PowerShell+ 2019 - Using Pester & ScriptAnalyzer for Detecting Obfuscated... by Daniel Bohannon

Channel: Confreaks (42,400 subscribers)
Video link: https://www.youtube.com/watch?v=VJ-tJdp1r4o


Using Pester & ScriptAnalyzer for Detecting Obfuscated PowerShell by Daniel Bohannon

Over the years as attackers have increasingly used PowerShell as an important piece of their offensive toolkit, the PowerShell Team has countered by building deep inspection capabilities into PowerShell that are not found in any other scripting language. However, as defenders began using this new visibility and significantly improving their detection of malicious PowerShell usage, attackers adapted their techniques.
As attackers turned to the heavy usage of specific obfuscation techniques, like those found in Invoke-Obfuscation and Invoke-CradleCrafter, to target certain aspects of PowerShell’s ScriptBlock logging, defenders once again had to match this offensive shift with their own shift in detection methodology.
Defenders have since turned to various data science approaches, like those built into Revoke-Obfuscation, to more robustly detect heavy PowerShell obfuscation. However, offensive projects like PSAmsi have in turn enabled attackers to apply selective obfuscation in minimal quantities, evading specific A/V signatures while staying under the "obfuscation threshold" of these newer data science approaches.
Come learn how PesterSec combines the power of ScriptAnalyzer and Pester to perform context-specific detections of minimally-obfuscated PowerShell commands and scripts. These platforms also highlight the ease of access to PowerShell’s Abstract Syntax Tree (AST) for any PowerShell practitioner.
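As an added illustration of the AST access the abstract points to, the module below implements two small context-specific checks (a backtick-escaped bareword command name, and a command name computed at run time behind `&` or `.`), exposes them as a PSScriptAnalyzer custom rule, and asserts on them with Pester. This is example code written for this page; it is not PesterSec's, Revoke-Obfuscation's or the speaker's code. The file and function names (ObfuscationRules, Find-SuspiciousCommandAst, Measure-ObfuscatedCommand), the two chosen patterns and the sample commands in the tests are this example's own assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 with the PSScriptAnalyzer and Pester 5 modules installed.

```powershell
# ---- ObfuscationRules.psm1 ----
# Added example, not PesterSec's or the speaker's code. Two context-specific
# checks over the PowerShell AST for command invocations that run exactly like
# the clean command but no longer contain its name as a contiguous string.
using namespace System.Management.Automation.Language

function Find-SuspiciousCommandAst {
    [CmdletBinding()]
    param([Parameter(Mandatory)][Ast]$Ast)

    foreach ($cmd in $Ast.FindAll({ $args[0] -is [CommandAst] }, $true)) {
        $first = $cmd.CommandElements[0]

        # Check 1: backtick-escaped bareword. The parser resolves Inv`oke-Expres`sion
        # to the value "Invoke-Expression", so Value differs from the raw source
        # text (Extent.Text) exactly when escape characters sit inside the name.
        # (When constructing samples, avoid positions that form real escape
        # sequences such as `n, `t or `e; the comparison itself is unaffected.)
        if ($first -is [StringConstantExpressionAst] -and
            $first.StringConstantType -eq [StringConstantType]::BareWord -and
            $first.Extent.Text -ne $first.Value) {
            [pscustomobject]@{ Rule = 'BarewordEscape'; Resolved = $first.Value; Extent = $cmd.Extent }
        }

        # Check 2: command name computed at run time behind & or . , e.g.
        # & ('Inv' + 'oke-Expression') or . ($parts -join ''). Legitimate code does
        # this too (& $scriptBlock), so this is a signal to weigh with context, not
        # a verdict. A quoted constant such as & 'Invoke-Expression' is deliberately
        # not flagged: its name is intact and a plain string signature still sees it.
        if ($cmd.InvocationOperator -ne [TokenKind]::Unknown -and
            $first -isnot [StringConstantExpressionAst]) {
            [pscustomobject]@{ Rule = 'DynamicCommandName'; Resolved = $null; Extent = $cmd.Extent }
        }
    }
}

# PSScriptAnalyzer custom-rule wrapper. Invoke-ScriptAnalyzer -CustomRulePath
# picks up exported functions whose single parameter is an AST node and that
# emit DiagnosticRecord objects.
function Measure-ObfuscatedCommand {
    [CmdletBinding()]
    [OutputType('Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord[]')]
    param([Parameter(Mandatory)][ScriptBlockAst]$ScriptBlockAst)

    foreach ($f in Find-SuspiciousCommandAst -Ast $ScriptBlockAst) {
        $msg = "$($f.Rule): '$($f.Extent.Text)'"
        if ($f.Resolved) { $msg += " resolves to '$($f.Resolved)'" }
        New-Object -TypeName Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord `
            -ArgumentList $msg, $f.Extent, $PSCmdlet.MyInvocation.InvocationName, Warning, $null
    }
}

Export-ModuleMember -Function Find-SuspiciousCommandAst, Measure-ObfuscatedCommand

# ---- ObfuscationRules.Tests.ps1 (run with Invoke-Pester; Pester 5 syntax) ----
BeforeAll {
    Import-Module "$PSScriptRoot\ObfuscationRules.psm1" -Force

    # Parse a constructed sample command and return the findings as an array.
    function Get-Findings([string]$Code) {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseInput($Code, [ref]$tokens, [ref]$errors)
        if ($errors) { throw ($errors.Message -join '; ') }
        @(Find-SuspiciousCommandAst -Ast $ast)
    }
}

Describe 'Minimal obfuscation checks' {
    It 'flags a tick-escaped command name and recovers the real command' {
        $f = Get-Findings 'Inv`oke-Expres`sion $payload'
        $f.Rule     | Should -Contain 'BarewordEscape'
        $f.Resolved | Should -Contain 'Invoke-Expression'
    }
    It 'flags a concatenated command name behind &' {
        (Get-Findings "& ('Inv' + 'oke-Expression') `$payload").Rule | Should -Contain 'DynamicCommandName'
    }
    It 'stays quiet on the unobfuscated command' {
        Get-Findings 'Invoke-Expression $payload' | Should -BeNullOrEmpty
    }
    It 'surfaces the same finding through Invoke-ScriptAnalyzer' {
        $r = @(Invoke-ScriptAnalyzer -ScriptDefinition 'Inv`oke-Expres`sion $payload' `
                 -CustomRulePath "$PSScriptRoot\ObfuscationRules.psm1")
        $r.Count | Should -BeGreaterThan 0
        $r[0].RuleName | Should -Match 'Measure-ObfuscatedCommand'
    }
}
```

Save the two sections as the files named in the comments and run `Invoke-Pester .\ObfuscationRules.Tests.ps1`. The point of the first check is that the parser has already done the de-obfuscation for you: `Value` is what PowerShell will execute, `Extent.Text` is what the attacker typed, and the gap between them is the detection. Because each check yields the node's extent, the same finding can drive a Pester assertion in a test suite or a DiagnosticRecord in an analyzer run without re-parsing.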

PowerShell Summit videos are recorded on a "best effort" basis. We use a room mic to capture as much room audio as possible, with an emphasis on capturing the speaker. Our recordings are made in a way that minimizes overhead for our speakers and interruptions to our live audience. These recordings are meant to preserve the presentations' information for posterity, and are not intended to be a substitute for attending the Summit in person. These recordings are not intended as professional video training products. We hope you find these videos useful - the equipment used to record these was purchased using generous donations from members of the PowerShell community.



