
Security Incident Response: Faster and Safer with PowerShell

Presentation transcript:

1 Security Incident Response: Faster and Safer with PowerShell
J. Greg Mackinnon | Windows Technical Lead, Windows Services | Information Technology Services, Yale University

2 Security Incident!
- How to probe compromised systems securely? Remoting protocols like WMI and WinRM, when used with Kerberos auth, avoid the hazards of credential harvesting.
- How can we discover the extent of the compromise? Traditional forensic techniques involve cloning of machines. Slow!!! WinRM is faster than WMI, and easier to access through firewalls.
- For the win... The code is in Github Enterprise, and shared with the ISO. They can pull it down on their own “walled garden” systems. They can modify the code (add scanning modules, or update regex strings in existing modules).
- An early use case... We won’t get into the code here, but a link to a fork project called “Spool-FTLDrive” can be found in the footnotes.
- DevOps tools like “Ansible” enable rapid data collection over WinRM... but Ansible gets mixed results on the Windows platform.
- PowerShell remoting can be fast, too... it’s a “simple matter of programming”. Supports multi-threading in the form of “Jobs”.

3 Start-FTLDrive: Inspired by Ansible
- Faster-than-Light! (Props to “Battlestar” for the PowerShell-friendly name)
- Rides on WinRM, PowerShell remoting, and PS Jobs
- Modules are just PowerShell: no C#, YAML, or T-SQL required.
- Most modules configured to run against PowerShell 2.0 or later (ability to scan legacy Server 2003 hosts from modern systems)
- Features: queue management function, modular action scripts, dead-host detection
- Discovery running against 800 hosts can complete in about 15 minutes (previous single-threaded processing took in excess of 8 hours.)
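The pattern slides 2 and 3 describe (Kerberos-authenticated PowerShell remoting, fan-out with PS Jobs, a queue limit and dead-host detection), as an added example. This is not the Start-FTLDrive project's code; the function name, the example module and the host names are constructed placeholders.

```powershell
# Added example (not Start-FTLDrive's own code): a minimal collector built on the
# pattern the slides describe. Host names and the module below are constructed.
function Invoke-FtlScan {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$Module,   # an action "module" is just PowerShell
        [int]$MaxParallel = 25,                        # queue depth: jobs allowed in flight
        [int]$TimeoutSec  = 300
    )

    # Dead-host detection: skip hosts whose WinRM listener does not answer, so they
    # never occupy a queue slot while a TCP connect slowly times out.
    $live = foreach ($h in $ComputerName) {
        try   { [void](Test-WSMan -ComputerName $h -ErrorAction Stop); $h }
        catch { Write-Warning "Dead host, skipped: $h" }
    }

    $jobs = @()
    foreach ($h in $live) {
        # Queue management: block until a slot frees before dispatching the next host.
        while (@(Get-Job -State Running | Where-Object Name -like 'ftl-*').Count -ge $MaxParallel) {
            Start-Sleep -Milliseconds 500
        }
        # Kerberos auth sends only a service ticket, never the analyst's password or
        # hash, so a compromised target cannot harvest a reusable credential
        # (unlike CredSSP, which delegates the full credential to the remote host).
        $jobs += Invoke-Command -ComputerName $h -ScriptBlock $Module `
                     -Authentication Kerberos -AsJob -JobName "ftl-$h"
    }

    # Collect: completed jobs yield objects stamped with PSComputerName; anything
    # else (Failed, or still Running after the timeout) is reported, not dropped.
    if ($jobs) { $null = Wait-Job -Job $jobs -Timeout $TimeoutSec }
    foreach ($j in $jobs) {
        if ($j.State -eq 'Completed') { Receive-Job -Job $j }
        else { Write-Warning ("{0}: job ended in state {1}" -f $j.Location, $j.State) }
        Remove-Job -Job $j -Force
    }
}

# Constructed example module: processes whose image runs from a user's Temp folder
# (evaluated on the remote host, since the scriptblock executes there).
$module = {
    Get-Process | Where-Object { $_.Path -like "$env:SystemDrive\Users\*\AppData\Local\Temp\*" } |
        Select-Object Name, Id, Path
}
Invoke-FtlScan -ComputerName 'srv01.example.edu', 'srv02.example.edu' -Module $module |
    Export-Csv -Path .\ftl-results.csv -NoTypeInformation
```

Swapping `$module` for another scriptblock is all it takes to add a scanning module; Kerberos requires that hosts be addressed by their domain names, not IP addresses.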

4 Where Can I Get It? How Can I Help?

