Daniel Bohannon is a principal applied security researcher with FireEye’s advanced practices team with over eight years of operations, security and incident response consulting experience.
He is the author of Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation and co-author of the Revoke-Obfuscation detection framework. He has presented at numerous conferences including Black Hat USA, DEF CON, DerbyCon and BlueHat.
Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology (2013) and a Bachelor of Science in Computer Science from the University of Georgia (2010). His primary research areas include obfuscation, evasion and methodology-based detection techniques for endpoint and network applied at scale.
Follow on Twitter @danielhbohannon
Malicious Payloads vs Deep Visibility: A PowerShell Story
10:10 - 11:00 a.m. CDT
For over a decade PowerShell has empowered administrators, DevOps practitioners and automation enthusiasts to accomplish significant tasks with relative ease. However, malicious threat actors have also harnessed PowerShell’s capabilities by writing extensive offensive tools and frameworks in PowerShell.
The PowerShell team has countered these malicious trends with adding numerous defensive enhancements to PowerShell including extremely deep logging visibility (like ScriptBlock, Module and Transcription logging) as well as blocking capabilities and interfaces like the AntiMalware Scan Interface (AMSI).
This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation will highlight forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provides security practitioners to defend their organizations against the latest attacks that utilize PowerShell.
So if you are new to security or just want to learn about how attackers have used PowerShell in their attacks, then this talk is for you. If you want to see what obfuscated and multi-stage, evasive PowerShell-based attacks look like under the microscope of PowerShell deep inspection capabilities, this talk is for you. And if you want to see why these security advancements to PowerShell are causing many attackers to shift their tradecraft development away from PowerShell, this talk is for you.