Cookie Monster Has Entered the Teams Chat with Miriam Wiesner

Recorded live at PSConfEU 2026, Andrew sits down with returning guest Miriam Wiesner, Senior Security Researcher at Microsoft, for a wide-ranging conversation on PowerShell security, cookie-based attacks, and the evolving threat landscape. Miriam walks through her two conference talks — one on Microsoft Teams session cookie hijacking (a follow-up to her 2025 Entra ID cookie talk, complete with Cookie Monster branding and actual handcuffs), and a joint session with Stéphane van Gulick on using Microsoft Defender's Live Response feature for incident investigation. The conversation also covers the current state of PowerShell security, why sophisticated attackers are moving away from PowerShell, and why defenders who haven't enabled script block logging and AMSI are leaving easy wins on the table. On top of the technical deep dive, Miriam and Andrew get into the human side of the conference community — nerves before presenting, imposter syndrome, and why showing up is already half the battle.

Key Takeaways:

• Cookie-based identity attacks are an active and growing threat. Microsoft Teams, SharePoint, and OneDrive share session cookies, meaning a single cookie theft can give an attacker broad access across your organization's collaboration tools — no re-authentication required.
• Sophisticated threat actors are moving away from PowerShell specifically because its security features work. Script block logging, AMSI, and Constrained Language Mode make PowerShell activity highly visible and detectable. If your org hasn't enabled these, you're handing attackers an easy path.
• Visibility beats prevention. You can't prevent what you can't see. Detection through proper logging is not a consolation prize — it's a core security strategy, and Microsoft Defender's Live Response feature gives teams a powerful way to investigate isolated endpoints without needing RDP or PowerShell remoting enabled.

Guest Bio:
Miriam Wiesner is a Senior Security Research Program Manager at Microsoft with over 15 years of experience in IT security, penetration testing, and security automation. She works on research behind Microsoft Defender and Sentinel and is the creator of widely used open source PowerShell security tools EventList and JEAnalyzer. Miriam is a sought-after speaker at major security and PowerShell conferences including Black Hat, PSConfEU, and MITRE ATT&CK Workshops. She's also the author of "PowerShell Automation and Scripting for Cybersecurity," published by Packt. Her conference speaker career started at PSConfEU 2018 and she's been a fixture of the community ever since.

Resource Links
Miriam's 2025 Cookies talk - https://www.youtube.com/watch?v=8xDcq0pPNPs
Book – PowerShell Automation and Scripting for Cybersecurity (Packt): https://www.amazon.com/PowerShell-Automation-Scripting-Cybersecurity-Hacking/dp/1800566379
Miriam on LinkedIn: https://www.linkedin.com/in/miriamwiesner
Miriam on X/Twitter: https://x.com/MiriamXyra
Miriam's GitHub (EventList, JEAnalyzer, and more): https://github.com/miriamxyra
Miriam's Website: https://miriamxyra.com
Connect with Andrew: https://andrewpla.tech/links The PowerShell Podcast on YouTube: https://youtu.be/zxJOqcEwgWE