

Seeing as how I just returned home from DerbyCon 6.0 - Recharge in Louisville, Kentucky, I'd like to share my experience.

As a PowerShell junkie this con was special, and I'm certain that feeling is shared amongst a lot of you who attended or watched the videos (big thanks to @irongeek_adc (Adrian Crenshaw) for all the uploads). But before we get to all that, I wanted to start at the very beginning of my trip.

I went 3 days before the actual conference began for @Carlos_Perez's (Carlos Perez) class, "Advanced PowerShell for Blue and Red Teams". Thought I'd get into town a bit early, see the city a little and rest (as you can see in the below photo), since the next 2 days would be 8am starts with a lot of content to take in.

Showed up to get my badge a bit before class and it was off to the PowerShell races!

The class was fantastic. In all honesty, I left with a far deeper understanding of PowerShell and WMI, not only for the pwnage but on the blue side as well. There was an epic amount of content to get through and Carlos did an excellent job preparing the course and executing it (big thank you to Jose Quinones as well). Carlos also delivered a great talk about purple teaming that I encourage you to watch.

The class was full and by sheer tyranny of will, I happened to pick a seat next to a fellow Canadian.

Met some fantastic folks in class, so thank you all for the great chats. To make it all the more interesting, both days had some amazing drop-ins and characters meandering about:

Once the 2 days of training were over, some mental rest was definitely needed.

September 23, the conference officially kicked off. I was excited because so many people I had never encountered in person were in attendance, which was the real treat.

Talks were starting and the vendors were out. I was interested in seeing as many PowerShell-related talks as I could - not a difficult task, since unofficially this was PowerShellCon 2016 :). An awesome blend of red and blue content dominated, along with its master practitioners. The only real difficulty was choosing between @harmj0y and @PyroTek3's talk "Attacking EvilCorp: Anatomy of a Corporate Hack" and @mattifestation and @jaredcatkinson's talk "Living off the Land 2: A minimalist's guide to Windows Defense", which was totally accidental that they would be scheduled at the same time, right ;) .

PowerShell aside, there was an amazing mix of topics with wonderful speakers, and I highly encourage you all to watch the vids.

On to the folks I would really like to acknowledge for making my first DerbyCon a killer experience (didn't get to take pics with everyone :( ).

@armitagehacker (Raphael Mudge) has been a major influence on me, and as a Cobalt Strike junkie myself, being able to speak to the developer is a lot of fun. I can't stress enough that you should be reading his blog, as it's full of incredible insights if you love Cobalt Strike and red teaming / adversary and threat tactics. His YouTube channel is an excellent resource as well.

@subTee (Casey Smith) delivered a great talk and has made amazing contributions to application whitelist evasion and more. Another individual who couldn't be friendlier and who has had a profound effect on my knowledge and education. Be sure to check out his blog too.

@jasonstreet - Let's be honest, no conference is complete without an awkward hug!

@edskoudis - Despite being interrupted by me on his way out, Mr. Ed was kind enough to stop and chat for a while about all kinds of shenanigans.

@harmj0y (Will Schroeder) - Like @armitagehacker, Will has had a tremendous influence on me and many of you, I'm sure. From Veil to Empire to BloodHound (and all the other devs involved, of course).

@ReL1K (Dave Kennedy) - Last but certainly not least, thank you Dave (and all DerbyCon staff) for everything. Couldn't have happened otherwise.

Some other mentions I have to throw out there:

@PyroTek3 (Sean Metcalf) - Another fellow I managed to interrupt on his way somewhere, but he still took the time to stop and chat about fun AD things. I'd be a fool not to mention his blog, which is your one-stop shop for Active Directory security.

@jsnover (Jeffrey Snover) - Well, when the father of PowerShell is in the house, you gotta shake his hand. Jeffrey and @Lee_Holmes delivered the opening keynote for the conference.

@tifkin_ (Lee Christensen) - Another awesome guy to chat with, and you know that unmanaged PowerShell ability in that tool you love? Ya, this is the guy :)

@enigma0x3 (Matt Nelson) - One more reason the Veris ATD guys are kicking butt. Matt was great to chat with, and if you're not up to date on his blog and research, you should be.

@byt3bl33d3r (Marcello Salvati) - Funny how someone you may be talking to on the Twitterz is quite literally sitting beside you. Had a blast walking around, talking shop, and having beers with the developer of CrackMapExec. He also gave an excellent talk during the con that I highly encourage you to check out.

@traversal (Haydn Johnson) - A must do shout out to my pal Haydn. Thanks for dragging me out of the hotel :) Haydn along with @carnal0wnage (Chris Gates) are delivering a talk at SecTor 2016. Check them out if you're in town!

OK, back to the story. Like I said, it's not always about the talks and training; sometimes it's just meeting the people you've always wanted to talk to. @superkojiman, a member of the @VulnHub team whom we competed against at the @defcon_toronto CTF (that's us in 3rd), invited me and others out to a pizza meetup with some awesome folks. Next time you're in Louisville, KY, be sure to check out Spinellis (very cool joint). Great hanging with you all.

All in all, I met people I've always wanted to meet, attended talks I planned on attending, and learned what I came to learn. It's easy for a conference to have a disconnected, cold, just-business feeling to it, but DerbyCon had more of a close-knit, belonging, comfortable vibe that makes it very unique and special.

In closing, thank you for the experience and I'll see you next year!
