
PowerShell pew pew pew: Skillz 4 blue team

BSides Columbus · 2020 · 48:51 · 150 views · Published 2020-08
Speakers: Ashley McGlone
About this talk
Blue teams can turn the tables on red teamers who rely on commodity PowerShell attacks by enabling Windows logging features: transcription, module logging, and script block logging. This talk covers how to implement these defenses on Windows PowerShell and PowerShell Core (macOS/Linux), demonstrates detection of encoded and obfuscated commands, and addresses deployment gotchas like Citrix incompatibility and log hardening.
Original YouTube description:
Tired of the red team taking your lunch money with commodity PowerShell-based attacks? Learn how to track every move they make with Windows features like transcription, module logging, script block logging, and a few other tricks. Do the same in the latest PowerShell Core on macOS and Linux. Find out about a few gotchas before implementing company-wide. Learn it directly from a former Microsoft insider. Leave with free techniques you can use today.
Transcript [en]:

Good morning, BSides Columbus. Welcome to the blue team session, "PowerShell pew pew pew: Skillz 4 blue team." My name is Ashley McGlone; I'll be your tour guide today. Are you tired of the red team taking your lunch money with commodity PowerShell attacks that have been available for several years now and are quite common? I'm going to show you a way that you can turn on the black light, so to speak. You've watched these CSI shows where they have the black light that shows you all the evidence. Well, here we go: we're going to show you some evidence today with PowerShell.

A little bit about myself. My name is Ashley McGlone, I live here in Columbus, and my resume includes companies like Toyota and Microsoft, and now Tanium. That's where I've been now for about three years, at Tanium, doing security at scale.

So let's dive right in. Today we're going to talk about how we got here with PowerShell malware, and then we're going to look at the Windows PowerShell policies. Then I also want to talk about PowerShell Core, which is the cross-platform PowerShell, and how you can do the same policies there, because PowerShell Core has been out for several years now and is starting to gain momentum, and we don't want attackers bypassing your traditional Windows PowerShell policies with Core. So I want to show you how to do that as well, and then I'll share some free resources with you at the end, as well as a demo in there.

So, a brief history of PowerShell security: how did we get here? 2003: PowerShell was announced as Project Monad at the PDC, the Professional Developers Conference, years ago. 17 years ago, wow. 2006: PowerShell 1 was released. 2008 was the first security-oriented blog post from the PowerShell team at Microsoft, and basically the point was that execution policy in PowerShell is not a security feature. All right? It's easy to bypass; it's designed that way out of the box. You can check out that blog post for more info. 2008, 12 years ago, all right.

2013: another blog post, PowerShell security best practices, coming out of Redmond. All right, 2015. This was massive. If you've not read this blog post yet, you need to go find it: "PowerShell ♥ the Blue Team." This was written by Lee Holmes when Windows 10 dropped, and they put in a massive amount of logging and fingerprints so that you can track exactly what's happening in PowerShell. This is huge. There were some earlier attempts at this, but this became the de facto standard out of the box with Windows 10, and available down-level on older versions with a Windows Management Framework install. Massive 40-50 page white paper. I want you to go read that, because that's a foundation for a lot of what we're going to do today. And by the way, if you've not seen Lee Holmes's DerbyCon talk from last year, I would encourage you to check it out too, because he tells the story of how we got to this point of wanting to make PowerShell a better world for everyone.

But that same year, 2015, PowerShell Empire premiered at BSides Las Vegas. Most likely this is in your daily toolkit. PowerShell Empire was a plug-and-play framework that would allow you to extend it with additional toolkits, and it made it really easy and really turned PowerShell malware into a commodity. And after that, then we saw another blog post from the PowerShell team. This was Paul Higinbotham and Lee Holmes talking about a comparison of shell and scripting languages, proving with that green bar across the middle that PowerShell is the most secure solution out there, really, when it comes to scripting languages. I'll talk about this a little bit later, but in environments where leadership decides, "Hey, we need to turn off this PowerShell thing, I heard it's bad," and just shuts it down across the entire environment, what that really says is, "Hey, let's go use some other insecure scripting or automation framework that we can't track." So you don't want to do that. You want to actually use PowerShell to your advantage in that way.

And then 2017, Matt Graeber, a popular security researcher, he says, look, because of this new logging, it is so good, I'm moving on to other languages where they can't track me, right? And the industry kind of followed. And the other point that he made there is, look, you can burn PowerShell with fire in your org, but that doesn't bother me. PowerShell is not the reason people get owned. Okay? PowerShell is usually not the point of entry. Maybe it's dropped in a phishing attack, but it's not the point of entry, typically. So that's what you need to keep in mind: PowerShell itself is very secure, but when people misuse it, that's when it becomes a problem. That's what we're going to talk about here.

So, 2018: PowerShell Core was released. This is cross-platform: Windows, Mac, and Linux. And it has the security policies built in that we used over on the Windows side as well, so those policies are still there. We're going to walk through each of those. Last year the announcement came out by Zawyer that PowerShell Empire is officially dead, and at the same time you saw a number of new tools emerge. However, there is another group... obviously PowerShell Empire is open source, it's out on the web, and there's another group that's got a repo where they're continuing development on PowerShell Empire. But the original founders of it declared it dead. But it's not dead, because in the headlines every day of the week you can still read where PowerShell script is quite common in malware attacks today, across the enterprise, across the entire industry. Because once it's out there, it's out there, and people are going to use the path of least resistance, and PowerShell malware is easy now to obtain and use with little training or effort. So that's why we have to guard against it, right? Also, a lot of people are struggling just to identify malicious PowerShell in the environment. That's why I'm doing this session today: I want you to know what tools you have at your disposal.

This tweet by Naked Security said, hey, what if you could eliminate one file type on the network, what would it be? And the majority, 34%, said PowerShell, .ps1, saying we need to eliminate that. Again, that's the wrong mindset. I want to teach you today how to monitor what's being done in PowerShell so you can use it to your advantage.

2020, this last January, during the Iran cyber attack concerns, there was some guidance coming out of US-CERT that was both helpful and not so helpful. In this US-CERT bulletin, on one side they said turn off VBScript and PowerShell, and turning off PowerShell is really not the best thing you want to do, like I said. But then they did give you a list of recommendations for mitigation and detection that are all valid. And Lee Holmes says, look, you know, there are a lot better ways to do this; PowerShell can be a great honeypot. So you don't want to turn it off entirely in the environment. So even as recently as just this last January, I know when I was investigating some of the methods used in these attacks, they were literally just commodity PowerShell with a couple of twists. So it was really emphasizing the reason why, even though Empire is dead, we need to continue to investigate and monitor these techniques.

So as we get going here, something you need to be aware of is there are different PowerShell editions now. There's Windows PowerShell, which has been built in since Windows 7 and 2008 R2 out of the box, but you want to upgrade that. If you've got old machines, make sure you get them upgraded. Windows 10 ships with version 5.1 of Windows PowerShell out of the box. Okay, I'm being specific there for a reason: that version of PowerShell was "complete," as Microsoft likes to say. That means there's no new development going into it. It's achieved a stability level similar to Python 2.7, where there's not going to be any real development outside of bug fixes going into that. And so PowerShell Core then started an open beta in 2016, but then it was released in 2018. Now we're up to PowerShell Core version 7.0.2 as of this recording: Windows, Mac, and Linux. You can see here in the screenshot you've got $PSVersionTable, which will report to you the PowerShell edition and also the version and the platform that you're running on. There are also some variables that will tell you, am I running on Linux, macOS, or Windows, true or false. So there's OS awareness built into PowerShell Core. Oh, that's also available on ARM, so I've run this on a Raspberry Pi as well, back in 2016 when it launched. So, pretty legit stuff. pwsh is your shell now; you can run that on Windows, Mac, and Linux. I drive a Mac every day for work, and I use PowerShell quite frequently. I wouldn't say every day, but at least weekly I'm using PowerShell on my Mac for, you know, processing JSON files and different things like that, automating tasks. So this is open source now, PowerShell Core. You can go out to GitHub, PowerShell/PowerShell, and they also have, the third Thursday of every month, an open PowerShell community call. Go check it out. You can actually get to interact directly with the product team at Microsoft who's in charge of PowerShell. I would encourage that.

So let's talk about how to do PowerShell security. Again, that's the background, how we got here. It's a new field. We've got multiple types of PowerShell editions now, not just Windows anymore, to be concerned with. And one of the things about that you need to be aware of is they can have what they call PowerShell upgrade attacks as well as downgrade attacks. So PowerShell v2 on Windows 7 did not have the logging we're about to talk about. pwsh, the new PowerShell Core edition, most likely has slipped under the radar and doesn't have logging configured either. So you want to make sure logging is configured everywhere that you've got PowerShell enabled.

So how do we do that? The PowerShell hygiene strategy is going to include, number one, making sure all your older machines have at least PowerShell 5.1 on them. So that's your baseline for your older Windows 7 and 2008 R2 servers, all right, even your 2012 and 2012 R2: get them all up to Windows PowerShell 5.1. And then there is an OS feature for the v2 engine; you can disable that, you don't need it. And then what we're going to focus on primarily today is implementing and monitoring the logging and transcription, which is turning on the black light, so to speak, so you can see what's happening. But you also want to use remoting to your advantage. Enable that; it uses all the Windows permissions and protections. But also don't forget that in your firewall rules in Windows you can then allow the WinRM port, 5985, specifically, restricting that to certain firewall destinations, right, certain IP ranges, whatever. So you can restrict remoting, and there are even tools within PowerShell to restrict remoting further. And then to actually get to the blocking phase, you would use AppLocker, Device Guard, or, out of the box, AMSI. And also be careful with AMSI, because if you're not using Windows Defender, not all Windows AV products will tie into AMSI. That's the Antimalware Scan Interface; it's working for you every day. And yes, there are bypasses for everything I'm going to talk about today, but a layered defense is your best strategy.

So, feature matrix. Basically what I wanted to mention here, I've kind of covered most of this. The main point here is that the Windows logging and transcription I'm going to talk about today are built in on Windows 10 and above, Server 2016 and above, and PowerShell Core when you install it. However, you have to enable the logging; there's an additional step that you have to take, and that's what I'll make sure you take away today. So upgrade your stuff.

So real quick, we're going to go through these in a demo in a second, but module logging is also known as pipeline execution or execution logging, and so you're going to see module commands in PowerShell, the parameter binding that happens as they're executed, in the logs. Script block logging: you're going to see whole blocks of code as they're executed appear in the logs. Transcription is literally a text file output of what commands were run and what output was generated. And all of these techniques that I'm explaining to you, those first three, all work on code that was interactively typed or run in memory from an administrative tool or a hacking tool. Anywhere that code executes, it's going to be logged. And then PSReadLine command history: PSReadLine is a module that comes out of the box with PowerShell, and it basically gives Windows folks a Unix-like command history experience that's persistent between sessions. So you can look at that file to see what interactively typed commands could have been malicious as well. And then finally we've talked about the Antimalware Scan Interface.

So I'm putting this chart in here for your reference. I don't want to get into the details here too much, and for the sake of time we're going to do this in the demo shortly, but suffice it to say there are multiple Windows event log locations, as well as syslog if you're doing PowerShell Core on Mac and Linux. And so there are paths here you can see: where the policies are defined for transcription in the registry, which Windows logs you want to monitor, and which event IDs you want to look for to see where those things are popping in your environment.

So, policies on Windows. Using Group Policy, you can set these policies under Administrative Templates for Windows on both the user and computer side. Obviously it only makes sense to set this on the computer side for all users. In Group Policy you go and set those, and then you'll see there, this is a little local version of the Group Policy editor here. But sometimes Active Directory environments are complicated, you've got non-domain machines, and so if you want to automate this at scale you can simply just run a script that will drop the registry values into the policy path under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and then these different module logging, script block logging, and transcription keys. So I've got some scripts that'll help you with that in a little bit here. So: Group Policy, the registry, or through the GUI tool.

PowerShell Core now. I want to be careful. As I was looking at this in my lab over the last few months, I noticed that when you install PowerShell Core on Windows (this is not a thing on Linux or Mac, but on Windows specifically), you have to make sure, whether you're doing the GUI install or the behind-the-scenes MSI package command lines (this is all documented in a link out of Microsoft on how to install PowerShell), that you register the event log manifest. When you look in the $PSHOME directory you'll see a PowerShell.Core.Instrumentation.dll, and the Install-PowerShellRemoting, InstallPSCorePolicyDefinitions, and RegisterManifest scripts. Those scripts are called when you check these boxes over here in the install, or supply these flags. Make sure, if you're deploying PowerShell Core in your enterprise, that you enable that, because that's going to give you the event log that we're going to look at in a minute for PowerShell Core.

So what does that look like in policy then? How do I set the policies for PowerShell Core? All right, let's talk Windows first. So in the $PSHOME directory you'll see there's a script, InstallPSCorePolicyDefinitions, which has an ADMX Group Policy template. That Group Policy template then will add... now notice this is no longer Windows PowerShell, this is PowerShell Core. So they've dropped the Windows name, and so now you have a second location for policies in Group Policy Management called PowerShell Core, with settings that you can apply that look identical, with one exception: if you already have the policy set for Windows PowerShell, you can simply check a box in each one of these to use the Windows PowerShell policy setting, so it would mirror whatever settings you had configured on the Windows PowerShell policy side. I know that might be confusing; re-watch the video a couple of times if it needs to sink in. But there are now two places for policy configuration, because it's no longer Windows PowerShell; PowerShell Core got a separate place in the registry and a separate place in Group Policy. So now under Policies\Microsoft\PowerShellCore we'll see some of those same settings in the registry as well.

Now if you're doing this on macOS or Linux (and you can even do it this way on Windows PowerShell as well), again, in the $PSHOME directory you look for JSON files, and there's a powershell.config.json. If the file is not there, most likely you can create it. And so then in that powershell.config.json file you can provide these settings, which will be in the slide notes later for you. And so this is JSON saying, hey, turn on script block logging, turn on module logging for all modules, turn on transcription and write it out to this /var/tmp directory, which is a persistent temp, right? That's important there: if you write it, make sure you write it to the correct temp directory that will be persistent. All right, so you can turn on those policies in PowerShell Core as well.

Now, I tweeted this screenshot back in December as I was looking at the preview of PowerShell 7, but it basically kind of puts it all together on a Windows machine using the JSON PowerShell config. So under Program Files\PowerShell, now just \7, no preview, you see your powershell.config.json file. It's got these policy settings in the JSON. You run your malicious PowerShell command here as an encoded command, and what you see behind you, in the event log, is the plain text of the command that was executed behind the scenes, behind that encoded command, as event 4103 or 4104. Then in the PSTranscripts directory I open up the date-stamped folder, and in there I'll see files which will have a full transcript of the command, the user it was run under, the process ID, all that good juicy forensic data that you would need to investigate a PowerShell attack. It's all there. This is PowerShell Core, but the same thing applies to Windows PowerShell: same logs you're going to look for, except the location in the registry or in Event Viewer is going to be slightly different. We'll take a look at that.

So, pro tip here: when you're making changes to PowerShell policy, you need to make sure that you log out of your PowerShell session and open a fresh one, because PowerShell policy settings are cached in the PowerShell session when it's created in memory, when it's instantiated. So if you're changing PowerShell policy settings and you're not seeing the logging happen the way you expect it to, it's probably because you need to exit that PowerShell session and then come back into it, and then as you make changes you'll see that hit the logs. So that's one important thing you need to be aware of as you're working with this.

So let's do some demos here. Let's take a look here at Windows PowerShell. So here I am on a Windows box. I've got the Windows PowerShell command environment, and I've also got the PowerShell Core that I'll spin up here. So here in Windows PowerShell I can type things like Get-Process, right, ID 0, and there's our Idle process. All right, run commands, you know, whatever you want to do. And let's go grab a malicious PowerShell encoded command here, and what we'll do is I'm going to drop this into the command prompt, and I'm going to run it both as powershell, which uses the PowerShell engine (oh look, it changed my font size), and then I'm also going to run it with pwsh, which is the exact same kind of syntax here. Let's see, get that in there. All right, so, demo fail. Let's pull up a fresh command prompt here. There we go, and let's paste that guy in. Come on, edit and paste. Oh well, let's try this one last time here. There it is, there's my PowerShell Core. So what we've done is we've done an encoded command. We cannot see it: if you're using command line logging, all you would see is the encoded command; you wouldn't know what was in there. It's Base64. You decode the Base64, but then it could still be obfuscated. So this is going to show you what happens in memory. All right, so we've run it in both PowerShell Core, pwsh, and in powershell. So we've introduced some malicious code. Let's go take a look.

So you'll notice here in the registry we have the Windows policy set, for example transcription, script block logging, module logging, and then up here under PowerShell Core we have module logging, script block logging, and transcription turned on. So those are turned on. Now we can go look and see where they occur, but let's take a look also at a couple of other freebies we get here. So if I type Invoke-Mimikatz on a Windows 10 box, see: "This script contains malicious content and has been blocked by your antivirus software." I want to point out something: if you don't see this message, that it has been blocked as malicious, that means that the Antimalware Scan Interface, or AMSI, is not enabled on your machine. Certain third-party AV... if you disable Defender, you're disabling AMSI, and you're opening yourself up; this is basic protection built into Windows 10. Be sure that your AV provider supports AMSI, for that reason alone. So Invoke-Mimikatz is there, but there's no command on that; that command has no module installed on the machine, but just the name of that command is popular enough that it knows to block it.

I also want to show you PSReadLine history. So if I say Get-Module, see what we've got: notice the PSReadLine module is loaded in the background by default. It includes some commands, Get-PSReadLineOption, and we can see the options for PSReadLine, which include how many history commands to remember and where am I going to stick this. And the thing I like about this is it puts it in the user's AppData path on Windows. It puts it in another location on Mac and Linux, but here it's in my AppData path. So now I have a console history session of every interactively typed command in PowerShell. Now be aware, it's easy to just unload the module when you start your session, okay? If you're malicious you may do that, but most everyday users wouldn't know to do that, so it's going to record anything that they do. So what I can do then is I can say Get-Content, which is the PowerShell version of cat, and I can tell it to use (Get-PSReadLineOption).HistorySavePath, so it pulls in the path, opens the file, and shows me all the commands that were interactively typed on that machine. There are the commands that we just typed a few minutes ago. All right, so the only problem with this file, however, is there's no date stamping on the commands that were run. So it is a fingerprint location you can look at for PowerShell activity; just know there's no date stamping in there. So that's running commands on the PowerShell side. Then over here in Core I can do the exact same thing we just did there.

Now let's go take a look under PSTranscripts here. Let's start with the PSTranscript and today's date, and notice here there's a number of transcript files. Let's pick one and see if we got the right thing. There it is, yep. So if we go in here and we zoom in, let's zoom in and take a look. Here's a PowerShell transcript file that shows me the date and time it was run, the user context, and if it's a remoting session it will tell me the user ID it was run under. It tells me the Windows computer name; the host application, in this case, is the encoded command. It shows me the process ID and the version, all that. It shows me here's the actual Invoke-Expression. It's just for demonstration purposes, but this was further obfuscated in the code that it was actually in, in that encoded command. So while you're looking at Invoke-Expression here, you'll note that in this case the Invoke-Expression was the result of other obfuscated code, and the output was just "pew pew pew PowerShell pwned." And then you see headers here for the time that that command ran. So this is incredibly valuable forensic information for investigation. You'll see the exact same thing happen with PowerShell Core; it will put it into the transcript path that you specify.

I'm also then in the Windows event log. What we want to look at is under the Windows application logs, PowerShell. Here you'll see 4103. Let's refresh this view and let's take a walk down through these event logs until we find our "PowerShell pew pew pew," and we're looking for 4103, which is module logging, and 4104, which is script block logging. And because I'm kind of doing this demo on the fly, I should probably go back and look for a timestamp, maybe, but anyway, what you're seeing here is you can see each command as it's being run, the parameters that are being bound to that command as it's executed. For PowerShell parameters are... okay, keep going. There's our Invoke-Mimikatz output in the console. I'll keep going and we'll look for "pew pew pew." Should be coming up. There it is, yeah, 4103. So here's the output of the command in the Windows event log. There's the same thing that we saw in the transcript earlier, all the metadata about the session that makes it interesting for us. That's in the 4103 module logging. We can also see that in 4104 script block logging, and again the benefit here is it doesn't matter how the code was executed, you're going to see the output in the logs. Similarly, if I scroll up to the PowerShell Core log here, so under my logs now I have PowerShell Core on the left as well, if you've installed pwsh. Same thing here: I can look at 4103, there it is, "pew pew pew," same metadata. So make sure that if PowerShell Core is being used in your environment, you install it with that manifest switch too, so this log gets turned on on Windows. And we'll see the same thing with 4104 script block logging. So there we have it on a Windows machine.

Now let's pivot over to the cross-platform world with a CentOS box here. So here $PSVersionTable... actually I don't have it, my logo. So I've got an SSH session to my CentOS box, pwsh, and now I've got PowerShell already installed there. The installation directions are on the Microsoft website, or that GitHub PowerShell/PowerShell. And so here I'm running PowerShell now on a CentOS box. $PSVersionTable tells me this is the PowerShell Core edition; the version is 7.0.2, the exact same version it was running on my Windows box. I also have it on my local Mac here as well. So here I am, and what I want to do is change into the $PSHOME directory, which sends me to the installation path for PowerShell. And here, watch this, just for fun: normally we would do an ls; I'm going to do a dir on a Linux machine just to mess with people, dir *.json, and here is a Windows-style directory listing on a Unix box. Hilarious. Anyway, inside there, for everybody else, I can do ls *.json. All right, there it is: powershell.config.json. Cat that file, powershell.config.json, and you'll see here is our policy set on this box, with script block logging. We don't do the invocation option typically, but we do enable script block logging. We do enable module logging for all modules here, and then enable transcripting to /var/tmp, and you just pick your path; PSTranscripts is what I picked. So transcription, and module logging also. The transcription is going to come out in this path; the module logging and script block logging are going to come out in syslog, which we'll take a look at here.

So here again, Invoke-Mimikatz is not even a thing on the Unix platform. There's not that much malware on PowerShell Core, but I expect it to be out any day. So here we want to run some commands now: Get-Process -Id 1. So now I'm running, just like I run Get-Process on Windows machines, I can now run it here. And I'm going to exit my PowerShell session, and, heaven help us, it won't be that much longer before cross-platform malware will be doing things like this: calling pwsh with the exact same encoded command I did on the Windows machine. And now I've got the malware here: "pew pew PowerShell pwned." It's an encoded command, it's obfuscated in the original code, but now you can see what the output is. So we want to go find that in the logs now. So remember this /var/tmp/PSTranscripts. Let's take that path and drop in there. Now we do an ls, because we're back to... actually, no, no, we're still in... all right, anyway, we've got 20200716, so let's see, 2020, and inside there I see a number of log files that have been written. So I'm going to cat out the PowerShell transcripts, and let's look for the most recent one; it starts with a Y on the randomized name. And here we'll see in a transcript on a CentOS box the same data we saw over on the Windows side: the start time, username, machine name, the host was that encoded command, process ID, and all that goodness. Here's the start time, here's the command, here's the output. It's all good. All right, so that's transcription.

Now, for the Windows folks, you might think, well, there's no Windows event log, how do I see what happened? So let's do this then for the event logging. On Windows we know 4103, 4104, and the Windows PowerShell or PowerShell Core log. How do we find that over here? So what I'm going to do is I'm going to run over and take a look at the syslog. I'll start up another session... actually I'm going to do it right here: pwd. All right, notice I'm not in PowerShell Core right now; it's not tab completing. That's important, because if I'm reviewing malware in a PowerShell session, viewing those logs gets written back into the logs, and it becomes kind of a ship-in-a-bottle kind of thing, a nested logging of logs, which is not pretty. So you want to exit out of PowerShell before you do that. But what I'm going to do is I'm going to go to /var/log, and I can do sudo grep for "powershell" in the messages file, which is the syslog file. Put in my super secret password, and now you can see here that I've got pipeline details, that's the module logging feature, Invoke-Expression, and there's a "pew pew pew PowerShell pwned" right there. All right, and it also comes out, so that's pipeline details. You also see a script block, same thing: two styles of logging, okay, two different options, the different policies that we've enabled, and they're slightly different in the output that they generate, but you can see the commands that were executed there.

So now, for fun, what we're going to do is we're going to tail this: sudo tail -f messages. All right, and so now I'm going to go over here to another SSH session on the same box, and I'm going to run pwsh. Notice it just dropped commands behind us in the syslog. And now let's do "hello from pwsh," and now back behind us in the log, you'll notice "prompt" shows up a lot, but here it is right there in syslog: "hello from pwsh" as a script block log, and then it's also there as pipeline details. All right, so that's the two styles of logging. So now you've got it, and I did that on a CentOS box. It's the same on Mac, except syslog is a little different on Mac, but you can still have your transcripts and all that there too. So that's cross-platform PowerShell. I know most of you are probably in Windows environments, and that's your primary concern, but I want you to be aware of the concerns for PowerShell Core that are emerging. That's going to be your next attack vector that the red team could be using against you. So be careful out there.

A couple of things you need to know before you implement PowerShell logging at scale across your environment. Transcription specifically can cause some issues, and this is... I guess this is really just a core fundamental issue with the operating system, the way some of the transcription works. I've already had a meeting with the PM at Microsoft giving them this feedback. This is feedback that I've seen working with customers: if you turn on PowerShell transcription, it will crash Citrix. Not cool, if you have Citrix in your environment. All right, they learned the hard way. Active Directory Administrative Center, that little PowerShell-based version of Active Directory Users and Computers, it'll hang that as well. And if you're using SCOM, some of the management scripts in SCOM can fail if you have transcription disabled, and I saw a note from Microsoft support that said they were going to potentially automatically disable PowerShell transcription out of the box when you install SCOM. So watch out for that; be careful on that conflict if you use Microsoft's... also some older versions of... I use VS Code every day on my Mac to do PowerShell note-taking and things. Now there's a Script Analyzer plug-in that runs when you are editing PowerShell in VS Code. That plug-in, using Script Analyzer, was backed by PowerShell code in the source, which would then cause additional logging to just spam your logs. I've talked with the PowerShell team on that last year; they said they're fixing that. I presume... I haven't checked lately; it's probably fixed by now.

but just be aware that if you leave vs code open with powershell in it it can trigger log writing all day long even if you're not doing anything in it um also i haven't talked about hardening yet i'll get to that in a second but you want to harden your transcription directory if you do that on powershell for an older version that does support transcription uh that's why i don't recommend the older versions you should be on powershell 51 but if you've got like a 2012 r2 box that you've turned on powershell transcription and you open the powershell prompt it'll it'll just crash it won't even run so you can break it hardening means setting that transcript directory so

only so everyday users can only write into that directory but they can't read from it only administrators and local system can read transcripts out of there reason being is you don't want everyday users on servers or workstations being able to get into those transcript files or those event logs for that matter because if they can then they could potentially see secret information that you would put in your powershell scripts and run across the enterprise now i know nobody watching this video would ever put passwords into a powershell script however you might have other things that are you know sql connection strings or you know some other type of privileged information that you don't want people to see so make sure you

harden transcripts and event logs and if you harden the event logs you have to set it through the registry i've got a script that'll help you with that some some editions of windows that might require reboot before that hardening would take place now i'm also interested to know from you what issues have you encountered with powershell logging in the enterprise if you've got any of those catch my contact information at the end of the deck i really do want to hear from you because i'm trying to compile good guidance from field experience to help other customers as well so some free resources for you number one i have created a ps policy module out on github right now

it only works with windows powershell51 it doesn't do powershell core yet but what it does is instead of because again group policy is unwieldy in a lot of environments because it's so um it's so long in the tooth and it's been i usually most places it's not been managed well and you've got conflicts of policies everywhere it's easier to go straight to the registry to set these so i've provided some scripts for you that will set the policies also will increase the event log size because the default event log size for powershell is 15 megs and that's not going to hold very much of anything especially once you turn this on so you want to increase your event log size

i've seen industry standard guidance that says you know set it to a gig so that you've got and then monitor those logs to see how many days of activity you're getting in those logs and that's what this ps model policy module is designed to do it'll also give you the code you need to harden both the transcripts and the windows event logs and then clean out those transcript files if you start writing files to disk and you never clean them that's going to be a problem one day surprise you filled the disk up so you want to also schedule a task to clean those transcript files on your endpoints and then also you want to

be able to search across all those logging locations that we looked at in the event of an uh investigation a forensic investigation so i have a script that will do that however i put here foot gun warning you can shoot yourself in the foot this way because if i'm typing in meme cats as my search string and i'm searching that from a powershell prompt now i have introduced the word mimi cats into the very logs that i'm trying to search for mimi cats you see that ship in the bottle you know inception kind of problem that we have there so be careful with that there's a command here to do it you should do that obviously as you already

practice on a machine that's dedicated to investigation where you don't have to worry about corrupting your own local logs so this is a work in progress you can ping me if you run into issues it's not really released widely yet i haven't really set a powershell gallery yet either so i'm interested in your feedback give this a try let me know if it's helpful to you and your environment but what it's designed to do is take care of some of the cleanup and nuances around these policies that don't come out of the box with group policy also last year i spoke at the powershell summit 2019 unfortunately it was canceled this year but last year i did a hands-on lab

going through all of these policies on windows and there's a lab on linux as well and so there's a guide here on github you can go check out and walk through building out your own vms and build your own environment where you can practice with powershell policies and i walk you through step by step in a very teaching method how to do a lot of the use cases that we went through very quickly today it's a lot of extra tips packed in there that you want to check out also if you're curious how do i get powershell on my mac or linux box there's instructions there at the docs.microsoft.com also i'll provide a pdf of this deck for

you out on my github and as always uh you can reach me actually.mcglanatanium.com or on twitter at go tpfe and i work for microsoft my title was premier field engineer now i've left microsoft and i'm still i can't change my twitter and i'll lose a bunch of people so anyway uh reach me at go tpfe out there on twitter and this presentation is not a vendor commercial it's designed for public education right however that being said there are some challenges with doing this automation of setting these things at scale and that's exactly what tanium does really well so when i came to tanium i brought this knowledge of powershell investigation and policy management and i built it into

some content for tanium customers so that you can set these policies at scale see where they're set what the settings are very quickly within a few seconds and then also once you've got the settings turned on how do i keep the transcripts clean all that stuff the hardening is all taken care of and some content i created on the titanium platform but then more importantly is how do i look for mimi cats again for example how do i find that then across thousands of machines in the event logs we can do that very quickly with tanium as well so if you'd like more information on that you can reach out to me so uh besides this has been fantastic

sharing the day with you i look forward to the q a here in a few minutes happy to answer any questions you might have there so in the words of mark manassee one of our industry mentors on the windows side of things use your powers for good and not for evil so thank you for attending today's session and i hope to see you in the q a soon you
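The registry-based approach the talk describes (policies set directly under HKLM instead of through group policy, a larger Operational log, a write-only transcript directory, restricted event log access, transcript cleanup, and a log search with the "foot gun" caveat) is shown below as an added example. It is not the speaker's PSPolicy module or any Tanium content; it is illustrative code written for this page. The transcript path `C:\PSTranscripts`, the 30-day retention window, the exact NTFS rights granted to `Users`, and the channel SDDL are assumptions for the example, and given the Citrix, SCOM and Server 2012 R2 conflicts described above it belongs on a lab VM before any fleet rollout. Run it elevated in Windows PowerShell 5.1.

```powershell
# Added example for this page, not the speaker's PSPolicy module.
# Sets the three Windows PowerShell logging policies in the registry, enlarges the
# Operational log, hardens the transcript directory and the log, prunes old transcripts,
# and searches 4103/4104 events. Requires an elevated Windows PowerShell 5.1 session.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptPath = 'C:\PSTranscripts'   # assumption: choose a path that fits your environment
$PSOpLog        = 'Microsoft-Windows-PowerShell/Operational'

function Set-PSLoggingPolicy {
    # Script block logging -> event 4104 in the Operational log
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging -> event 4103 ("pipeline details"); '*' logs every module
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription -> text files under $TranscriptPath, with the invocation header
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory        -Value $TranscriptPath -Type String
}

function Set-PSEventLogSize {
    param([long]$MaxBytes = 1GB)   # the talk's "set it to a gig" guidance
    # The default 15 MB fills quickly once 4103/4104 are flowing; then watch how
    # many days of history the log actually retains and adjust.
    wevtutil sl $PSOpLog "/ms:$MaxBytes"
}

function Protect-TranscriptDirectory {
    # Everyday users may only create and append transcripts; only SYSTEM and
    # Administrators can read them back. Assumption: 'Write, ReadAttributes' is
    # enough for transcription to create the daily subfolder and append; confirm
    # with a standard user after applying.
    New-Item -ItemType Directory -Path $TranscriptPath -Force | Out-Null
    $acl = Get-Acl -Path $TranscriptPath
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting parent ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $inherit = 'ContainerInherit,ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',     'FullControl',           $inherit, 'None', 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',           $inherit, 'None', 'Allow')
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'Write, ReadAttributes', $inherit, 'None', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $TranscriptPath -AclObject $acl
}

function Protect-PSEventLog {
    # Restrict channel access so only SYSTEM and Administrators can read/clear the log.
    # Assumption: this SDDL (SYSTEM full, Administrators read/write/clear) suits your
    # environment; the talk notes some Windows editions need a reboot before it takes effect.
    $Sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
    wevtutil sl $PSOpLog "/ca:$Sddl"
}

function Remove-OldTranscript {
    param([int]$RetentionDays = 30)   # assumption: retention window for this example
    # Schedule this (e.g. a daily task) so transcripts never fill the disk.
    Get-ChildItem -Path $TranscriptPath -Recurse -File -Filter 'PowerShell_transcript.*.txt' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
        Remove-Item -Force
}

function Search-PSEventLog {
    # Foot gun: running this from a PowerShell prompt writes $Pattern into the very log
    # being searched (4104 records the script block, 4103 the pipeline). Use it from a
    # host dedicated to investigation, never on the machine under review.
    param([Parameter(Mandatory)][string]$Pattern, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = $PSOpLog; Id = 4103, 4104 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

# Apply in order on an elevated Windows PowerShell 5.1 session (lab VM first).
Set-PSLoggingPolicy
Set-PSEventLogSize
Protect-TranscriptDirectory
Protect-PSEventLog
Remove-OldTranscript
```

`Search-PSEventLog 'Invoke-Expression'` returns the 4103 and 4104 events whose message contains the pattern; the match is done in PowerShell rather than in the event filter so the same call works for encoded-command fragments and obfuscation patterns without changing the query.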