - Jakob/Morten - Offensive PowerShell - PowerShell as an attack platform
12:15 - 12:45 - Lunch
12:45 - 13:45 - Jared - Taking Hunting to the Next Level: Hunting in Memory
13:45 - 14:00 - Break
14:00 - 14:45 - Jared - Flip the Script: PowerShell, "Microsoft's Incident Response Language"
14:45 - 15:00 - Outro & End