Discovering Cyber Indicators of Compromise on Windows OS 10 Clients Using PowerShell and the .Net Framework
Abstract
This report describes research conducted to advance cyber incident response capability at the U.S. DoD-defined Tier 3 level. Because both authors (at the time of writing) serve in cyber support roles within the U.S. Navy, the report is written with some specificity to Navy shipboard and facility environments. Given the complexity of modern cyber systems, analysis is generally considered the most technically difficult task in the incident handling lifecycle: significant knowledge is required to detect (or verify) that an incident has occurred and to obtain enough additional system information to direct an informed response and recovery effort. This work focuses on analysis of the Windows 10 (client) platform using tools native to PowerShell. The authors attack a host, then demonstrate how PowerShell can be used to analyze system artifacts to determine either the attack techniques used or the system weaknesses that allowed the attack to succeed. The authors then describe how the most reliable artifacts can be combined into indicators of compromise (IOC) expressed as PowerShell scripts, which could then be deployed to proactively hunt for other infected systems.
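The following PowerShell script is an added illustration of the final step the abstract describes (turning host artifacts into a script that hunts other machines); it is not code from the report, and every indicator value in it (hash, Run-key value name, task name, process name) is a constructed placeholder, not an artifact the authors recovered. It checks the four artifact classes an analyst most often ends up with on a Windows 10 client: Run-key persistence, scheduled tasks, running process names, and dropped files identified by SHA-256.

```powershell
# Added example, not from the report. Minimal IOC hunt for a Windows 10 client.
# All indicator values are constructed placeholders; replace them with artifacts
# recovered during analysis. Run elevated so process paths and all users' files are visible.
#Requires -RunAsAdministrator

$Ioc = @{
    # SHA-256 of a dropped file tied to the intrusion (placeholder value)
    FileHashes    = @('0000000000000000000000000000000000000000000000000000000000000000')
    # Directories where a dropped file is likely to live
    HuntPaths     = @("$env:ProgramData", "$env:TEMP", "$env:APPDATA")
    # Run-key value names observed during analysis (placeholder)
    RunValueNames = @('UpdaterSvc')
    # Scheduled task names observed during analysis (placeholder)
    TaskNames     = @('SystemUpdateCheck')
    # Process image names, without .exe (placeholder)
    ProcessNames  = @('svchosts')
}

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit {
    param([string]$Type, [string]$Detail)
    $hits.Add([pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Type   = $Type
        Detail = $Detail
        Time   = (Get-Date).ToString('o')
    })
}

# 1. Persistence: machine-wide and current-user Run keys
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $Ioc.RunValueNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            Add-Hit 'RunKey' "$key\$name = $($props.$name)"
        }
    }
}

# 2. Persistence: scheduled tasks, reporting what each task executes
foreach ($name in $Ioc.TaskNames) {
    Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Hit 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $action"
    }
}

# 3. Running processes by image name (Path is empty for protected processes when not elevated)
foreach ($name in $Ioc.ProcessNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Hit 'Process' "$($_.Name) PID $($_.Id) Path $($_.Path)"
    }
}

# 4. Dropped files by SHA-256 in the hunt paths (-contains compares strings case-insensitively)
foreach ($dir in $Ioc.HuntPaths) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and ($Ioc.FileHashes -contains $h.Hash)) {
            Add-Hit 'FileHash' "$($_.FullName) SHA256=$($h.Hash)"
        }
    }
}

# Emit hits as objects so the caller can pipe them to Export-Csv or collect them over WinRM
$hits
```

Because the script returns objects rather than printing text, it can be fanned out to other hosts with `Invoke-Command -ComputerName <hosts> -FilePath .\Hunt-Ioc.ps1` and the results collected centrally; a file-name-only match is deliberately not used, since the hash is the artifact class the analysis phase can actually vouch for.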
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2019
- Accession Number: AD1073689
Entities
People
- Andrea E Galloway
- Jackie E Turner
Organizations
- Naval Postgraduate School