That is some really excellent insight into observing these activities and parsing the wheat from the chaff. Great work Gents. Even the Audio was much better this year!
Seems like AppArmor or android permissions (issues aside) are the more elegant approaches, as fun as building classifiers is... to bad that after 19 years the powershell install options are nowhere close the bounty of trusted code in apt.
I really don't understand why they focus on false positives so much. A false positive means a safe script was called out as potentially dangerous, so it gets reviewed. Big whoop. Their false negative rates were higher - that are actually dangerous scripts which they deemed to be safe. It only takes 1 of those and the game is over.
False positives are deadly to anything at scale. The reality is that clean scripts outnumber obfuscated ones by many orders of magnitude. If an ops team has to look at 100 scripts per day that are false positives, they will become blind when real obfuscated stuff comes up (if they are even still looking at the reports any longer).
It drives me absolutely bonkers when people say ob-FEW-scate / ob-FEW-scation. Throw a define:obfuscate into Google and click the speaker icon in the result up top. And now back to the video which, sans all the ob-FEW-scates I'm sure are in store for me, I feel quite certain is going to be rather awesome. =)
This presenter is NOT DIVERSE ENOUGH. Too white, too straight, too male. By comparison, I don't flinch when I get ransomware... but this level of cisgender privilege has me LITERALLY shaking. OMG, I can't even...
Obfuscation Detected! Analysis..... High frequency of "white space encoding". Weighing script elements before Eval.......... Revoke.method............ delete.user
And in the end its best this way, fuck those SJWs trying to ruin our field and attempting to instill affirmative action. All it'd do is cause more work and load for us as we need to pick up the extra slack, fix more mistakes, do extra training, deal with more stress - fuck that
