PowerShell Security: Defending the Enterprise from the Latest Attack Platform presented at bsidesdc 2016

by Sean Metcalf,

Summary : PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have recently learned that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.
With the industry shift to an "Assume Breach" mentality, it's important to understand the impact of defending against an attacker on the internal network since this is a major shift from the traditional defensive paradigm. In its default configuration, there's minimal PowerShell logging and nothing to slow an attacker's activities. Many organizations seek to block the PowerShell executable to stop attacks. However, blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. Simply put, don't block PowerShell, embrace it. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like PowerSploit (Invoke-Mimikatz) and the recently released PowerShell Empire become more prevalent (and more commonly used), it's more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate a variety of PowerShell attack methods.
The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. PowerShell recon & attack techniques are shown as well as methods of detection & mitigation. Also covered are the latest methods to bypass and subvert PowerShell security measures including PowerShell v5 logging, constrained language mode, and Windows 10's AMSI anti-malware for scanning PowerShell code in memory.The final part of the presentation explains why PowerShell version 5 should be every organization's new baseline version of PowerShell due to new and enhanced defensive capability.
This talk is recommended for anyone tasked with defending and testing the defenses for an organization as well as system administrators/engineers.