PowerShell Classification: Life, Learning, and Self-Discovery presented at BSidesLasVegas 2018

by Derek Thomas,

Summary : By now, many security practitioners know that PowerShell is a powerful scripting language used by administrators and adversaries alike. Many blue team professionals may also know that effective detective controls are very difficult to develop due to the flexibility of PowerShell. This presentation covers the journey where I try to develop effective detective mechanisms for malicious PowerShell, shortcomings of this attempt, my first attempt at developing a classifier, the problems I encountered, the lessons I learned, and the success in the end. I will cover the development of the initial prototype from start to finish but the greatest value is in the lessons that were learned during the journey.