It has been a few years since I have been out to DerbyCon. I really enjoyed the first experience and I enjoyed this year’s just as much. Here are a few notes from my week in Louisville, Kentucky with my friends.
I took Carlos Perez’s Advanced PowerShell for Blue and Red Teams course. It really is an advanced class, and Carlos provides a significant brain dump of his experiences. Each real-world example demonstrates the power of PowerShell for attack and response. One of the things I enjoyed most about this class is that Carlos provided three one-hour sessions of PowerShell instruction in the weeks leading up to DerbyCon. These sessions covered the basics of PowerShell so that students could more easily grasp the concepts he covered during the two-day session at DerbyCon. I do have to say the class definitely left me wanting to understand other concepts a little better. Some of the commands and piping options involving looping and filtering using PowerShell objects are still a mystery to me. While I am much closer than I was before receiving this instruction, I still have a lot of trial and error to accomplish before I can actively and consistently implement PowerShell in a production environment. But this is a typical experience when moving from a text-based Bash shell background to an object-based PowerShell environment.
Ever since getting a little burned out on challenges at conferences, I have actually started attending the talks. While it is nice that DerbyCon records and streams these events, there is nothing like hearing someone speak about the hard work they put into a project. Hearing real examples of implementation and development is a bit easier to comprehend in person, especially without the distraction of checking emails or quickly moving on to another video if the talk slows a bit.
This year I concentrated on the PowerShell talks and on talks that might provide me with information I could use during Incident Response. Here are a few notes about my favorites.
Devon provided some good background on malicious content leveraging legacy features in Windows programs, along with a demonstration of his bug hunting technique. He did get a bit distracted during his talk when his fuzzing demo immediately identified a new issue that he needs to research further to determine whether it is an exploitable vulnerability (but who wouldn’t get distracted at that moment). What I really liked about his talk is that he finished it by explaining the things that were not successful during his research. Not everything goes right, and it is important to relay this to other researchers for a variety of reasons.
Will and Matt provided a detailed walkthrough of updating Empire to Empire 2.0. This new project has a variety of updates to pull in new functionality and community additions, and it integrates EmPyre into the same code base. This project is an excellent example of how a simple project and idea can grow and advance the whole industry. It is truly a success story. To top it off, I had the pleasure of getting a few moments with Will and some of the other contributors. They are very humble, extremely helpful, and very knowledgeable. From a security team’s viewpoint, I highly recommend considering using Empire 2.0 to understand the implementation of Active Directory within an environment. Whether it is identifying configuration issues or generating system and event log artifacts for alerting and analysis, it provides most of the functionality necessary to accomplish the task. The tool also makes it easy to implement environment- and event-specific modules and tests for a variety of situations.
Sean and Will gave an entertaining talk that walks through the use of Empire 2.0 to demonstrate gaps in security controls. It has a great example of leveraging BloodHound to determine configuration weaknesses, demonstrating how they can be leveraged against an organization, and showing how to limit the negative impact to an organization’s resources by limiting the assets that are compromised during a penetration test. The latter is one of the most important concepts I have seen outlined in all of the penetration testing presentations I have attended. Sean ends the presentation with an excellent review of the Active Directory concepts that should be considered when addressing the common issues found in most organizations’ AD implementations. Luckily, for everybody, the slides and guidance are freely available at ADSecurity.org. I will be using this for reference as I move forward as a security professional. I recommend you all do the same. Some key concepts from this talk I will be reading up on include Investigating Subversive PowerShell Profiles and SPN Abuse for Kerberos.
Eric spoke about developing tools to identify suspicious events in Windows event logs using PowerShell. It is a great concept that can be used to help SOC analysts and Incident Responders quickly parse through logs to get a second set of eyes on event log data that may or may not be identified by the implemented alerting mechanisms or an organization’s current anomalous event parsing scripts. It is an ongoing project that you should look at and consider contributing to if you find it helpful. It is also an excellent way to practice PowerShell, get an understanding of normal activity, and review the events generated by common PowerShell exploitation toolkits and scripts.
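As an added illustration of the kind of event log triage Eric’s talk describes, and of the object-based looping and filtering that Carlos’s class covers, here is a small PowerShell script that I wrote for these notes (it is not Eric’s tool and not code from the talk). It pulls PowerShell script block logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), matches the recorded script text against a handful of strings that show up in common offensive PowerShell tooling, and summarizes the hits. The pattern list, the 5000-event cap, and the assumption that script block logging is already enabled on the host are my own choices for the example.

```powershell
# Added example: triage PowerShell script block events (ID 4104) for
# strings common to offensive PowerShell toolkits. Not the tool from the
# talk; the patterns and the event cap are illustrative assumptions.
# Requires script block logging to be enabled on the host being queried.

$SuspiciousPatterns = @(
    'Invoke-Mimikatz',
    'Invoke-Expression',
    'IEX\s*\(',
    'FromBase64String',
    'DownloadString',
    'System\.Reflection\.Assembly',
    'VirtualAlloc',
    '-nop\s+-w\s+hidden'
)
# One alternation regex so each event is matched once
$Regex = $SuspiciousPatterns -join '|'

# Get-WinEvent with a filter hashtable is far faster than Get-EventLog
# and filters on the server side of the event log API.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 5000 -ErrorAction SilentlyContinue

# Loop over the event objects and emit a custom object per hit.
# Event 4104 property order: [0] MessageNumber, [1] MessageTotal,
# [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
$hits = foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value
    if ($text -match $Regex) {
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            ScriptBlockId = $e.Properties[3].Value
            Path          = $e.Properties[4].Value
            Matched       = $Matches[0]
            Snippet       = ($text.Substring(0, [Math]::Min(120, $text.Length))) -replace '\s+', ' '
        }
    }
}

# Summary: which patterns fired, most frequent first
$hits | Group-Object Matched | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: every hit in time order, for the analyst to eyeball
$hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

To run this against a saved log instead of the live host, replace `LogName = '...'` in the filter hashtable with `Path = 'C:\path\to\exported.evtx'`; everything after Get-WinEvent stays the same, which is the point of working with objects rather than text. Expect the pattern list to generate noise from legitimate administrative scripts; the value is in reviewing the grouped summary against what normal activity looks like in your environment and tuning from there.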
There are definitely more presentations to mention. This list is just a few to get you excited about watching these and other talks from this conference that may pique your interest.
DerbyCon 6.0 - “Recharge” was excellent. The attendees were professional, playful, inventive, and entertaining. The bonding was refreshing, as Dave Kennedy and the rest of the DerbyCon team intended. All-in-all, I am glad I saved my training and conference presence for this event this year. I made new friends, introduced myself to the people working on the projects I will be looking into this year, and I reconnected with my InfoSec family. Thank you all, there are too many to list here: you know who you are.
Go forth and do good things,
Don C. Weber