Virginia Beach 2015

Virginia Beach, VA | Mon, Aug 24, 2015 - Fri, Sep 4, 2015

Preparing for PowerShellmageddon - Investigating Windows Command Line Activity

  • Chad Tilbury
  • Tuesday, September 1st, 7:15pm - 8:15pm

There is a reason hackers use the command line, and it isn't to impress you with their prowess. Throughout the history of Windows, the command line has left far fewer forensic artifacts than equivalent operations via the GUI. To make matters worse, the transition to Windows 7 and 8 has spread PowerShell throughout the enterprise. While it makes our lives easier as defenders, it does the same for our adversaries. Every time you marvel at the capabilities of PowerShell, you should fear how your adversaries may use that power against you.

This talk will demonstrate how incident responders are countering the command line threat with real-world examples. Learn to identify when it is in play, extract command history, and see what is new on the horizon from Microsoft to make tracking command line and PowerShell activity easier.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Lunch & Learn: Short presentations given during the lunch break.

Monday, August 24

Session | Speaker | Time | Type
General Session - Welcome to SANS | Dr. Eric Cole | Monday, August 24th, 8:15am - 8:45am | Special Events
WHY? | Dr. Eric Cole | Monday, August 24th, 7:15pm - 9:15pm | Keynote

Tuesday, August 25

Session | Speaker | Time | Type
The Tap House | Phil Hagen | Tuesday, August 25th, 7:15pm - 8:15pm | SANS@Night

Wednesday, August 26

Session | Speaker | Time | Type
Adopting an Attacker Mindset with Core Impact Pro | Bobby Kuzma, Systems Engineer, Core Security | Wednesday, August 26th, 12:30pm - 1:15pm | Lunch and Learn
Card Fraud 101 | G. Mark Hardy | Wednesday, August 26th, 7:15pm - 8:15pm | SANS@Night

Sunday, August 30

Session | Speaker | Time | Type
General Session - Welcome to SANS | Dr. Eric Cole | Sunday, August 30th, 8:15am - 8:45am | Special Events
WHY? | Dr. Eric Cole | Sunday, August 30th, 7:15pm - 9:15pm | Keynote

Monday, August 31

Session | Speaker | Time | Type
Complete Application Pw0nage Via Multi-Post Cross Site Request Forgery (XSRF) | Adrien de Beaupre | Monday, August 31st, 7:15pm - 8:15pm | SANS@Night
SANS 8 Mobile Device Security Steps | Chris Crowley | Monday, August 31st, 8:15pm - 9:15pm | SANS@Night

Tuesday, September 1

Session | Speaker | Time | Type
Preparing for PowerShellmageddon - Investigating Windows Command Line Activity | Chad Tilbury | Tuesday, September 1st, 7:15pm - 8:15pm | SANS@Night

Wednesday, September 2

Session | Speaker | Time | Type
Need for Speed: Malware Edition | Anuj Soni | Wednesday, September 2nd, 7:15pm - 8:15pm | SANS@Night