Completed
Intro
Class Central Classrooms beta
YouTube playlists curated by Class Central.
Classroom Contents
Investigating PowerShell Attacks
Automatically move to the next video in the Classroom when playback concludes
- 1 Intro
- 2 Background Case Study
- 3 Why PowerShell?
- 4 PowerShell Attack Tools
- 5 PowerShell Malware in the Wild
- 6 Investigation Methodology
- 7 Attacker Assumptions
- 8 Version Reference
- 9 WinRM Process Hierarchy
- 10 Remnants in Memory
- 11 How Long Will Evidence Remain?
- 12 Example - Simple Command
- 13 Example-Encoded Command
- 14 What to Look For?
- 15 Memory Analysis Summary
- 16 PowerShell Event Logs
- 17 Local PowerShell Execution
- 18 Remoting (Accessed Host)
- 19 PS Analytic Log: Decoded Input
- 20 PS Analytic Log: Encoded I/O
- 21 PS Analytic Log: Decoded Output
- 22 Logging via PowerShell Profiles
- 23 Logging via AppLocker
- 24 PowerShell 3.0: Module Logging
- 25 Module Logging Example: File Listing
- 26 Module Logging Example: Invoke-Mimikatz
- 27 PowerShell Persistence
- 28 Common Techniques
- 29 Persistence via WMI
- 30 Event Filters
- 31 Event Consumers
- 32 Enumerating WMI Objects with PowerShell
- 33 PS WMI Evidence: File System
- 34 PS WMI Evidence: Registry
- 35 PS WMI Evidence: Other Sources
- 36 Other Sources of Evidence
- 37 Lessons Learned
- 38 Acknowledgements
- 39 Questions?
