Explore the evolution of Windows malware and learn advanced techniques for detecting and analyzing suspicious PowerShell activity in this conference talk from Derbycon 7. Dive into the features of DeepBlueCLI v2, now available in both PowerShell and Python, and discover how to leverage this tool for enhanced security analysis. Gain insights into manual gzip advantages, regex implementation, and automatic detective whitelisting. Examine real-world examples of malware techniques, including hidden PowerShell windows and binary encoding. Understand the challenges of malware detection and the importance of continuous improvement in cybersecurity tools. Learn about integrating with Security Onion and extracting valuable information from event logs. Perfect your skills in identifying and mitigating sophisticated PowerShell-based attacks through practical demonstrations and expert guidance.
Overview
Syllabus
Introduction
How to download the talk
Whats on my website
Oregon Trail Expert
PreReq
Sunlight is the best disinfectant
The evolution of Windows malware
File list malware
Hidden PowerShell window
Manual gzip
The advantages of manual gzip
DeepBlueCLI v2 update
Perfect is the enemy of good
New features
Regex
Giant command lines
Perfect attacker fallacy
Im gonna fail
Lost in the wilderness
Peta gets smart
PowerShell
Event Log View
Wmake
PowerShell launch
Older examples
New object output mode
Metasploit
Pipe
PSExec
PSAttack
Daniel Bohannon
Dan Daniel
Multiple rounds
Alpha count
Binary encoding
Global variable
Object output
Automatic detective whitelisting
CSV deepwhitelist
Automate deepwhitelist
Is PowerShellExec evil
A revolution happening in Sims Elastic Stack
Why Python
Security Onion
How to get event logs
Python EBTX
BBBTX
Demo
Lobby Con
