Dissecting a PowerShell Attack: CONVERGE Q&A With Ashley McGlone

10.25.2019 | Louise Larsen

PowerShell post-exploitation toolkits are prolific! How do you know if they are being used inside your enterprise? At CONVERGE 2019, Ashley McGlone, Director of Technical Account Management at Tanium, will host the Technical Lab ‘Dissecting a Live PowerShell Attack’. We met with Ashley ahead of CONVERGE for an insightful Q&A.

Describe what you do:

I’ve been a Technical Account Manager at Tanium for two years now. I help customers with pre-sales demos, POCs, daily support and even QA on Tanium releases. In addition I enjoy speaking at conferences and creating content for the tech community.

I’ve also worked a lot in the area of PowerShell for nine years now, and I continue to have an active presence in the PowerShell community. When I came to Tanium I wanted to leverage that knowledge with the Tanium platform, helping our customers implement PowerShell securely in their environments and empowering their investigations around PowerShell attacks. And that will be the content we are reviewing in the hands-on Technical Lab at CONVERGE 2019.

Without spoiler alerts, what can you share with us today about your upcoming CONVERGE session?

Customers need security tooling and alerts to see the script content inside a PowerShell attack. Last year I did a talk on PowerShell attacks as a CONVERGE Breakout session, demonstrating some prototype work in this area. The session was top-rated, but when I was reading through the evaluations two things stood out. First, attendees said they wanted to play with this and get their hands on it. Second, they wanted to be able to use it in their environments right away. So this year we are doing a hands-on technical lab around the forensics of PowerShell attacks, and when attendees leave CONVERGE 2019 they will be able to install it from the Tanium Labs manifest in their own environments.

Why is it important to discuss securing PowerShell today?

PowerShell-based malware is a commodity today. You do not have to be a nation-state or an advanced threat actor to use it. These are the kinds of visibility problems that Tanium solves, and I’m personally not aware of any other vendor in the industry that provides this needed level of visibility into the exact commands used in a PowerShell attack as Tanium does. The first step to combating malware is visibility into its tactics.

What other CONVERGE 2019 Breakout or Technical Lab Session would you attend?

I would attend the Tanium REST API session. Our customers are always asking us for greater automation around their tools. So in this session you will learn how to automate on any scripting platform that you are comfortable with, whether that is Bash or Python on Linux, or PowerShell on Windows. It will show you ways to take Tanium efficiency to a whole new level.

What’s the one thing you hope attendees will walk away with after they’ve attended CONVERGE 2019?

Hopefully, attendees will walk away with more confidence in their own abilities. I hope they walk away with more confidence in the sense that not only do they have a proven, premium platform but now they have the knowledge that “we can actually make this do a lot more than we thought it could.”

Interested in seeing Tanium in action? Schedule a one-to-one demo or attend our weekly webinar. Talk to our Tanium experts at our upcoming events.