Horaire des conférences

The whole Microsoft cloud offering, including Azure AD and Microsoft 365, is based on the use of OAuth bearer tokens. The purpose of the token is simple: it proves the identity and the access rights of its bearer.

This workshop is a hands-on deep-dive to technical details of Azure AD’s implementation of OAuth standard. We’ll cover the JWT standard, different token types (access, identity, and refresh) and various ways of obtaining them, peculiarities of Family of Client Id (FOCI) tokens, and of course, different attack scenarios.

Attendees will learn the technical details of Azure AD OAuth implementation, helping them to secure their environments better and detect abuse of tokens.

L'objectif principal est de montrer que la recherche de vulnérabilités dans les modules de kernel Windows est à la portée de toute personne enthousiaste équipée d'un laptop capable d'exécuter deux machines virtuelles.

De plus, l'atelier cherche a démontrer que certains modules de kernel Windows, pourtant dûment signés numériquement, peuvent présenter des vulnérabilités relativement facile à trouver .

L'atelier couvrira les points suivants:

• Configuration du débogage réseau sur la machine virtuelle cible
• Configuration de WinDBG preview sur la machine virtuelle assignée comme débogeur.
• Analyse statique d'un module de kernel Windows avec Ghidra
• Analyse dynamique avec Windbg dans un but de recherche de vulnérabilités.

An introduction to Capture-The-Flag (CTF) with easy challenges and tips on how to approach them.

The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions. First, by introducing participants to the basic concepts. Then, by helping them prepare for the upcoming NorthSec CTF, and, finally, evolve in their practice of applied cybersecurity.

We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.

This is meant to be for CTF first-timers. Seasoned players should play NorthSec's official CTF.

Requirements * a laptop * a programming language of choice (it's usually Python) * wireshark * a web assessment security tool (Burp, ZAP, mitmproxy) * a disassembler / decompiler (Radare2, Binary Ninja, IDA Pro)

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with a tool I developed called cryptosploit. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

As Defenders it is easy to view attacker behavior through a Technique lens, but this perspective often causes us to forget about the diversity of implementation, morphology, that exists within a Technique. This often leads to detection rules that are more narrowly focused on specific tools instead of on the underlying behavior(s) themselves. MITRE ATT&CK provides a schema for evaluating inter-technique differences between tools, such as the differences between Kerberoasting and DCSync, but we currently do not have an industry-wide model for evaluating intra-technique differences, such as the how two tools performing LSASS Dumping might differ in approach and thus lead to evasion opportunities.

In this workshop, attendees will be presented with various tools that implement the same Technique, but use different approaches, or Procedures, to do so. We will then walk participants through the process of analyzing these tools to understand exactly where and by how much they differ. Participants will then learn how to model different Procedures to evaluate their similarity and determine the optimal events or logs to serve as a foundation for building resilient detection rules.

Go is becoming more and more prevalent in offensive security tooling. And while the analysis of most programs can be approached using the same methods, binaries generated by this language are different enough from what compilers generally produce that they require developing a special skillset.

Short, unscientific surveys conducted in my professional circle indicate that Go is reverse-engineers’ most dreaded language. It doesn’t have to be this way. In this workshop, I would like to share the knowledge I have built up reverse-engineering Go malware as well as the methodology I follow during my day-to-day work and useful disassembler plugins.

In March 2022, a new buzz called Bumblebee appeared in the eCrime scene. This loader is built to execute tasks from its command-and-control (C2), and deliver payloads such as CobaltStrike. But its development doesn’t stop there. In the span of less than a year, Bumblebee has been through several incremental updates, to such an extent, that this malware may be one of the most actively maintained malware families out there.

This presentation aims to get a sense of the operator’s development process behind Bumbleebee – how it changes and adapts in response to current endpoint defense efforts– and how its techniques compare to other botnet families.

This presentation will touch on the following areas of the malware: 1. A brief overview of Bumblebee's execution on a system - the importance of its loader, how it executes, communicates with the C2 and the role of the hook module. 2. A chronological view of the development cycle of the malware showing features introduced in response to public reporting, testing new code implementations and refactoring. 3. Comparing Bumblebee’s choice of techniques to that of other known botnet families - the overlaps seen and assessing each techniques’ pros and cons.

This presentation will examine the security exposures in GitHub Actions and GitHub Codespaces, two popular features of the widely used code-hosting platform GitHub. In 2019, GitHub released its own CI tool called GitHub Actions (GHA). GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. In addition, GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based IDE (Integrated Developer Environments) allows developers and organizations to customize projects via configuring dev-container files, easing earlier pain points in project development.

The talk will explore how attackers can abuse these cloud services to achieve their malicious goals, either for crypto mining, delivering malware, or using it to attack other targets inside or outside Azure. The audience will learn about real-world exploitation scenarios from cybercriminals and proof of concepts from our threat modeling analysis and be provided with practical tips to detect, avoid or prevent attacks and secure their codebases and pipelines. The presentation aims to raise awareness of the potential abuses associated with attackers using GitHub Actions and Codespaces and to encourage best practices in protecting your software supply chain platform.

Windows Hello for Business is a passwordless authentication feature that uses a combination of device identity and biometrics or PIN to authenticate to Windows and (Azure) Active Directory. It is advertised as a strong multi-factor authentication method with hardware protected keys. In this talk we will dive into the internal workings of Windows Hello in Azure AD and hybrid scenarios. We will look into the protection of keys, the usage of hardware protection, the provisioning and storage of those keys and how attackers could interact with them. During the research into the protocols and externals, various vulnerabilities were discovered that could allow attackers to abuse Windows Hello to persist access to accounts, move laterally between identities and bypass Multi Factor Authentication. Vulnerabilities were also discovered that enable attackers to bypass the hardware protection of secrets which allow the Windows Hello credentials to be used on different devices than they were provisioned on. The talk will show why these flaws were present, how they could be abused and provide tools to interact with Windows Hello and Azure AD.

So-called “Supply Chain” attacks are all over the news as several high profile breaches highlight CI/CD pipelines as a prime target. While AppSec focuses on writing secure code (SAST), managing risks from Open Source dependencies (SCA) and more generally finding vulnerabilities in apps and APIs, a large attack surface is often overlooked. The supply chain links the developer’s laptop, via the SCM, through CI/CD and finally the running application in production.

We’ve all heard about the SolarWinds breach, but what can be done to prevent such an attack? In this talk, we dive behind the scenes of similar attacks through the lens of SLSA (Supply chain Levels for Software Artifacts), a threat model designed to tackle these emergent threats.

Most importantly, we will discuss new technologies and approaches that are available today (or are under active development) to address these threats.

This talk is going to cover some of the techniques used to successfully deploy your code or agent during a red team engagement without getting detected by EDR solutions. I will be presenting some of my techniques and tricks that successfully defeated the detection in place which include modern EDRs.

We’ve heard for years about the looming quantum threat: how a sufficiently powerful quantum computer could break the cryptography we use today. Many things happened during the last year forcing us to pay close attention to the situation: NIST selected their first post-quantum cryptography (PQC) algorithms for standardization, some government agencies have set rapid transition goals, industry groups started to discuss PQC integration. Will you be ready for the post-quantum transition?

In this talk, I’ll cover the emerging PQC algorithms (paying close attention to the lattice-based Kyber), give an intuitive overview of how they work, and explain how they integrate into TLS, SSH, X.509, etc. I’ll present open-source tools that can be used to prepare for the PQC migrations, to create a migration plan and to start experimenting with PQC.

gRPC/gRPC-web even as a newer protocol can offer a greater attack surface than regular HTTP1.1 REST through applicative services misconfigurations. During this talk, we will enumerate the new attack vectors through misconfigurations such as HTTP2 downgrade allowing request smuggling, disabling reflection. We want to present an entire code configuration for a secure generic gRPC service leveraging an automatically generated Kubernetes authentication service with an interceptor to an authorization engine to simplify complex delegation of access with open source Ory engines. Finally in-depth applicative problems with currency, math and conversions to watch out for.

One of the characteristics of system security is that attackers do not need any special and/or expensive tools to perform the most powerful attacks. Brute force authentication attacks on Remote Desktop Protocol (RDP) can be automated and shared between malicious actors. However, when a human or an organization behind an automated attack shows more motivation, the danger increases as it is no longer an opportunistic “spraying and praying” strategy but rather a strategy that is closer to a targeted attack.

The objective of this study is to measure the level of human engagement behind the attacks targeting Remote Desktop Protocol (RDP). To do so, we launched high-interaction honeypots on the Internet. We collected and analyzed over 3.4 million connections attempts that supplied hashed credentials over a period of 3 months. With over 95% success rate in cracking these hashes, our team was able to identify different attack strategies.

The indicators of human intervention in the attacks will be presented and includes (1) the number of attacks; (2) the use of credential leak lists; (3) the constant presence of the machine over the observation period; and (4) the use of several attacks per second. The indicators of machine-like behavior will also be presented and includes (1) presence of pause before launching an attack; (2) the attack is customized for its target; (3) slowing down of attack rhythm by imposing a delay between attempt login. A score of engagement is given based on those indicators to visualized the level of human engagement behind attacks. Then, a Pearson correlation coefficient was computed to assess the linear relationship between automated attacks and the other variables associated with human and machine behaviors.

Showing the series of actions conducted on exposed RDP systems gives us an eye-opening understanding of threat actors’ strategies. Characterizing attackers allows us to get closer to revealing their identity. This will hopefully contribute to give them cold feet as they will have to change their practices. The ultimate objective of our work is to increase the cost of attackers and knowing who they are and how they proceed is one step further in this direction.

"Surely we can make a detection for when the whoami command is executed, right? Nobody ever runs whoami but threat actors." - Someone with no experience in detection engineering

In this talk, we'll discuss how we addressed the dilemma between detection coverage and alert fatigue in a SOC by correlating minor or noisy detection logics. We'll go through our journey to build a custom platform that leverages the concept of indicators. We'll share the toolset and some implementation details and show how we use it to monitor tens of thousands of endpoints. It has become one of our main tools for threat hunting and is used by our SOC analysts to assist them in their investigations.

Can you believe that NorthSec already has 11 years? In this guest-filled session, we will take a look back at these 11 years and highlight NorthSec's rich history.

The SAP landscape is complex and highly customized, with numerous systems such as SAP HANA, SAP Solman, SAP Cloud Connector, and SAP ME. Many companies use cloud solutions provided by SAP, such as Cloud SAP HANA and SAP BTP. Those can exchange data with on-premise solutions. The vulnerabilities or misconfigurations in any of these systems can potentially lead to a compromisation of the entire landscape.

In this research, we will discuss the various combinations of security issues and misconfigurations that we discovered last year, which can be exploited by remote attackers or insider users to fully compromise the SAP landscape, both on-premises and in the cloud. We will examine how vulnerabilities and misconfigurations in areas such as password storage and access controls can be exploited to gain unauthorized access to systems and sensitive data. By understanding these vulnerabilities and misconfigurations, companies can take action to improve their security and protect against successful attacks on their SAP landscape.

We've often had the opportunity to hear about bug hunting & bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build them, but less often do we hear from the folks who work on those programs as their main focus.

In this talk we'll explore the ins and outs of GitHub's Bug Bounty program, along with advice for those working in or building BB/VDP programs, or submitting bounty reports. GitHub was an early adopter of bug bounties, with our program dating back to January 2014. Since then, the program has been recognized as a leading bug bounty program consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve paid out over $3,500,000 USD in bounties to date.

I'll cover: - GitHub's Bug Bounty program, including payouts and key milestones - How GitHub handles report triage & severity assignment - How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze reports - Operational considerations of working with both a SaaS & on-prem product - Report/vulnerability disclosure - Bug bounty triage as a job & career stepping stone - Tips for researchers and bounty staff

Attendees will walk away having a better understanding of how GitHub's Bug Bounty team and program has grown over the past 8 years, the nuances and challenges that triagers/engineers face working with bounty reports, and also how to improve their ROI when working on/with programs.

Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well. * How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed? * How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?

In this talk, we will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. We will explore how this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments. We will also discuss the importance of being in control of your detection systems, and how detection-as-code can help you maintain control, quality and ensure proper documentation. By adopting a detection-as-code approach, teams can improve the effectiveness, quality and efficiency of their detection systems and gain the confidence that comes from knowing that their detections and mitigations work as intended.

We will show how we have built a robust and flexible development and deployment process using Azure DevOps, Microsoft Sentinel, the Microsoft Defender suite, Azure Logic-Apps and Functions. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner. We will also show how these tools integrate with each other to provide a single source of truth for our detection logic, and how they can be used to automate various aspects of the development and deployment process. Overall, our approach allows us to build and maintain a highly effective and scalable detection system that is well-suited to the needs of any enterprise or service provider.

The onus of data security and privacy till now has always been dumped on consumers - they have to navigate myriads of privacy policies and "Yes, I consent" clicks. Apps keep on leaking data, but hardly are the apps themselves questioned! Some laws (GDPR/CCPA) do outline what data can be collected and how it is supposed to be processed in the software - but this seldom creates actionable engineering directives that developers need to follow to build privacy respecting apps. We always see the privacy protection function from the lens of data collected and stored in DBs. What if we actually dug deeper and started looking not just at what data is collected, but at the exact lines of code responsible for collection and generation of data itself? Imagine a world where privacy is baked in the app itself and is not an afterthought. This talk explores how we can leverage static analysis techniques to find and fix privacy bug, early on in the game - before they ever manifest.

Ransomware has changed and adapted over time to survive. Unfortunately, this evolution has led to a grim reality. From a defender's perspective, the sheer number of new strains coming out regularly makes it impossible to defend their infrastructure against every new threat. For attackers, technological advancement created a playground filled with criminal opportunities waiting to be exploited. Game theory perspective is a way to analyze conflicting parties' behaviours to see how each will behave towards their endgames. Zero-sum games are when a player's win causes a direct loss to the other; ransomware is a good example. Traditional game theory research focuses on one attacker vs. one defender during a game. However, this is not the reality defenders face daily. Defenders must defend themselves against multiple attacks during multiple games simultaneously. This means it is far easier for attackers to win than defenders in a zero-sum game. So how can the odds be balanced out? The answer might be reducing the asymmetric information gap between the two parties. This research aims to find the recurring techniques and tactics used over time. Even though ransomware is constantly evolving, specific aspects should remain the same or at least this is what I will find out. I studied over eighty ransomwares over five years (2017-2022). This presentation will cover the evolution of the TTPs over the set period, the stable behaviours and present the observations from the findings.

Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. The underlying goal is to increase the efficiency of the testing workflow (in terms of both capabilities and speed). I presented a similar talk in 2013, but the tool and its ecosystem changed significantly since then.

Among the topics to be covered: - Improved usage the Burp Suite GUI, from modifying default settings to increasing the speed of interaction (including hotkeys) - Automation of recurrent tasks, mainly the transparent management of sessions (via both cookies and headers like JWT) and CSRF tokens - Essential extensions like Hackvertor, Piper and Burp Bounty - Efficiently find authorization bugs, on both APIs and web apps - Niche knowledge about Collaborator (correlation) and Intruder (placeholders in wordlists) - Poor-man automation pipeline, from a list of domains to findings - Evergreen pieces of advice (on performances and live monitoring) - How to stay up to date (a list of relevant online resources)

The talk includes self-hosted demos illustrating its most critical points.

An important part of red teaming is developing custom payloads, since using anything public without in-depth customization will get your operation burned in a second. After spending countless hours crafting those precious master pieces, one of the main priorities of the red team and threat actors is to protect them from prying eyes (SOC analysts, forensic investigators or security researchers)

This talk will go over established techniques used to prevent analysis. In addition, three anti-copy techniques used by OKIOK’s red team in real engagement will be covered with proof-of-concept releases and detection opportunities. These techniques propose new ways of circumventing the weaknesses of the established ones.

Asylum Ambuscade is a threat group that came under research scrutiny after it targeted European government personnel in late February 2022, just after the beginning of the Russia-Ukraine war. During the intervening months, dozens of different threat actors have been caught by the security community attacking Ukrainian institutions and their allies. So what makes Asylum Ambuscade different from the others?

First, our investigation reveals that the group is engaged in both espionage and crimeware-related activities. Since March 2022, it has been spying on European diplomats, probably in order to steal confidential information related to the Russia-Ukraine war. At the same time, it has been compromising bank customers and cryptocurrency traders all around the world, including Canada and the United States. We noticed that the group is particularly interested in accessing cryptocurrency wallets stored on common coin exchanges.

Second, since the beginning of the war, not only did Asylum Ambuscade target Ukrainian institutions and their allies, but also individuals and local officials in Russia. Note that we believe that some members of the group are Russian speakers.

Third, the group goes after high-value espionage targets using a custom crimeware-like toolkit. This is very different from other groups operating in the same region such as the Dukes, Sandworm, or Turla, which run only cyberespionage campaigns.

In this presentation, we will describe the whole compromise chain, allowing us to link the group to past crimeware activities from 2020. We will also present an overview of the victimology and the TTPs of the group. Finally, we will discuss why a crimeware group could be engaged in espionage activities.

We're always seeing vulnerability reports in the news, but how much do you know about finding and reporting these bugs? In this talk, we're going to look at a series of critical security vulnerabilities in an RPC service developed for mainframes, ported to modern operating systems, and used by most large companies. We'll cover the full process:

• How we prepare the application for analysis
• How we reverse engineer implement the binary protocol
• How the RPC service authenticates users, processes messages, and starts other services
• How we can bypass user authentication
• How we found / exploited a variety of vulnerabilities in the services (including making Metasploit modules)
• How we reported all this to the vendor, and how we coordinated disclosure

Basically, this will be an end-to-end vulnerability research bonanza!

Ce talk a pour but d’expliquer comment fonctionne la segmentation réseau chez les grands acteurs d’internet. Nous ferons un focus sur la technologie VxLan qui a remplacé les Vlan dans les datencenters qui hébergent nos données. Nous ferons le point sur les surfaces d'attaques de ces « réseaux overlay », les faiblesses intrinsèques aux protocoles, les vulnérabilités exploitées ou restant à exploiter. On pourra sans doute observer que, chose étonnante, les bonnes vieilles recettes marchent encore et que des 0Days utilisent des concepts simplistes ! Nous présenterons les architectures réseau overlay des grands opérateurs puis nous utiliserons la bibliothèse SCAPY afin de forger des trames réseaux en mettre à l'épreuve les infrastructures cible.

This is the story of three organizations: EvilKittens (a criminal group), YOLO Corp (a new company that don't have any security staff) and CoolSec (a company that goes above security compliance). We will see how two corporations fret against EvilCats during various attack scenarios that all involve passwords.

Magicians are the most versed at lying and deceptions and pentesters can learn from these years of experience at lying, cheating and misdirection. Suggestion is the original exploit (CVE-000-0001) and, by the end of this talk, attendees should be more comfortable planning and engaging in social engineering.

This 30 minute talk will present key SE concepts, such as suggestion, exploiting cognitive biases, double talk, framing, creating trust and the anatomy of a lie (what works, what doesn't, why less is more), while focusing on practical tips for phishing, social phone engineering and physical intrusion.

Mobile phones have become ubiquitous in our daily lives. They are in many cases the devices we spend the most time on, and the devices that keep us connected to our friends, loved ones and colleagues. While useful in many ways, mobile phones pose a significant threat to offenders. Indeed, mobile phones monitor location through GPS and can have spyware installed to monitor written, audio and video communications. For law enforcement, mobile phones represent a treasure throve of information that can lead to arrests and convictions. In response to this threat, offenders have adopted shadow phones also known as ghost phones, encrypted phones or PGP phones. These come in a variety of ways, and offer in most cases a hardware package stripped of microphones, cameras and GPS chips to prevent any kind of spying. They also come with encrypted messaging services, and many security features such as remote wipes based on time delays, secret PINs or remote triggers. Canada appears to be a central player in the underground economy for shadow phones as some of the main distributors of these phones have been living (and arrested) in Canada. The aim of this presentation is first to survey the current state of the art on shadow phones. We reviewed court decisions, news reports and scientific articles on shadow phones, and researched companies that are currently advertising shadow phones for sales. Through this survey, we aim to present how the latest technologies are being used to protect offenders, and how law enforcement has attacked these encrypted communication services in the past. An important part of the services is the software that comes installed on the phones. The lessons learned here are extremely valuable for all communication services that are trying to offer end to end encryption, and a higher level of privacy to their users. The second part of this presentation is an analysis of interviews that we have conducted with various actors involved in the prosecution and defense of offenders who use shadow phones. We present their perception of the effectiveness of these phones, and the challenges that they pose for the judicial system. There are here again many lessons to be learned about how the judicial system can handle emerging technologies, encryption, and the targeting of offenders both online and offline who use encryption.

This study explores the application of machine learning (ML) for detecting security vulnerabilities in source code. The research aims to assist organizations with large application portfolios and limited security testing capabilities in prioritizing security activities. ML-based approaches offer benefits such as increased confidence scores, false positives and negatives tuning, and automated feedback.

The initial approach using natural language processing techniques to extract features achieved 86% accuracy during the training phase but suffered from overfitting and performed poorly on unseen datasets during testing. To address these issues, the study proposes using the abstract syntax tree (AST) for Java and C++ codebases to capture code semantics and structure and generate path-context representations for each function.

The Code2Vec model architecture is used to learn distributed representations of source code snippets for training a machine learning classifier for vulnerability prediction. The study evaluates the performance of the proposed methodology using two datasets and compares the results with existing approaches. The Devign dataset yielded 60% accuracy in predicting vulnerable code snippets and helped resist overfitting, while the Juliet Test Suite predicted specific vulnerabilities such as OS-Command Injection, Cryptographic, and Cross-Site Scripting vulnerabilities. The Code2Vec model achieved 75% accuracy and 98% recall rate in predicting OS-Command Injection vulnerabilities.

The study concludes that even partial AST representations of source code can be useful for vulnerability prediction. The approach has potential for automated intelligent analysis on source code, including vulnerability prediction on unseen source code. State-of-the-art models using natural language processing techniques and CNN models with ensemble modelling techniques did not generalize well on unseen data and faced overfitting issues. However, predicting vulnerabilities in source code using machine learning poses challenges such as high dimensionality and complexity of source code, imbalanced datasets, and identifying specific types of vulnerabilities. Future work will address these challenges and expand the scope of the research.

In their first Patch Tuesday of January 2020, Microsoft patched CVE-2020-0601, aka CurveBall, a flaw in their root CA trust store that allowed anybody to forge certificates that would be recognized as trusted by Windows 10 and Windows Server 2016/2019. The flaw was first discovered by the NSA and patched without fully disclosing its details. Back then, we "reversed" it and released a POC within 48 hours of its non-disclosure. We'll see how.

More recently, a second flaw,CVE-2022-34689, was disclosed by the NSA in Windows CryptoAPI. It was patched in August 2022, but was only publicly announced in the October 2022 Patch Tuesday.

In this talk we will discover how to leverage such cryptographic flaws in order to create trusted, signed binaries or how they enable us to perform MITM attacks against unpatched Windows machines and servers! We will also address how one can defend against these and why non-disclosure is not a great idea, especially for cryptographic flaws.