DerbyCon: PowerShell Explosion!!!

DerbyCon is a conference that’s in its seventh year and is intended to be an informal event for idea-sharing. In their own words: “DerbyCon is a fun environment where the security community can come together to share ideas and concepts. Whether you know Linux, how to program, are established in security, are a hobbyist, or are trying to break into INFOSEC, the idea of DerbyCon is to promote learning and strengthen the community. We are a community of peers learning from one another.”

Kevin Finnigin, a member of Cylance’s Threat Research team, attended the event and offered this commentary on the event’s talks:

Welcome to DerbyCon

PowerShell!!! Lots of PowerShell. For those that have never attended DerbyCon, it’s broken into four main tracks with presentations lasting one hour apiece.

Nearly every time-slot for technical sessions had at least one talk where PowerShell was mentioned in the abstract. In fact, Matt Graeber’s keynote used PowerShell throughout as he walked the audience through his discovery of an Authenticode signature bypass. His use of a signed binary for bypassing Windows trust reminded me of the SrcTool.exe abuse we observed in January of this year.

The PowerShell Arms Race

As many noted in their presentations, PowerShell v5 saw significant improvements to aid defenders, including improved logging and policy enforcement. Given that, PowerShell as an attack platform might be considered too noisy or risky. However, the bar is still high for properly securing PowerShell and watching all those logs. Furthermore, attackers are actively working to make log analysis more difficult.
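As an added illustration of the v5 logging improvements mentioned above (this is example code written for this page, not from the Cylance post or any of the talks), the snippet below checks whether Script Block Logging is enabled, turns it on if not, and pulls the most recent script block events for review. It assumes an elevated PowerShell 5.x session on Windows; the registry policy path and event ID 4104 are the documented locations for this feature, and the `$Count` parameter and function names are this example's own.

```powershell
# Added example, not code from the original post. Assumes an elevated
# Windows PowerShell 5.x session. The policy key below is the one Group
# Policy writes for "Turn on PowerShell Script Block Logging".
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    # Returns $true when EnableScriptBlockLogging is set to 1 under the policy key.
    if (-not (Test-Path $sblPath)) { return $false }
    $value = (Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging `
                -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

function Enable-ScriptBlockLogging {
    # Creates the policy key if it is missing and turns logging on. In a domain
    # the same setting is under Computer Configuration > Administrative
    # Templates > Windows Components > Windows PowerShell, which is preferable
    # to setting the registry value by hand on each host.
    if (-not (Test-Path $sblPath)) { New-Item -Path $sblPath -Force | Out-Null }
    Set-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-RecentScriptBlocks {
    param([int]$Count = 20)   # $Count is this example's own parameter
    # Event ID 4104 in the PowerShell operational log carries the script block
    # text as it was compiled, after any encoding or string-building has been
    # resolved. That is what makes v5 logging useful to defenders: the on-disk
    # or command-line form may be obscured, but the logged block is not.
    # Blocks PowerShell itself considers suspicious are logged at Warning level
    # even when the policy is off, so the Level column is worth a first look.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Level  = $_.LevelDisplayName
            Script = $_.Properties[2].Value   # ScriptBlockText field of 4104
        }
    }
}

if (-not (Get-ScriptBlockLoggingState)) {
    Write-Host 'Script Block Logging is off; enabling it.'
    Enable-ScriptBlockLogging
}
Get-RecentScriptBlocks -Count 10 | Format-List
```

The volume of 4104 events on a busy host is exactly the "watching all those logs" problem the post refers to, so in practice these events are forwarded to a central collector rather than read locally; the function above is meant for a quick spot check that logging is actually producing records.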

Lee Holmes kicked off the discussion with his presentation entitled “Defending Against PowerShell Attacks.” The line for his talk was literally out the door and around the atrium. Unfortunately, I did not get to attend the talk. DerbyCon is great in the (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Kevin Finnigin. Read the original post at: Cylance Blog