Recording: Powershell Paranoia


Amy and Susan welcomed Carlos Perez to join us for this webinar about PowerShell. Carlos enlightened and frightened us with his walk-through of how hackers, viruses and pen testers are using PowerShell to manipulate their way into networks. This is an intense session. Toward the end he also covers some defense and detection techniques. This isn’t your typical how-to-use-PowerShell session. This is about how people are using and abusing PowerShell.

Carlos currently works as the Director of Reverse Engineering at Tenable Network Security. In his spare time he contributes to and develops several open source security projects. He is also a Microsoft MVP for PowerShell, one of the co-hosts of the Paul Security Weekly podcast and a member of the PTES (Penetration Test Execution Standard).

Amy Babinchak is the owner of Third Tier and Harbor Computer Services (an MSP). She is also a Microsoft MVP in Small and Medium Business Server. Susan Bradley is a Microsoft Enterprise Security MVP and forensic accountant. Both Amy and Susan have a passion for excellence in small business IT. These webinars will be chatty with each bringing their experience and technical expertise to the table.

Download and listen to the recording

Here is also a copy of the chat log.

You@All: The dreaded mark of the Internet

You@All: I used -ExecutionPolicy to run a command to Azure the other day. Once you use that you can run anything at all

Viewer 40@All: Where do I turn on Powershell logging in Win 7 / 2008 /2012 ?

You@All: So if we download a script to use for some purpose and we see “invoke-Expression” in there should we automatically consider the source suspect?

Larry Struckmeyer@All: Afraid I had to take a call and missed how to prevent commands from running unless encoded script. That is to ask…if I encode all my scripts how to prevent an intruder from running commands from the PS shell CLI If in slides will we get copy?

KenS@All: How can code that has been injected into memory and executed be discovered?

You@All: Is there any way to proactively monitor for this kind of thing?

Susan Bradley@All: btw Carlos has some great videos on the web from Derbycon –

Viewer 40@All: Where do we get Process Tree

Susan Bradley@All: debug video

You@All: Also I’ve noticed that in windows 10 the process list in Task Manager breaks down processes so you can see what is running under them. Hopefully that will stay in the final version.

Susan Bradley@All: I think this is process tree –

You@All: We’ve started into the Defenses now

Susan Bradley@All:

Susan Bradley@All:

Viewer 40@All: How would you tell if PowerShell was running on workstations in a network?

Hilton Wookie@All: Looks like, realistically, we need to run Sysmon to keep looking at events, and spend a lot of time looking through logs to see who’s hacking at the huge holes Microsoft left in PS?

Susan Bradley@All:

Viewer 40@All: What arguments would you use to set up Sysmon?

Viewer 40@All: What whitepaper is that?

Susan Bradley@All:

Susan Bradley@All: first hit in google

Viewer 27@All:

Hilton Wookie@All: Thanks Amy and Carlos – much appreciated

KenS@All: FANTASTIC!!! Thanks Amy, Susan and Carlos!!!

Hilton Wookie@All: … and Susan, of course, yeah

JimMuglia@All: Congratulations Amy on your cover of Channel pro.

JimMuglia@All: I feel like such a newbie after this presentation.

Randy Spangler@All: +1

You@All: thanks Jim

Susan Bradley@All:

You@All: It was quite an honor. I didn’t know about the 20/20 visionary thing. They held that back from me.

You@All: So maybe all future hacks and nasty encrypting viruses are going to start using PowerShell

Susan Bradley@All:

JimMuglia@All: Amy, you definitely deserve the recognition.

Carlos Perez@All:

Randy Spangler@All: What is the best way to quickly get up to speed with PowerShell?

Susan Bradley@All:

Susan Bradley@All: Don Jones

You@All: free ebooks

Jody MacKercher@All: Read the “Hey, Scripting Guy!” blog

Susan Bradley@All:

Susan Bradley@All:

Randy Spangler@All: Thanks guys!
