Session

PowerShell’s Return to Power

Over the past few years, we have seen offensive C# rise in popularity and use over PowerShell. This sparked a plethora of new offsec-focused C# tools and executables that bypass the watchful eye of the security community. However, this shift of focus has allowed attackers to learn new techniques to bypass and defeat the organic controls that Microsoft has put in place to protect the scripting application. We believe that PowerShell exploits and attack methods are still alive and well. With PowerShell still deployed on every machine by default, it remains a massive security hole for your organization, one that could allow an attacker to navigate your environment without ever needing to place an executable “on disk”. Using our own Red Team PowerShell scripts as examples, please join me as we discuss the following concepts.
• Advantages of PowerShell for an attacker
• AMSI and “signed script execution” bypassing
• Whitelist application bypassing
• Malware deployment / Shellcode loading
• How to prevent and detect these methods

Dahvid Schloss

Echelon Risk LLC, Director - Offensive Security, DEFCON Black Badge

Raleigh, North Carolina, United States
