Jeff Hamm (USA)

Topic of presentation: What the Shell? Powering through PowerShell Forensics (Regular Talk)

PowerShell is a command-line shell and scripting language built into modern Windows operating systems and commonly used for remote administration. It is a powerful tool for network administration and scripting, and it can also be used to gather artifact evidence across an enterprise network. In this session, the attendee will see basic uses of PowerShell to gather data, what traces the use of PowerShell leaves behind, and how to analyze that data. Finally, the presentation will walk through a case study of an attack that leveraged only PowerShell and Metasploit PowerShell scripts to compromise a bank's network, move laterally through multiple domains, and ultimately transfer funds out of the bank using SWIFT transactions.
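The abstract mentions collecting evidence with PowerShell and analyzing the traces PowerShell itself leaves behind. The script below is an added example written for this page, not material from the talk or its author. It triages three artifacts on a Windows host: Script Block Logging events (ID 4104 in Microsoft-Windows-PowerShell/Operational), the legacy Windows PowerShell log (IDs 400/403, whose HostApplication field records the command line, including any -EncodedCommand blob), and each user's PSReadLine console history. The keyword list, the 7-day window, and the log-and-path locations are assumptions to tune for your environment; Script Block Logging must already be enabled for 4104 events to exist.

```powershell
# Added example (not from the talk): triage PowerShell artifacts on one host.
# Assumptions: PowerShell 5.1 or later, elevated prompt, Script Block Logging
# enabled (otherwise the 4104 query simply returns nothing).

# Hypothetical starting keyword list; Metasploit-style launchers commonly
# combine -nop, -w hidden and an encoded command, so those are included.
$Suspicious = @(
    'EncodedCommand', '-enc ', 'FromBase64String', 'DownloadString',
    'Invoke-Expression', 'IEX', 'Invoke-Mimikatz', 'Invoke-Shellcode',
    '-nop', '-w hidden', 'Net.WebClient', 'Net.Sockets.TCPClient'
)

function Get-ScriptBlockHits {
    param([int]$Days = 7)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104: Properties[2] = ScriptBlockText, [3] = ScriptBlockId, [4] = Path
            $text = [string]$_.Properties[2].Value
            $hit  = $Suspicious | Where-Object { $text -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    BlockId  = $_.Properties[3].Value
                    Path     = $_.Properties[4].Value   # empty for interactive input
                    Matched  = ($hit -join ', ')
                    Preview  = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

function Get-DecodedEncodedCommands {
    param([int]$Days = 7)
    # Engine lifecycle events exist even without Script Block Logging.
    $filter = @{ LogName   = 'Windows PowerShell'
                 Id        = 400, 403
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'HostApplication=(.+)') {
                $cmdline = $Matches[1]
                # -e, -ec, -en, -enc and -EncodedCommand all take the same
                # base64 of a UTF-16LE string; -ex (ExecutionPolicy) is excluded.
                if ($cmdline -match '-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
                    try {
                        $decoded = [Text.Encoding]::Unicode.GetString(
                            [Convert]::FromBase64String($Matches[1]))
                    } catch { $decoded = '<not valid base64>' }
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Host    = $cmdline
                        Decoded = $decoded
                    }
                }
            }
        }
}

function Get-ConsoleHistory {
    # PSReadLine keeps per-user interactive history in plain text.
    $pattern = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    Get-ChildItem $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $user = $_.FullName.Split('\')[2]     # C:\Users\<user>\...
        Get-Content $_.FullName | ForEach-Object {
            [pscustomobject]@{ User = $user; Command = $_ }
        }
    }
}

# Emit everything as objects so the caller can sort, filter or export them.
Get-ScriptBlockHits
Get-DecodedEncodedCommands
Get-ConsoleHistory
```

Because the script returns objects rather than text, it can be run across many hosts with `Invoke-Command -ComputerName $hosts -FilePath .\Triage.ps1 | Export-Csv triage.csv`, which is the enterprise-wide collection pattern the abstract alludes to. Two caveats a practitioner should keep in mind: the keyword matches are a starting point for review, not a verdict, and an attacker running as administrator can clear these logs, so the absence of 4104 hits is only meaningful if the log's retention and size are known.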