BSides NYC - 2025

I recently attended BSides NYC 2025, and it was a genuinely productive and engaging experience. This free event continues to be a fantastic resource for the community. The technical depth across all tracks was excellent, providing plenty to analyze and reflect on. While I had to prioritize some external commitments which cut my time short, it simply fueled my drive to fully immerse myself next year, especially in the hands-on workshops. The quality of the sessions provided a great foundation for professional growth. You can view some of my detailed technical notes and observations below:

Technical Session Summaries

I. Detecting and Preventing Obfuscated Script Execution with Tree-sitter

Track: Blue (L2.84), Time: 10:00 - 10:55

This session focused on the persistent problem of obfuscated script execution (PowerShell, Python, JavaScript) being used by threat actors to complicate analysis and bypass traditional security tools.

  • The AMSI Challenge: Windows’ Antimalware Scan Interface (AMSI) hands script content to registered antimalware provider DLLs, but those providers rely largely on content signatures, so relatively simple obfuscation slips past them. On top of that, obfuscated loaders routinely carry an AMSI bypass (patching the scanning function in memory) early in the infection chain.
  • The Tree-sitter Solution: The Tree-sitter parsing library parses a script into a concrete syntax tree and exposes an API to walk and query that tree programmatically, so a detector can reason about what the code does rather than what its text looks like.
  • Defense Application: This enables new techniques for rapidly detecting, analyzing, and preventing infections.
    • The speaker demonstrated a custom AMSI provider DLL that deobfuscates, blocks, and logs obfuscated PowerShell payloads.
    • Showcased successful detection of AMSI bypass attempts from tools like the r77 rootkit and the nishang offensive PowerShell framework, along with payloads obfuscated with Invoke-Obfuscation.
  • My Notes/Takeaways:
    • You must actually learn PowerShell to understand the core logic being manipulated.
    • The idea is to integrate YARA rules with Tree-sitter to scan the structural logic, not just the text.
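The talk used Tree-sitter against PowerShell; as an added illustration (not the speaker's code, and not Tree-sitter's API) the same "scan the structure, not the text" idea is shown here with Python's standard-library ast module, so it runs without installing a grammar. The three sample scripts are constructed for the demo and only print a string; the rule names and the text-only baseline signature are my own assumptions.

```python
import ast
import re

# Constructed sample scripts for the demo; they only print a string and are not real malware.
BENIGN = '''
import json
data = json.loads('{"a": 1}')
print(data["a"])
'''

OBFUSCATED_B64 = '''
import base64
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
'''

# Module and attribute names are assembled at runtime, so no telltale string exists in the text.
OBFUSCATED_CHR = '''
m = __import__("b" + "ase" + "64")
f = getattr(m, "".join(chr(c) for c in [98, 54, 52, 100, 101, 99, 111, 100, 101]))
eval(f("cHJpbnQoJ2hpJyk="))
'''

DYNAMIC_EXEC = {"exec", "eval", "compile"}
COMPUTED_NAME_ARG = {"__import__": 0, "getattr": 1}  # position of the name argument

# Text-only baseline (assumed signature): looks for the decode call by name.
TEXT_SIGNATURE = re.compile(r"b64decode")


def text_scan(source):
    """Baseline: substring signature over the raw script text."""
    return TEXT_SIGNATURE.search(source) is not None


def _is_literal_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _call_name(call):
    """Dotted name of a call target, or None when the target itself is computed."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def find_obfuscation(source):
    """Walk the syntax tree and return sorted (line, rule) findings.

    The rules look at how calls are built, not at which strings appear, so
    renaming or splitting identifiers does not hide them.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        args = node.args
        # Rule 1: exec/eval/compile whose payload is anything but a plain string literal.
        if name in DYNAMIC_EXEC and args and not _is_literal_str(args[0]):
            findings.append((node.lineno, "dynamic-exec-nonliteral"))
        # Rule 2: __import__/getattr whose name argument is computed (concatenated, joined, decoded).
        if name in COMPUTED_NAME_ARG:
            idx = COMPUTED_NAME_ARG[name]
            if len(args) > idx and not _is_literal_str(args[idx]):
                findings.append((node.lineno, f"computed-name-{name}"))
        # Rule 3: a string assembled with str.join over chr() calls (char-code build-up).
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "join":
            uses_chr = any(isinstance(n, ast.Call) and _call_name(n) == "chr" for n in ast.walk(node))
            if uses_chr:
                findings.append((node.lineno, "chr-join-string-build"))
    return sorted(findings)


def scan(source):
    """Combine both views so the gap between text and structure is visible."""
    return {"text_hit": text_scan(source), "ast_findings": find_obfuscation(source)}


if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("b64", OBFUSCATED_B64), ("chr", OBFUSCATED_CHR)]:
        print(label, scan(src))
```

The point the output makes: the base64 variant trips both the text signature and the structural rules, while the chr()-built variant never contains the string "b64decode" and is only caught by looking at how the calls are constructed. A Tree-sitter query over a PowerShell tree (for example, an `Invoke-Expression` whose argument is a `-join` or `[char]` expression rather than a literal) expresses the same rules.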

II. Spycraft 2.0: Hunting Dead Drops in Web Applications

Track: Blue (L2.84), Time: 11:00 - 11:55

This talk focused on how modern malware uses public web services to maintain covert Command and Control (C2).

  • The Threat Technique: Attackers adopt the classic espionage “dead drop” tactic by embedding encrypted or obfuscated C2 locations in public web applications like Dropbox, GitHub, and Pastebin.
    • This technique, known as a dead drop resolver (MITRE ATT&CK T1102.001), lets malware locate its current C2 server dynamically at runtime instead of carrying a hard-coded address.
    • It provides high resiliency, making it easy for attackers to migrate infrastructure if a server is discovered or taken down.
  • The Defender Challenge: These digital dead drops are difficult to detect using traditional, static methods.
  • Defense Application: The speaker presented an analysis system that uncovers these hidden links at scale. The goal is to proactively identify and disrupt such covert channels by gaining insight into how malware families use this strategy.
  • My Notes/Takeaways:
    • The malware must include decode and decrypt logic to fetch values from the dead drop, which is the vulnerability defenders should target for proactive threat hunting.
    • My team is actively moving clients from strongDM to services like Tailscale, reflecting the shift away from centralized access points that attackers target.
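The dead drop resolver loop, as an added example that is not code from the talk or from any real malware family: the marker format, the XOR key and the "public page" bodies are all constructed assumptions, and the addresses come from the RFC 5737 documentation ranges. It shows the attacker's encode and resolve steps, the rotation that gives the technique its resiliency, and the defender's move from the takeaway above: once the decode routine and key are pulled out of a sample, the same resolver can be run over candidate pages to harvest the current C2 before the next beacon.

```python
import base64
import re

# Assumed per-sample key: the kind of value recovered by reversing the sample's decode routine.
XOR_KEY = b"bsides"
# Assumed marker the implant searches for inside an otherwise innocuous page.
MARKER = re.compile(r"<!--\s*cfg:([A-Za-z0-9+/=]+)\s*-->")


def _xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_drop(c2_url, key=XOR_KEY):
    """Attacker side: XOR then base64 so the page shows only an opaque blob."""
    return base64.b64encode(_xor(c2_url.encode(), key)).decode()


def resolve_drop(page_text, key=XOR_KEY):
    """Malware side: find the marker in a public page and decode the live C2 URL.
    Returns None when there is no marker or the key does not fit."""
    m = MARKER.search(page_text)
    if not m:
        return None
    try:
        return _xor(base64.b64decode(m.group(1)), key).decode("utf-8")
    except UnicodeDecodeError:
        return None


# Constructed "public pages" standing in for a gist README, a paste, and an unrelated page.
PAGES = {
    "gist-readme": "# weather widget\nplain text\n<!-- cfg:%s -->\n" % encode_drop("https://198.51.100.7/api/v2"),
    "paste-notes": "shopping list\n- milk\n<!-- cfg:%s -->\n" % encode_drop("https://203.0.113.9:8443/gate"),
    "unrelated": "<!-- build: 2025-10-01 -->\nhello world\n",
}


def rotate_drop(page_text, new_c2, key=XOR_KEY):
    """Attacker side again: swapping the blob moves every infected host to a new server
    without touching the implant, which is why taking down one C2 does not end the campaign."""
    return MARKER.sub("<!-- cfg:%s -->" % encode_drop(new_c2, key), page_text, count=1)


def hunt(pages, key=XOR_KEY):
    """Defender side: run the resolver extracted from the sample over candidate pages
    and return the C2 indicators it yields."""
    hits = {}
    for name, page in pages.items():
        url = resolve_drop(page, key)
        if url:
            hits[name] = url
    return hits


if __name__ == "__main__":
    print(hunt(PAGES))
    print(resolve_drop(rotate_drop(PAGES["gist-readme"], "https://203.0.113.42/")))
```

The blob never contains the C2 address in the clear, so a search for known bad IPs across the hosting service finds nothing; the decode logic in the sample is the stable artifact, and re-running it periodically is what turns a dead drop into a feed of fresh indicators.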

III. Using Volatility 3 to Detect Sophisticated Malware

Track: Blue (L2.84), Time: 13:00 - 13:55

This session introduced the latest version of the widely used open-source memory forensics framework.

  • The Rewrite: Volatility 3 is a complete rewrite of the framework, which has been the standard for memory forensics since 2007.
  • Core Utility: The framework and its new plugins are essential for detecting a wide range of sophisticated, modern malware.
  • Detection Focus: The new version includes features to detect techniques currently deployed by ransomware and APT groups to:
    • Evade EDR detection.
    • Inject code in a stealthy manner (e.g., Process Hollowing).
    • Perform lateral movement.
  • Takeaway: Attendees learned how to detect modern malware and how to integrate Volatility 3’s new features into production-suitable detection workflows.
  • My Notes/Takeaways:
    • The axiom remains: RAM cannot lie. Acquisition of physical RAM is the only way to catch memory-only or fileless malware.
    • The hunt focuses on kernel structures like the VAD (Virtual Address Descriptor) to find illegally injected code regions.
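The VAD-centred hunt from the takeaways above, as an added illustration that is not code from the talk or from Volatility 3. The region records are constructed in-line to stand for what a VAD listing (such as Volatility 3's `windows.vadinfo`) returns, and the heuristic mirrors the one `windows.malfind` applies: private (non file-backed) memory that is executable, especially read-write-executable, with a PE header inside it pointing at a reflective load. The hollowing check uses the same data from the other direction: the VAD at the process's image base should be an image mapping of its own file.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Vad:
    """One VAD node as a listing plugin hands it back: range, protection, backing file
    and the first bytes of the region. Constructed for the demo, not read from a dump."""
    start: int
    end: int
    protection: int
    mapped_file: Optional[str]  # None means private (anonymous) memory
    head: bytes


def suspicious_regions(vads: List[Vad]) -> List[Tuple[int, List[str]]]:
    """malfind-style heuristic: executable private memory is rare outside JITs and loaders,
    and a PE header inside it means something was mapped by hand rather than by the loader."""
    out = []
    for v in vads:
        reasons = []
        if v.mapped_file is None and v.protection in EXECUTABLE:
            reasons.append("private-executable")
            if v.protection == PAGE_EXECUTE_READWRITE:
                reasons.append("rwx")
        if v.mapped_file is None and v.head.startswith(b"MZ"):
            reasons.append("pe-header-in-private-region")
        if reasons:
            out.append((v.start, reasons))
    return out


def is_hollowed(image_base: int, image_path: str, vads: List[Vad]) -> bool:
    """Process hollowing check: the VAD covering the PEB's ImageBaseAddress should be an
    image mapping of the process's own file. Private memory there means the original
    image was unmapped and replaced."""
    for v in vads:
        if v.start <= image_base <= v.end:
            return v.mapped_file is None or v.mapped_file.lower() != image_path.lower()
    return True  # no VAD at the image base at all is itself abnormal


# Constructed process layouts (addresses and contents are illustrative).
IMAGE_BASE = 0x7FF6A0000000
IMAGE_PATH = r"\Windows\System32\svchost.exe"

CLEAN = [
    Vad(IMAGE_BASE, 0x7FF6A001FFFF, PAGE_EXECUTE_WRITECOPY, IMAGE_PATH, b"MZ\x90\x00"),
    Vad(0x1C2A0000000, 0x1C2A00FFFFF, PAGE_READWRITE, None, b"\x00" * 4),  # ordinary heap
]

INJECTED = CLEAN + [
    Vad(0x1C2B0000000, 0x1C2B003FFFF, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00"),  # reflectively loaded DLL
    Vad(0x1C2C0000000, 0x1C2C0000FFF, PAGE_EXECUTE_READWRITE, None, b"\xfc\x48\x83\xe4"),  # shellcode stub
]

HOLLOWED = [
    Vad(IMAGE_BASE, 0x7FF6A001FFFF, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00"),  # image base is now private RWX
    CLEAN[1],
]


if __name__ == "__main__":
    for label, vads in [("clean", CLEAN), ("injected", INJECTED), ("hollowed", HOLLOWED)]:
        print(label, [(hex(s), r) for s, r in suspicious_regions(vads)],
              "hollowed" if is_hollowed(IMAGE_BASE, IMAGE_PATH, vads) else "intact")
```

Two caveats a practitioner applies in production: .NET and browser JIT engines legitimately produce private executable regions, so the private-executable hit alone needs an allow-list or a second signal (the PE header, a known shellcode prologue, a thread whose start address falls in the region), and the hollowing check only works when the PEB is readable, which is why a full physical-memory acquisition rather than a user-mode dump is the starting point.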

Observational and Logistics Notes

  • Training Focus: The sheer number of people in red team vs blue team events was noticeable (estimated 2-3 times higher in offensive tracks). Good thing or bad thing?
  • Vendor Check: Spoke to a few vendors (none were memorable). I’m tired of VC-backed slop. Aren’t you?
  • Swag: Nice to get another set of Jane Street playing cards I’ll use in about a decade.
  • Recruiting: Spoke to a recruiting agency to gauge the job market landscape, providing details on my security and compliance experience.
  • Lunch: Enjoyed a delicious turkey brie sandwich.

This post is licensed under CC BY 4.0 by the author.