Several years ago, Microsoft announced a new tool, AppLocker, which, according to the developers, was designed to increase the level of security when working in Windows. Unfortunately, a way was uncovered to run any application on the system, bypassing AppLocker and without administrator rights.
Nikhil Mittal has shared the presentation ‘Hacked? Pray that the Attacker used PowerShell’. It tells us how to find the fingerprints of a PowerShell attack on a compromised system.
The research of Ryan Kazanciyan and Matt Hastings on PowerShell attacks served as a starting point and the main resource for research on this topic. Recently, David Wells has been working on this topic for a long time.