
Reading Room

Microsoft Windows

Featuring 5 Papers as of February 20, 2019

  • PowerShell Security: Is it Enough? STI Graduate Student Research
    by Timothy Hoffman - February 20, 2019 

    PowerShell is a core component of any modern Microsoft Windows environment and is used daily by administrators around the world. However, it has also become an “attacker’s tool of choice when conducting fileless malware attacks” (O’Connor, 2017). According to a study by Symantec, the number of prevented PowerShell attacks increased by over 600% between the last half of 2017 and the first half of 2018 (Wueest, 2018). This is a staggering number of prevented attacks, but the more concerning problem is the unknown number of undetected attacks that occurred during this time. Modern attackers often prefer to “live off the land,” using native tools already in an environment to prevent detection; PowerShell is a prime example of this. These statistics lead to a suggestion that current PowerShell security may not be effective enough, or that organizations are improperly implementing it. This paper investigates the efficiency of PowerShell security, analyzing the success of security features like execution policies, language modes, and Windows Defender, as well as the vulnerabilities introduced by leaving PowerShell 2.0 enabled in an environment. Multiple attack campaigns will be conducted against these security features while implemented individually and collectively to validate their effectiveness in preventing PowerShell from being used maliciously.


  • Supplementing Windows Audit, Alerting, and Remediation with PowerShell by Daniel Owen - November 16, 2017 

    This paper outlines the use of PowerShell to supplement audit, alerting, and remediation platforms for Windows environments. This answers the question of why to use PowerShell for these purposes. Several examples of using PowerShell are included to start the thought process on why PowerShell should be the security multi-tool of first resort. Coverage includes how to implement these checks in a secure, automatable way. To demonstrate the concepts discussed, small code segments are included. The intent of the included code segments is to inspire the reader's creativity and create a desire to use PowerShell to address challenges in their environment. Finally, a short section includes resources for code examples and learning tools. While some knowledge of PowerShell will aid the reader, the intended audience of this paper is the PowerShell novice.


  • Migration to Office 365, a Case Study on Security and Administration in the Non-profit Sector by Richard Snow - February 27, 2017 

    A non-profit serves a mixed community of staff and volunteers. Its email archiving and spam filter services were going to reach the end of life in January 2017. Generous charity pricing for Office 365 from Microsoft was an incentive to move away from the existing hosted Exchange platform. The company needed to develop a strategy for migration to Microsoft Office 365. It had to upgrade Microsoft Office software as well as migrate email. How could it accomplish the transition as well as maintain or improve security?


  • Securing the GIAC Enterprise Endpoint ISE/M 6100 - Security Project Practicum - Lab Notebook STI Graduate Student Research
    by Balaji Balakrishnan, Matthew Hosburgh, and Patrick Neise - January 6, 2016 

    This was a student assignment to perform an OPSEC assessment for a fictional company, GIAC Enterprises. The team found some interesting tools and wrote some of their own. In addition, the report could be used as a first-order template for an organization's Windows 10 deployment.


  • Securing the Windows 10 GIAC Enterprise Endpoint ISE/M 6100 - Security Project Practicum - Technical Paper STI Graduate Student Research
    by Balaji Balakrishnan, Matthew Hosburgh, and Patrick Neise - January 6, 2016 

    This was a student assignment to perform an OPSEC assessment for a fictional company, GIAC Enterprises. The team found some interesting tools and wrote some of their own. In addition, the report could be used as a first-order template for an organization's Windows 10 deployment.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.