Amy and Susan welcomed Carlos Perez to this webinar about PowerShell. Carlos enlightened and frightened us with his walkthrough of how hackers, malware authors and pen testers are using PowerShell to manipulate their way into networks. This is an intense session. Toward the end he also covers some defense and detection techniques. This isn’t your typical how-to-use-PowerShell session. This is about how people are using and abusing PowerShell.
Carlos currently works as the Director of Reverse Engineering at Tenable Network Security. In his spare time he contributes to and develops several open source security projects. He is also a Microsoft MVP for PowerShell, one of the co-hosts of the Paul’s Security Weekly podcast and a member of the PTES (Penetration Testing Execution Standard).
Amy Babinchak is the owner of Third Tier and Harbor Computer Services (an MSP). She is also a Microsoft MVP in Small and Medium Business Server. Susan Bradley is a Microsoft Enterprise Security MVP and a forensic accountant. Both Amy and Susan have a passion for excellence in small business IT. These webinars are chatty, with each bringing her experience and technical expertise to the table.
Here is also a copy of the chat log.
You@All: The dreaded mark of the Internet
You@All: I used -ExecutionPolicy to run a command to Azure the other day. Once you use that you can run anything at all
Viewer 40@All: Where do I turn on Powershell logging in Win 7 / 2008 /2012 ?
You@All: So if we download a script to use for some purpose and we see “Invoke-Expression” in there, should we automatically consider the source suspect?
Larry Struckmeyer@All: Afraid I had to take a call and missed how to prevent commands from running unless they are an encoded script. That is to ask… if I encode all my scripts, how do I prevent an intruder from running commands from the PS shell CLI? If it’s in the slides, will we get a copy?
KenS@All: How can code that has been injected into memory and executed be discovered?
You@All: Is there any way to proactively monitor for this kind of thing?
Susan Bradley@All: btw Carlos has some great videos on the web from Derbycon – http://www.irongeek.com/i.php?page=videos/derbycon4/t105-abusing-active-directory-in-post-exploitation-carlos-perez
Viewer 40@All: Where do we get Process Tree
Susan Bradley@All: http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-63-Windows-81-SDK debug video
You@All: Also I’ve noticed that in windows 10 the process list in Task Manager breaks down processes so you can see what is running under them. Hopefully that will stay in the final version.
Susan Bradley@All: I think this is process tree – http://www.softwaredirections.com/ptree/
You@All: We’ve started into the defenses now
Susan Bradley@All: http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
Susan Bradley@All: https://technet.microsoft.com/en-us/sysinternals/dn798348
Viewer 40@All: How would you tell if PowerShell was running on workstations in a network?
Hilton Wookie@All: Looks like, realistically, we need to run Sysmon to keep looking at events, and spend a lot of time looking through logs to see who’s hacking at the huge holes Microsoft left in PS?
Viewer 40@All: What arguments would you use to set up Sysmon?
Viewer 40@All: What whitepaper is that?
Susan Bradley@All: https://www.google.com/search?q=nsa+catching+attackers&sourceid=ie7&rls=com.microsoft:en-US:IE-Address&ie=&oe=&safe=strict&gws_rd=ssl#safe=strict&rls=com.microsoft:en-US:IE-Address&q=nsa+catching+attackers+whitepaper+spotting+the+adversary
Susan Bradley@All: first hit in google
Hilton Wookie@All: Thanks Amy and Carlos – much appreciated
KenS@All: FANTASTIC!!! Thanks Amy, Susan and Carlos!!!
Hilton Wookie@All: … and Susan, of course, yeah
JimMuglia@All: Congratulations Amy on your cover of Channel pro.
JimMuglia@All: I feel like such a newbie after this presentation.
Randy Spangler@All: +1
You@All: thanks Jim
You@All: It was quite an honor. I didn’t know about the 20/20 visionary thing. They held that back from me.
You@All: So maybe all future hacks and nasty encrypting viruses are going to start using PowerShell
Susan Bradley@All: https://github.com/davehull/Kansa/
JimMuglia@All: Amy, you definitely deserve the recognition.
Carlos Perez@All: http://www.powershellmagazine.com/tag/security/
Randy Spangler@All: What is the best way to quickly get up to speed with PowerShell?
Susan Bradley@All: http://www.cbtnuggets.com/
Susan Bradley@All: Don Jones
You@All: http://www.powershell.com free ebooks
Jody MacKercher@All: Read the “Hey, Scripting Guy!” blog
Susan Bradley@All: http://www.cbtnuggets.com/it-training/microsoft-windows-powershell-2-3-4
Randy Spangler@All: Thanks guys!
Not a Third Tier customer yet? Let me introduce: We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations. Attend our next chat or webinar: http://www.thirdtier.net/event