Presented at the 2018 SANS DFIR Summit by Mari DeGrazia, Senior Director, Kroll Cyber Risk. Mari's presentation was picked as the 2nd most popular talk across all SANS conferences in 2018.

Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as "fileless malware", they can leave behind forensic artifacts for examiners to find. In this presentation, learn how to locate and identify activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contain several layers of obfuscation that need to be decoded. Mari walks through how to decode them, as well as how to perform some light malware analysis on any embedded shellcode. She also demonstrates how to use an open source Python script to automate the process once you have discovered the MO of the attacker in your case.

And at Kroll, we come across a lot of malicious PowerShell scripts in our investigations. Today, I'm going to walk through how you find these malicious PowerShell scripts and then show you how you can decode them. But first, one of the themes you may have noticed here at this conference is DFIR Superheroes. You're here to learn how to channel these powers. And so today, I have some prizes to help you channel that inner DFIR Superhero. Some of you that know me know that I'm a maker and I enjoy making things. So right here, I have an Iron Man Arc Reactor. It's going to do a couple of different things. I made it with an Arduino, 3D printed case and I have some Easter eggs hidden in my presentation. If you see one of these Easter eggs, either raise your hand or stand up. I have my colleagues Ron and Kirtan in here. They'll come around and find you and give you a ticket. Come and see me afterwards and I will give you one of these prizes.

The next thing I have is the Lasso of Truth here from Wonder Woman, right? Nice strong, powerful woman, so we got to get this going. Rob, if I can have you come up here to help me test this Lasso of Truth, I would greatly appreciate that. All right, so go ahead, hold one end and I'll wrap it around you. Can you tell me the last time you were in Vegas at the Cosmopolitan, how much did you really lose on the Blackjack tables? Okay, so, Rob, I know you can't see this but it lights up. Wait a minute, we got to demonstrate if this works. A lot, okay? We won't disclose it here. On account of the drinking, more than I usually lose. Close enough, close enough. So, keep your eyes open for these Easter eggs. See if you can find them and if you want one, make sure that you stand up or raise your hands so that you can be seen.

Why PowerShell? We've had a couple of presentations already that have demonstrated how powerful PowerShell is.
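The abstract describes PowerShell scripts that carry several layers of obfuscation and mentions an open source Python script that automates the decoding. The decoder below is an added example written for this page; it is not the talk's script, Kroll's tooling, or any code from the original post. It assumes the layer stack most often seen in the wild: an `-EncodedCommand` argument (Base64 over UTF-16LE) wrapping a stub that carries a Base64-encoded gzip or raw-deflate stream. The function names (`peel_layers`, `build_sample`) are hypothetical, and the command it peels is constructed inline rather than taken from a real case.

```python
"""Peel common obfuscation layers off a PowerShell one-liner.

Added example, not the talk's or Kroll's code. Assumes three layer types:
-EncodedCommand (Base64 of UTF-16LE text), Base64 of a gzip or raw-deflate
stream, and a plain Base64-wrapped ASCII string. The sample is constructed.
"""
import base64
import binascii
import gzip
import re
import zlib

# A Base64 run long enough to be a payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# -e / -ec / -en / -enc / -EncodedCommand followed by the Base64 blob.
ENCODED_COMMAND = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I
)


def _b64(candidate):
    """Strict Base64 decode; None if the run is not valid Base64."""
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def _decode_bytes(raw):
    """Identify what the decoded bytes are and turn them back into text."""
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        # ASCII stored as UTF-16LE: every odd byte is NUL (EncodedCommand).
        return "base64+utf16le", raw.decode("utf-16le")
    if raw[:2] == b"\x1f\x8b":
        try:
            return "base64+gzip", gzip.decompress(raw).decode("utf-8", "replace")
        except (OSError, EOFError, zlib.error):
            return None, None
    try:
        return "base64+deflate", zlib.decompress(raw, -15).decode("utf-8", "replace")
    except zlib.error:
        pass
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return "base64+ascii", text
    return None, None


def peel_layers(command, max_depth=10):
    """Return [(layer_kind, text), ...] from the original down to the innermost."""
    layers = [("original", command)]
    current = command
    for _ in range(max_depth):
        match = ENCODED_COMMAND.search(current)
        candidates = [match.group(1)] if match else B64_RUN.findall(current)
        found = None
        for candidate in sorted(candidates, key=len, reverse=True):
            raw = _b64(candidate)
            if raw is None:
                continue
            kind, text = _decode_bytes(raw)
            if text is not None:
                found = (kind, text)
                break
        if found is None:
            break  # nothing left that decodes: innermost layer reached
        layers.append(found)
        current = found[1]
    return layers


# Constructed, benign innermost payload used only to exercise the decoder.
INNER_PAYLOAD = 'Write-Output "constructed inner payload, nothing malicious here"'


def build_sample():
    """Constructed sample: gzip+Base64 inside a stub, UTF-16LE+Base64 outside."""
    gz_b64 = base64.b64encode(gzip.compress(INNER_PAYLOAD.encode())).decode()
    stub = (
        "$b=[Convert]::FromBase64String('" + gz_b64 + "');"
        "$s=New-Object IO.MemoryStream(,$b);"
        "$g=New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress);"
        "IEX (New-Object IO.StreamReader($g)).ReadToEnd()"
    )
    outer = base64.b64encode(stub.encode("utf-16le")).decode()
    return "powershell.exe -NoP -W Hidden -Enc " + outer


if __name__ == "__main__":
    for kind, text in peel_layers(build_sample()):
        print(f"[{kind}] {text[:80]}")
```

Each entry in the returned list is one layer, so the examiner gets both the innermost text to analyse and a record of which encodings were stacked, which is what ends up in the timeline and in a detection note. The loop stops as soon as nothing in the current layer decodes, so a plain command such as `Get-Process` comes back as a single `original` layer.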