PowerShell: Making everything old new again presented at BsidesAugusta 2015

by Andrew Cole, Rich Moulton

Summary: In post-exploitation operations, using native OS capabilities is always preferred over custom tools, to minimize attention from security products. As native OS capabilities go, none surpass Microsoft's PowerShell in providing complete access to the Win32 API. Better still, PowerShell allows us to compile code on-the-fly that will get us the functionality we want regardless of system architecture. In this presentation, we will show you several ways to leverage these capabilities to achieve classic hiding behaviors dynamically, and without regard to 32-bit or 64-bit environments, including hiding processes, files and registry entries.
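The abstract's central point is that PowerShell can compile code on the fly, which gives it Win32 API reach without dropping a custom binary and so draws less attention from security products. The defender-side counterpart is that this compilation step leaves a trace when PowerShell Script Block Logging is enabled. The following PowerShell script is an added example, not material from the talk or its authors: it reads script block events (ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and surfaces blocks that contain the usual on-the-fly compilation constructs. The pattern list is an assumption about what such compilation typically looks like, not a set of indicators taken from the presentation, and the script assumes Script Block Logging is already turned on and that it runs with rights to read that log.

```powershell
# Added example (not from the BSides Augusta abstract): surface PowerShell
# script blocks that compile code at run time.
# Assumptions: Script Block Logging is enabled (event ID 4104 in
# Microsoft-Windows-PowerShell/Operational) and the caller can read that log.

# Constructs commonly involved in compiling or loading code from PowerShell.
# This list is an assumption for illustration, not indicators from the talk.
$patterns = @(
    'Add-Type',                   # compiles C#/VB source or loads an assembly
    'DllImport',                  # P/Invoke declarations used to reach Win32 APIs
    'CSharpCodeProvider',         # direct use of the .NET compiler services
    'CompileAssemblyFromSource'   # CodeDom compilation entry point
)
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Pull recent 4104 events; SilentlyContinue avoids an error when none exist.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # For a 4104 event, Properties[2] holds the script block text and
    # Properties[3] the script block id (a GUID shared by multi-part blocks).
    $text = [string]$e.Properties[2].Value
    if ($text -match $regex) {
        $matched = $patterns | Where-Object { $text -match [regex]::Escape($_) }
        $preview = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time          = $e.TimeCreated
            ScriptBlockId = $e.Properties[3].Value
            Matched       = ($matched -join ',')
            Preview       = $preview.Substring(0, [Math]::Min(120, $preview.Length))
        }
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Legitimate administration scripts also use Add-Type, so treat a hit as a triage lead rather than a verdict; the script block id lets you reassemble the full text of a long block that was logged in several parts before deciding whether the compiled code is expected on that host.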