Revoke-Obfuscation - PowerShell Obfuscation Detection and Evasion Using Science

Black Hat via YouTube

Overview

Explore the world of PowerShell obfuscation detection and evasion techniques in this Black Hat conference talk. Delve into the challenges of distinguishing between legitimate and malicious PowerShell usage in environments where it's heavily utilized. Learn about remote download cradles, command invocation methods, and various obfuscation techniques. Discover how to leverage character frequency analysis, cosine similarity, and machine learning algorithms for detection. Gain insights into building a PowerShell corpus, using AST Explorer, and implementing script block logging. Understand the importance of whitelisting and stay up-to-date with the latest references in PowerShell security.

Syllabus

Introduction
Remote Download Cradle
Get Command
More Options
Alias
Invoke Expression
Fun Fact
Invoke Expressions
Invoke Command
Invoke Script
Convert Expression to Script Block
Invoke-CradleCrafter
Just Breathe
Reverse
Invoke-Obfuscation
CradleCrate
Muto Gucci
Whitespace tab encoding
I'm starting to feel guilty
The big thing to realize
Look at this
Character Frequency
Cosine Similarity
Character Similarity
Underhanded PowerShell Contest
Building a PowerShell Corpus
Lee is so polite
GitHub
Thank You
Remove Games at PS1
Stop Online Piracy Act
More Data
How Many Scripts
Similarity Metrics
Precision and Recall
PowerShell
AST Explorer
AST Type
Linear Regression
Logistic Regression
Gradient Descent
Results
Deep Analysis
Fun Facts
Script Block Logging
Upgrade to PowerShell 5
Enable Script Block Logging
Whitelisting
References
Questions

Taught by

Black Hat
