Powershell is DEAD – Epic Learnings! presented at BSidesLondon 2019

by Ben Turner,

Summary: Powershell is Dead……mibs! It probably is if you want to limit your attack tooling, but truth be told it is very environment specific: from running no Powershell at all by using the System.Management.Automation.dll, to loading .NET v2 binaries, to disabling defensive capabilities like AMSI, there are many ways to pilfer and remain undetected in an environment, depending on the maturity of the defensive capability. Is Powershell dead? Absolutely maybe..... The talk is designed to share information about the latest techniques (both defensive and offensive) that we have to face when emulating threat actors with various motives and tactics. We will talk in depth about the current attack surface, the technologies in play on Windows endpoints, and some of the pitfalls of EDR products, and how the offensive team's role is getting much harder. This will go into the depths of the ‘System.Management.Automation.dll’, including commonly used techniques such as ‘Add-Type’ and ‘Assembly.Load’ in the .NET world. We will also cover some tips relating to process injection methods and tooling which can help detect such activities on an endpoint. The talk will also dive into some of the specific tooling involved, including various alterations to PoshC2 and its C# implant, common opsec pitfalls we have learnt along the way, and how easy it can be to detect malicious actors depending on their capability. We will also look at what the world of Red Teaming will look like over the next 12-18 months and discuss the future of memory-resident malware and the challenges facing both Red and Blue.