DEF CON 22 - Day 2

I attended a good amount of talks on this day but this was the only ones that I actually understood. I did also attend-Extreme Privilege Escalation On Windows 8/UEFI System but the whole thing was way over my head so I couldn't do it any justice.

Investigating PowerShell Attacks

Ryan Kazanciyan & Matt Hastings from Mandiant

his talks was given by two guys from Mandiant who were investigating how attackers were using powershell to accomplish horizontal transversal of an environment after they have access to one system in a network. This strategy was very effective because everything is run in memory. So once the system is rebooted all information is lost unless there is a paging file which may have very limited evidence. Ryan and Matt talked about analyzing the memory fragments to see if a system was compromised and if so what was done. Almost everything they were doing required an image of the memory. They also talked about how different versions of powershell left different fragments. I've linked a copy of an earlier version of their powerpoint if you're interested below.

Presentation - https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf




comments powered by Disqus