BlackBerry Blog

DerbyCon: PowerShell Explosion!!!

NEWS / 09.28.17 / Kevin Finnigin

DerbyCon is a conference that’s in its seventh year and is intended to be an informal event for idea-sharing. In their own words: “DerbyCon is a fun environment where the security community can come together to share ideas and concepts. Whether you know Linux, how to program, are established in security, are a hobbyist, or are trying to break into INFOSEC, the idea of DerbyCon is to promote learning and strengthen the community. We are a community of peers learning from one another.”

Kevin Finnigin, a member of Cylance’s Threat Research team, attended the event and offered this commentary on the event’s talks:

Welcome to DerbyCon

PowerShell!!! Lots of PowerShell. For those who have never attended DerbyCon, it's broken into four main tracks, with presentations lasting one hour apiece.

Nearly every time slot for technical sessions had at least one talk where PowerShell was mentioned in the abstract. In fact, Matt Graeber's keynote used PowerShell throughout his presentation as he walked people through his discovery of an Authenticode signature bypass. His use of a signed binary to bypass Windows trust reminded me of the SrcTool.exe abuse we observed in January of this year.

The PowerShell Arms Race

As many noted in their presentations, PowerShell v5 saw significant improvements to aid defenders, including improved logging and policy enforcement. PowerShell as an attack platform might be considered too noisy or risky. However, the bar is still high for properly securing PowerShell and watching all those logs. Furthermore, attackers are actively working to make log analysis more difficult.

Lee Holmes kicked off the discussion with his presentation entitled “Defending Against PowerShell Attacks.” The line for his talk was literally out the door and around the atrium. Unfortunately, I did not get to attend the talk. DerbyCon is great in the sense that almost all the talks are recorded and uploaded for viewing, thanks to @IronGeek and a legion of volunteers.

Also worth noting is that talks are live streamed and if you are fortunate enough to land a room at the venue’s host hotel, you can view the talks in your hotel room. I’ll be catching Lee’s talk from the comfort of my home!

Daniel Bohannon introduced Invoke-CradleCrafter for obfuscating PowerShell. He previously introduced Invoke-Obfuscation, and with this new framework he ups the game for downloading and invoking payloads. Immediately following his talk, Ryan Cobb introduced PSAmsi, a PowerShell framework for probing the signatures supplied by Anti-Malware Scan Interface (AMSI) providers.

AMSI is still relatively new and only a few vendors have implemented it in their products. PSAmsi will help both defenders and attackers understand the signatures of those providers. On the other side of the coin, providers will need to move past naïve detection of strings.

Next up was Eric Conrad's presentation on DeepBlueCLI v2, a PowerShell framework for hunting and mining event logs on Windows. First introduced a year ago at the previous DerbyCon, Eric's work this year focused on improving detection (and on a Python implementation!). His reasoning for a Python build was the obvious migration toward do-it-yourself security information and event management (SIEM) engines. Elastic Stack, anyone?

While many other talks touched on PowerShell or leveraged it to get things done, the last headliner catching my attention was a talk provided by Lee Holmes AND Daniel Bohannon. That’s right. Red and Blue join to give us “Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science.”

Their talk introduced a framework defenders can add to their toolkit for detecting obfuscation in PowerShell commands. The presentation laid out the problems obfuscation presents to signature writing. Of course, the goal of any signature is to define prohibited code. Obfuscation attempts to bypass signatures, but as a result it produces obviously malicious scripts that any human can identify as bad (or at least unwanted). Revoke-Obfuscation incorporates their research into what legitimate scripts look like versus all the bad ways scripts can be obfuscated, to provide high-fidelity detection of obfuscated code.
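To make the two points above concrete (why a naive string signature misses trivially obfuscated commands, and how feature-based scoring of a logged script block can flag obfuscation), here is a small added Python sketch. It is not code from Revoke-Obfuscation, PSAmsi or DeepBlueCLI; the sample script blocks, the record field names, the signature strings, the feature weights and the threshold are all constructed or assumed for this illustration, and the real tools use far richer feature sets over the PowerShell AST.

```python
"""Score PowerShell script blocks (the kind recorded as ScriptBlockText in
Event ID 4104) for obfuscation, and show why substring signatures need a
normalization step first. Added example; weights and samples are assumed."""
import math
import re

# Constructed samples, not real telemetry. The second uses two tricks the talks
# discuss: backtick insertion inside cmdlet names and string concatenation.
SAMPLES = {
    "benign": "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }",
    "obfuscated": "&('I'+'nvo'+'ke-Ex'+'pres'+'sion') ('Ge'+'t-Pr'+'oce'+'ss') ; sT`oP-pRo`CesS -Name notepad",
}

# Strings a naive signature might look for (assumed list for the example).
SIGNATURE_STRINGS = ("invoke-expression", "stop-process")

# Weights and cut-off are assumed values picked for the constructed samples.
WEIGHTS = {"backticks": 1.0, "string_concats": 0.5, "call_operators": 1.5}
THRESHOLD = 3.0

_CONCAT_SQ = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_CONCAT_DQ = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
_CONCAT_JUNCTION = re.compile(r"""['"]\s*\+\s*['"]""")


def normalize(script: str) -> str:
    """Undo cheap obfuscation before matching: drop backticks, fold case and
    collapse chains of concatenated string literals ('a'+'b' -> 'ab')."""
    text = script.replace("`", "").lower()
    while True:
        new = _CONCAT_SQ.sub(r"'\1\2'", text)
        new = _CONCAT_DQ.sub(r'"\1\2"', new)
        if new == text:
            return text
        text = new


def shannon_entropy(text: str) -> float:
    """Bits per character; obfuscated blocks tend to run higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(script: str) -> dict:
    """A handful of lexical features computed on the raw (un-normalized) text."""
    n = max(len(script), 1)
    return {
        "backticks": script.count("`"),
        "string_concats": len(_CONCAT_JUNCTION.findall(script)),
        "call_operators": len(re.findall(r"[&.]\s*\(", script)),
        "special_ratio": sum(1 for c in script if not c.isalnum() and not c.isspace()) / n,
        "entropy": shannon_entropy(script),
    }


def obfuscation_score(script: str) -> float:
    f = extract_features(script)
    score = sum(WEIGHTS[k] * f[k] for k in WEIGHTS)
    score += 10.0 * max(0.0, f["special_ratio"] - 0.25)  # penalize symbol-heavy text
    return round(score, 2)


def is_obfuscated(script: str) -> bool:
    return obfuscation_score(script) >= THRESHOLD


def naive_signature_match(script: str) -> bool:
    """What a string-only detector sees: the raw text, case-folded."""
    return any(sig in script.lower() for sig in SIGNATURE_STRINGS)


def normalized_signature_match(script: str) -> bool:
    """Same signatures, applied after normalization."""
    return any(sig in normalize(script) for sig in SIGNATURE_STRINGS)


# Constructed records in the shape of a minimal 4104 export (field names assumed).
RECORDS = [
    {"EventID": 4104, "ScriptBlockText": SAMPLES["benign"]},
    {"EventID": 4104, "ScriptBlockText": SAMPLES["obfuscated"]},
]


def triage(records):
    """Return 4104 records that score above THRESHOLD or match a signature
    after normalization, each annotated with the reasons it was flagged."""
    hits = []
    for rec in records:
        if rec.get("EventID") != 4104:
            continue
        text = rec["ScriptBlockText"]
        reasons = []
        if is_obfuscated(text):
            reasons.append(f"obfuscation score {obfuscation_score(text)}")
        if normalized_signature_match(text):
            reasons.append("signature match after normalization")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(name, obfuscation_score(block), naive_signature_match(block),
              normalized_signature_match(block))
    for hit in triage(RECORDS):
        print(hit["reasons"])
```

On the constructed samples the benign block scores 0 and is missed by nothing, while the obfuscated block is missed by the naive substring check, caught once concatenation and backticks are collapsed, and scores well above the threshold on features alone. That second path matters because a determined obfuscator can defeat any fixed normalizer; the feature score does not need to know the specific trick, only that the text does not look like the scripts administrators actually write.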

It's Not All About PowerShell

While it would be a lot to cover all the talks (and impossible to attend them all for that matter), several are worth noting. Bruce Potter (@gdead) kicked off the technical sessions and gave a no-holds-barred talk on testing for security vulnerabilities. He did a great job of putting the focus on risk assessment. If it's not a risk (or a risk worth caring about), don't spend valuable cycles testing it! Copious f-bombs accompanied this talk. I could work with this CISO!

At the end of Day One, Waylon Grange finished up with literally the last talk of the day. His talk focused on attacking (dare I say exploiting) the C2s/CnCs of our adversaries. While much remains to be debated about the ethics and soundness of hacking back, few can deny the wealth of threat intelligence that can be gleaned from such a posture.

Waylon put aside the ethical issues and focused on this very topic. If we were free to compromise our attackers, what could we learn?

Apparently, a great deal, including the IP addresses of other compromised victims. From there, a simple whois will garner the company names and owners of those IP addresses. Perhaps more important is the "lay of the land," including malicious payloads and scripts staged for future exploitation. Not to mention true attribution... a rare thing in INFOSEC.

Why Antivirus Won’t Solve All Your Problems

In the late afternoon on Day Two, Ben Ten (@ben0xa) gave a great presentation on why antivirus will never solve all your problems. If the attacker can steal credentials inadvertently shared openly on the network, you don’t need exploits or malware to gain access.

Certainly, we believe prevention is a key aspect of your defenses, but you can’t stop there. As a defender, you must also focus on detection and anomalous behavior.

UAC Bypasses

Matt Nelson took us on a great deep dive into the bounty that is UAC bypasses. While his talk focused on several of the more well-known bypasses, he noted a slow but growing acknowledgement that bypasses cannot simply be ignored indefinitely.

In security, we can be too quick to write off attacks that require administrative access because it is widely acknowledged that once you are local administrator, there is little defense against skilled attackers. But at the same time, UAC bypasses are something that these attackers must contend with and now it is just too trivial to overcome this control.

Evading Autoruns

The last day of DerbyCon is always bittersweet, as people are pulling up stakes and heading off to their parts of the world. I was pleased to end things on a high note with Kyle Hanslovan and Chris Bisnett's talk on "Evading Autoruns." They gave a great rundown of the evolving techniques malware authors use to obscure the malware's execution via known autoruns locations. They introduced several new techniques, building on recent work, that fool Sysinternals Autoruns into misreporting the executable that actually persists.

That’s a Wrap!

DerbyCon 7 was the final year it will be held at the Hyatt, marking the end of an era. This post focused on the technical talks, which are generally of high caliber. However, it only takes a quick review of the conference's website to realize that there is a lot to do at DerbyCon. The organizers put on a great Con, and I look forward to its continued growth in the future!


About Kevin Finnigin

Senior Manager of Threat Research at Cylance

Kevin Finnigin has 15 years' experience in information security, including over 8 years as an active-duty Air Force officer. He has reverse engineered malware for both the U.S. government and the private sector and performed incident response roles at various levels. He holds a number of credentials, including an M.S. in Information Assurance and the SANS GCFA. While on the job, Kevin is most at home with IDA Pro open and a PowerShell session ready to do his bidding.