Octavio Paguaga (@oaktree_) is a pentester, network security instructor, ArcSight admin, and network engineer. While his interests started in securing wide and local area networks (WAN/LAN), his work has taken him away from Cisco products and towards Microsoft environments (servers and clients). He is an active member of NovaHackers and works with RVAsec building their CTF. Outside of security he enjoys outdoor hobbies away from a terminal prompt.
Pow Pow Pow Powershell!
The talk will be a combination of the training recently given at BSides DC and BSides Delaware (https://github.com/git-oaktree/bsidesdc), but at a faster pace and covering more defense. Whatever the skill level of the participants, I want to make sure that both beginners and more experienced attendees leave with tools and resources they can use to continue learning.
If I were to give this presentation today, the flow would be:
1) Introduction of speaker and language
2) Reference to resources I have found valuable
3) Examples: Let's do a pen test. How do we enumerate users and groups? The difference between remote WMI and WinRM. Ways of maintaining persistence (using the registry).
4) Defense side. How to stop PowerView and BloodHound. Logging and its various levels (transcription, script block logging, and event forwarding).
5) Defense/offense: Overview of PowerShell 5 features such as AMSI (PowerShell's antivirus inspection interface) and constrained language mode. "Just Enough Administration" (JEA), which is a way to create roles and profiles so that staff have access only to the tools necessary to perform their duties.
Talk Will Be Recorded