PowerShell Audit Logging: Catch Intruders Living off the Land

Presented by

Randy Franklin Smith: Windows Security Subject Matter Expert. Greg Foss: Sr. Security Research Engineer, LogRhythm, Inc.

About this talk

PowerShell is like nuclear fission—it’s powerful, and it can be used for good and evil. The bad guys love to exploit PowerShell for at least three reasons: 1. It’s already installed on most versions of Windows. 2. It’s powerful. You really can do just about anything in PowerShell—even call into the Win32 API if enabled. 3.There are no EXEs or DLLs to upload. Lee Holmes (Microsoft’s PowerShell extraordinaire) will be joining me to show you how to catch intruders exploiting PowerShell to their own ends. First, we will provide a brief overview of PowerShell security capabilities especially enhancements in PowerShell 5.0t. There are some really good preventive steps you can take to limit your exposure to PowerShell-related risks. And PowerShell 5.0 is available on Windows 2008 R2 SP1 and Windows 7 SP1 and up, so this isn’t vaporware. Then we will zero in on the auditing capabilities in PowerShell. We’ll show you how to enable PowerShell logging so that you get events for every script block executed. We’ll show you sample events and discuss how to interpret them, how to filter the noise and more. I’ll also briefly point out some less powerful, but easy-to-implement techniques for just detecting the use of PowerShell itself using Process Tracking events. This can be useful for highly controlled endpoints where use of PowerShell at all is very limited and easy to recognize if PowerShell is being used in an unusual way. Of course producing valuable audit data is one thing. Collecting, analyzing and alerting on it is another. And that’s where our sponsor, LogRhythm, comes in. The security experts at LogRhythm have been following the increased exploitation of PowerShell by the bad guys and been publishing their own tips on how to combat. Greg Foss will briefly demonstrate LogRhythm’s built-in knowledge of PowerShell and its ability to correlate PowerShell events with all the other security intelligence LogRhythm collects from your enterprise.

Related topics:

More from this channel

Upcoming talks (0)
On-demand talks (94)
Subscribers (8178)
Notice: LogRhythm APJ channel has moved! Please note that this channel will not be updated with new content from 31 December 2020. We invite you to our new and improved LogRhythm channel, which can be accessed here: https://www.brighttalk.com/channel/12099/ At LogRhythm, we strive to provide our users and subscribers with the latest security tips & tricks available on-demand. Check out our latest talk: How to build an effective security program with limited resources: https://www.brighttalk.com/webcast/12099/460817