Investigating PowerShell Attacks

Matt Hastings & Ryan Kazanciyan

Sun, 18th December 2016

Speaker Bio 1:
Matt Hastings is a Senior Consultant with Mandiant, a division of FireEye, Inc. Based in the Washington, D.C. area, Matt focuses on enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments, working with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations.

Speaker Bio 2:
Ryan Kazanciyan is a Technical Director with Mandiant, a FireEye company, and has eleven years of experience in incident response, forensic analysis, and penetration testing. Since joining Mandiant in 2009, he has led investigation and remediation efforts for dozens of Fortune 500 organizations, focusing on targeted attacks, industrial espionage, and financial crime. Mr. Kazanciyan also focuses on developing Mandiant’s investigative processes and technologies, and is a co-author of "Incident Response and Computer Forensics, Third Edition", released in 2014.

Learning Objectives:

Matt & Ryan will explain:

  • Over the past two years, we’ve seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments.
  • This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). This presentation will focus on common attack patterns performed through PowerShell and the sources of evidence they leave behind.