Thursday, June 8 • 2:00pm - 2:50pm
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join '')

PowerShell is increasingly being used by advanced attackers and script kiddies alike in targeted attacks, commodity malware, and even ransomware. The most common usage involves PowerShell remotely downloading and running payloads entirely in memory, rendering many traditional detection mechanisms useless.

Detection has increasingly shifted to monitoring for this malicious activity via process command-line arguments and parent-child process relationships. While this is a significant improvement, there are numerous evasion techniques of which both the Red Team and the Blue Team should be aware.

For the past 1.5 years I have researched PowerShell obfuscation, evasion and advanced detection techniques. Picking up from where I left off in my recent presentations on Invoke-Obfuscation, in this presentation I will highlight my new tool, Invoke-CradleCrafter. Additionally, I will introduce a new family of PowerShell obfuscation techniques and show how they can be applied to several new and obscure families of remote download cradles.

Speakers
Daniel Bohannon

Senior Incident Response Consultant, MANDIANT, A FireEye Company
Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation...


Thursday June 8, 2017 2:00pm - 2:50pm
Richmond Salons