Conférenciers

In a world where MFA is enabled on every portal and everything is a web application, red teamers can access cookies and cached information from your browser to gain access to everything without knowing a simple password or having access to your MFA.

Let us embark you on a journey through the OT Threat Landscape. We will start our voyage by looking at what the global threat landscape looks like today, with a focus on Canadian (and Quebecois) events of note. We will then explore how these landscapes have evolved and the earthquakes that shaped them in recent months and years. We will wrap-up by covering some intelligence-informed takeaways and recommendations on how to weather the incoming rogue waves of the OT ocean.

As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.

Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!

The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…

Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.

Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.

As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.

Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!

The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…

Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.

Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.

Apprenez à réaliser des tests d'intrusion de manière sécurisée, professionnelle et efficace avec Exegol. Prenez une longeur d'avance en suivant ce training qui se concentrera sur la manière dont les professionnels peuvent facilement configurer et utiliser leur environnement de test d'intrusion, basé sur Docker, en quelques minutes, sans difficulté. L'époque des tests d'intrusion non professionnels, non sécurisés et laborieux est révolue.

Apprenez à réaliser des tests d'intrusion de manière sécurisée, professionnelle et efficace avec Exegol. Prenez une longeur d'avance en suivant ce training qui se concentrera sur la manière dont les professionnels peuvent facilement configurer et utiliser leur environnement de test d'intrusion, basé sur Docker, en quelques minutes, sans difficulté. L'époque des tests d'intrusion non professionnels, non sécurisés et laborieux est révolue.

The objective of the workshop is to learn how to use some powerful but intimidating tools while reverse engineering IOT devices: Angr, Unicorn and Qiling.

The workshop aim to show common use cases for each of these tools and also their limits.

To that end, the workshop will propose the following exercices:

• Decipher XOR encrypted strings with Angr
• Automated buffer overflow exploitation with Angr
• Emulation of arbitrary function or code blocks with Unicorn
• Binary emulation with Qiling
• Complete device emulation after firmware extraction with Renode

This is an introduction to crypto: building blocks, protocols and attacks on them. We cover: encoding vs encryption, hashes, ‘classic’ crypto, stream ciphers, block ciphers, symmetric crypto, asymmetric crypto, has attacks, classic crypto attacks, stream cipher attack, block cipher attack models, ECB attacks, crypto protocols, digital signatures, message authentication code, nonces, simple authentication, challenge response, simple authentication attacks (key collisions, key extraction and extension, replay, valet, bad counter resync), MAC attacks, digital signature attacks, pubkey substitution, challenge response attacks (middleperson attack, UDS style seed-key predictions), WPA2 password cracking, WPA2 key reinstallation, WPA2 key nulling, TLS/SSL middleperson attacks, SWEET32, DROWN, logjam, POODLE, UDS seed-key exchange attacks (reverse key algorithm, lift key algorithm, solve for unknowns, retry-retry-retry, brute force, glitch past).

Tools covered include: rumkin.com, hashcat, john the ripper, binwalk, radare2, binvis.io, Veles, airocrack-ng, mitmproxy, MITMf.

The workshop is a ‘101’ level: geared for people good at computers but maybe no knowledge of cryptography. There will be minimal math (I promise). We’ll talk mostly about how to break bad crypto and bad crypto algorithms with 10-15min hands-on sessions integrated into 4 hours of workshop: Decrypt ‘Crypto’, Break Hashes, Break Crypto, Visualize Crypto.

We will explore three applications of the building blocks and attacks also. Towards the end we tie-in the building blocks and attacks into how the following crypto protocols get broken: WPA2, TLS and UDS Seed-Key exchange (from automotive). Please join us for an intro-level exploration of cryptography building blocks, protocols and how to attack them. And, as always, crypto means cryptography.

Our training provides an intuitive introduction to machine learning for security professionals with no prior knowledge of mathematics or ML. In the ML4SEC section attendees will gain hands-on experience building MLpowered defensive and offensive security tools using popular libraries like Tensorflow, Keras, Pytorch, and sklearn. We’ll cover the entire ML pipeline, from pre-processing data to building, training, evaluating, and predicting with ML models. In the SEC4ML section we’ll address vulnerabilities in state-of-the-art machine learning methodologies, including adversarial learning, model stealing, data poisoning, and model inference. Participants will work with vulnerable ML applications to gain a thorough understanding of these vulnerabilities and learn possible mitigation strategies. Our training provides practical knowledge that security professionals can apply in their work

Are you a seasoned reverse engineer, but you tremble when a Rust binary lands on your desk? When you encounter a Rust binary, do you just run strings on it and hope for the best?

We will take a single problem - string recovery from a Rust binary - and uses it as an approachable starting point for exploring reversing Rust binaries. We will cover:

• What are the practical steps we need to take to recover strings? How are strings represented in memory, passed between functions, and manipulated throughout the program?

• Once we recover the strings, what do the strings mean? What can the strings we recover tell us about the compiler, language runtime, standard library, and third-party libraries in the binary?

This workshop is intended for reverse engineers and malware analysts who are familiar with reversing C or C++ binaries, but who are unfamiliar with the Rust programming language.

Ansible WorX (AWX), la version libre de Ansible Tower, sert à gérer des serveurs à distance de façon centralisée. L’application permet de simplifier la gestion des serveurs en s’appuyant sur la puissance de Ansible et en ajoutant des fonctionnalités de gestion d’inventaire et d'autorisations. Cependant, qui dit centralisation, dit souvent unique point de rupture.

Pour les attaquants, AWX est une cible de choix. Si des accès à la plateforme sont compromis, il est primordial de savoir l’auditer. Il serait facile de causer des incidents et des pertes de service, et c’est à éviter à tout prix. Ceci-dit la récompense de l’utilisation des accès obtenus se compte souvent en dizaines de serveurs compromis. Il s’agit donc d’ un impact majeur pour une organisation.

Dans cet atelier, vous apprendrez les différents concepts reliés à AWX et Ansible. Vous apprendrez également à utiliser des accès à AWX dans l’objectif de compromettre les serveurs gérés par la plateforme. Divers scénarios et méthodes seront abordés pour être prêt à toutes éventualités.

Dans le but d’un atelier le plus fluide possible, s’il-vous-plaît, pré-installez AWX CLI.

Ansible WorX (AWX), la version libre de Ansible Tower, sert à gérer des serveurs à distance de façon centralisée. L’application permet de simplifier la gestion des serveurs en s’appuyant sur la puissance de Ansible et en ajoutant des fonctionnalités de gestion d’inventaire et d'autorisations. Cependant, qui dit centralisation, dit souvent unique point de rupture.

Pour les attaquants, AWX est une cible de choix. Si des accès à la plateforme sont compromis, il est primordial de savoir l’auditer. Il serait facile de causer des incidents et des pertes de service, et c’est à éviter à tout prix. Ceci-dit la récompense de l’utilisation des accès obtenus se compte souvent en dizaines de serveurs compromis. Il s’agit donc d’ un impact majeur pour une organisation.

Dans cet atelier, vous apprendrez les différents concepts reliés à AWX et Ansible. Vous apprendrez également à utiliser des accès à AWX dans l’objectif de compromettre les serveurs gérés par la plateforme. Divers scénarios et méthodes seront abordés pour être prêt à toutes éventualités.

Dans le but d’un atelier le plus fluide possible, s’il-vous-plaît, pré-installez AWX CLI.

The workshop, Actionable Security, is centered around the tips, tools and skills required to get security issues identified and addressed in a company. We will cover ways to do threat models (using real examples), how to communicate risk and how to get the findings addressed via clear communication and prioritization through engaging exercises. A lot of these skills are talked about and written in books but there are little to no workshops focussing on building skills required to get security issues actioned within a large organization. This workshop is designed to make that skillset practical and easy to acquire for all the professionals who are starting their journey as a security engineer.

A few helpful notes from over a decade of reverse engineering malware and documenting the process along the way! By the end of this, you will be able to unpack most malware with a single breakpoint... maybe?

Nim has become the language of choice for a number of libraries and tools used by red-teamers and pentesters. Much like with Mimikatz and Cobalt Strike before, malicious actors have started putting some of the same tooling to their nefarious purposes . One such example is Mustang Panda, a China-aligned APT that started using Nim to create custom loaders for their Korplug backdoor. For attackers, using a less common language also has benefits when it comes to evading defenses and hindering analysts’ work; we have seen the same thing with the growth of malware written in Go and Rust. In this presentation, we will go over some of the specific challenges associated with analyzing Nim malware. We will then present tips and tools to help mitigate these difficulties. This will include the presentation of Nimfilt, our analysis script for IDA Pro that we will release shortly before the conference. Finally, we will demonstrate the use of Nimfilt and other publicly available tools on real malware samples .

Did you know that ransomware groups are actually generous? They're so generous, in fact, that after putting all their time and effort into writing an exploit, they just share it with the internet for free! At GreyNoise, we've made it our mission to detect and categorize all traffic blasted onto the internet, which includes old exploits for old vulnerabilities, new exploits for new vulnerabilities, and everything in between. We'll show you what happens when an experienced exploit developer kicks back and lets others do the hard work - by building and deploying honeypots for emergent threats, we can spend our time analyzing what the baddies are up to, which vulnerabilities are actually being exploited, and who's being naughty. This talk will include real-world exploitation examples, including examples of exploits that would go on to join the Known Exploited Vulnerabilities (KEV) list. We'll Armed with that information, security teams can use their limited resources much more efficiently by prioritizing the vulnerabilities that are under attack!

LLMs are the hot new thing, and are exciting enough to even have their own OWASP Top 10 as of 2023! But are these vulnerabilities really any different from what we already see in more traditional web applications?

In this talk, Logan will explore the different vulnerability families from the new OWASP Top 10 for LLM Applications, discuss the different scenarios represented therein with a focus on real-world exploitation scenarios, and outline how they parallel the vulnerabilities that we've all grown to love and pwn over the years.

Attendees should leave this talk with a more complete understanding of the vulnerabilities manifesting in LLM applications, how these vulnerabilities can directly affect end users, and scenarios to be conscious of when developing for, or around, LLM applications.

Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries. We will talk about api security, access control and nfc among other things.

This talk, centered around curiosity and its transformative power, reflects my personal exploration into uncharted territories, an area that few people are familiar with. Surprisingly, I had no prior experience with hardware hacking; everything I've learned so far, starting from scratch, thanks to countless YouTube tutorials and extensive PDF books.

I'm excited to share my discoveries and experiences thus far, highlighting the potential that curiosity holds in reshaping one's path. This talk aims to provide you with the fundamentals of protocols, types of devices, and the equipment needed to start. Additionally, I will guide you on how to undertake your first hardware hacking project on a connected device. Are you up for joining me on this adventure?

This talk examines the rise of crowdsourced DDoS attacks amid geopolitical events, focusing on the Russia-Ukraine and Israel-Hamas conflicts. Once the domain of well-resourced actors, large-scale attacks now involve networks of novices using open-source tools, provided there are enough individuals sympathetic to a particular political ideology or cause. To incentivize participation, hacktivists employ leaderboards, cryptocurrency rewards, and gamified ranking systems based on contributions to DDoS attacks. This transforms disruptive criminal attacks against services into a competitive and commoditized activity.

Does attribution of cyber operations actually matter? It depends on who’s asking. Using real world APT examples from threats attributed to Iran, Turkey, North Korea and Russia, we’ll demonstrate what details go into attribution work from the perspective of email security vendor, why attribution can be useful for defenders and how Blue Teams can use it to better inform threat modeling and risk. We'll define attribution, compare the concepts of attribution and Attribution, discuss how softer attribution should be paired with harder, more technical attribution and then close by discussing potential pitfalls we’ve seen with attribution working for the government, private corporations and at a security vendor.

In 2014, we published a paper about Operation Windigo, where we described a cluster of server-side threats fuelled by Ebury, a backdoor and credential stealer injected into the OpenSSH server and client of compromised servers. That report shed light on web traffic redirections, delivery of Windows malware, and spam campaigns, all using Ebury-compromised servers.

After the arrest and extradition of one of the perpetrators in 2015, some of the monetization activities temporarily stopped, but not all of the botnet’s activities. Ebury continued to be updated and deployed to tens of thousands of servers each year, to reach a cumulative total of nearly 400,000 victims since 2009, the first year Ebury was seen. Moreover, we have discovered its operators have added more tools to their arsenal, such as Apache modules to exfiltrate HTTP requests or proxy traffic, Linux kernel modules to perform traffic redirections, and modified Netfilter tools to inject and hide firewall rules.

For this investigation we set up honeypots to collect Ebury samples and understand deployment tactics, and partnered with law enforcement. This gave us unique visibility into the perpetrators’ activities, which expanded to include cryptocurrency theft and possibly exfiltration of credit card details. We now have a better understanding of how they expand their botnet not only by stealing credentials, but also by actively trying to compromise the hosting provider’s infrastructure to deploy malware on all of the providers’ customer-rented servers. In some cases, this resulted in the compromise of tens of thousands of servers, hosting millions of domains.

The latest update to Ebury, versioned 1.8.2, was first seen in January 2024. In the past years, clever userland rootkit functionalities were added to Ebury, which make its detection a lot more difficult than before. From a system administrator’s perspective, not only is the malware file absent, but none of the resources it uses – such as processes, sockets, and mapped memory – are listed when inspecting the system.

This presentation not only reveals the latest toolset of the Ebury gang, but also discusses detection techniques to protect against some of the trickiest Linux threats. Some techniques are specific to Ebury, but most apply to the detection of any userland rootkit.

Debugging and testing an embedded application is always painful. A serial printf might not be enough, a high end JTAG with 1000+ pages of documentation might be too costly or complex.

Scrutiny Debugger is a new open source project that offers an alternative by enabling remote control of the memory through any communication channel (Serial, UDP, etc.). How does that work? A Python server continuously communicates with an embedded application that runs a small instrumentation library. Using the debugging symbols, extracted at compile time, the server exposes all the variables and memory structure to client applications through a websocket API. 2 clients are available: an Electron GUI and a Python SDK for programmatic interaction with the server.

Clients can read/write variables or raw memory. They can do graphs of variables; being continuous time logging or embedded graphs that triggers on a specific variable change, like an electronic scope does. Not the best for low-level driver development; but ideal for high-level embedded application.

The Python SDK is fully synchronized with the target device, meaning that a Python script can remotely run and behave like it was an internal thread inside the device; but with slow memory access time. That powerfully enables HIL (Hardware-in-the-loop) testing.

Many are aware of clout-chasing influencers on social media such. However, many have not considered this cultural phenomenon transcending into the professional world. From "thought leaders" on LinkedIn to law enforcement agencies on Twitter, it is not just Instagram models sharing content with the primary goal of getting more 'likes' and followers. In this presentation, Mr. Myler highlights examples of Infosec influencers providing guidance that, at best, distracts from prioritized risk-based cybersecurity.

Liam Neeson is coming for you. But how will he find you? Come to this talk to learn how the picture of a firetruck you took in front of your house and shared on Instagram two years ago will be the source of your demise.

In this talk, I will share how I developed this compulsive habit, in which I need to find where a picture was taken. We will cover how to perform open-source intelligence (OSINT) on publicly shared pictures and videos, which tools and techniques to use, accompanied with real step-by-step examples.

I believe that understanding how OSINT works is key to better protect ourselves online. I'm aiming to give you the tools and knowledge to be better cybersecurity professionals, and learn to be more careful and diligent online, all in a (hopefully) fun and engaging way.

Not convinced yet? This talk will also cover the following topics: metadata (d'oh!), physical keys (who doesn't like keys?), data in public registries, and conclude with Do's and Don'ts for everyone.

Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.

Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.

This presentation, informed by a collaborative research project led by CDEACF, the Alliance des Maisons 2e Étape and the Lab-2038, addresses the critical need for specialized digital privacy strategies in support of Intimate Partner Violence (IPV) victims. Rather than looking at what advices security experts can give to IPV victims, we investigate how user experience, security settings and data governance pratices can directly impact their digital and physical safety. Our research highlights how generic, one-size-fits-all threat modelling and security policies by providers, including internet service providers, can inadvertently burden IPV victims. The talk emphasizes the importance of developing nuanced, victim-centred digital security approaches that acknowledge the unique challenges faced by IPV victims. It advocates for a collaborative effort among service providers, technologists, and social welfare experts to create more sensitive and effective digital privacy solutions tailored to the needs of IPV victims.

In a mobile-first world, user registration using only a phone number has become pretty common, this phone number has become the primary method of authentication due to its convenience and speed. These systems may or may not verify other details about the user, such as their email address and typically rely on Single Sign-On (SSO) identity Providers.

This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities. We will touch upon how authentication and authorization bugs can originate from user registration and how this can lead to full account takeover, password stealing, and denial of service. The speaker will draw from their own experiences in identifying and addressing these vulnerabilities, providing valuable insights into this common issue.

Finally, the talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues from occurring.

Attendee Takeaways * Security engineers will gain valuable experience in identifying and addressing authentication bugs, helping them to improve their skills in this area. * Developers will be encouraged to think more broadly about potential edge cases and vulnerabilities in their applications, leading to stronger and more secure authentication and authorization controls.

There are various Machine Learning/BigData frameworks that have become quite popular in the past year due to the release of ChatGPT. This sudden popularity has caused that the scale for growth in parallel computing comes first and leaves aside the implementation of security mechanisms in some of the frameworks' components. In this talk I will go over the research process that I performed on one of these frameworks in an AWS install, showing how it started as two vulnerabilities in a web dashboard and quickly became privilege escalation in an AWS account.

For organizations using Microsoft Entra ID (formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.

Last fall, the team at Black Hills Information Security released a post exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner and future tools like it streamlines a number of activities that an adversary would perform after gaining access, making it simpler for anyone to use. While GraphRunner is a post exploitation toolkit, there are authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage.

As a defender, this presents a set of challenges. Less sophisticated adversaries have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions like the refreshing of tokens or other activities that a tool like GraphRunner provides.

This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but may not be as widely deployed. These additional data sets can provide defenders additional insight, detect suspicious activity and can serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner.

Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs. While we won’t be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders while using GraphRunner as a representative of the kinds of methods that adversaries might use.

Attendees will come away from this talk with: -A greater understanding of GraphRunner and its capabilities -Awareness of the logging available for the Graph API beyond the standard logging -Ideas around how detections and hunts can be designed to identify GraphRunner activity

Let's face it, responding to cyber incidents is full of challenges but managing the dreaded "war room" shouldn't have to be one of them. In this talk AJ Jarrett, Incident Response Director at DTCC and former firefighter will discuss how cybersecurity and IT teams can leverage the tactics and techniques used by first responders during disasters to bring cyber incident response to the next level.

This year marks the ten-year anniversary of Heartbleed’s discovery and public disclosure. Heartbleed was a severe flaw in the OpenSSL cryptographic library. It was publicly disclosed on April 7, 2014, initiating a long and arduous process of remediation for more than two thirds of all web servers on the internet. Anybody could potentially eavesdrop on communications, steal data or impersonate users for any vulnerable service or device, without leaving a trace. Described by some experts as “one of the most consequential vulnerability since the advent of the commercial internet”, Heartbleed abruptly unveiled the insecure and unsustainable foundations on which the internet infrastructure was built. How could so many major organizations (Google, Amazon, Facebook, financial and government institutions) depend on OpenSSL, a struggling free software project with one overworked full-time developer and $2,000 in yearly donations? How could they integrate its code without any proper security audit or reciprocal financial support? This presentation traces the historical roots of the OpenSSL project and its growing adoption, from the mid 1990s up to 2014. Based on original interviews with OpenSSL developers and security experts as well as extensive archival research, it portrays a nascent cryptographic library written “as a learning exercise” during the turmoil of the Crypto Wars of the 1990s. Finally, this presentation explores some of the long-lasting effects Heartbleed has had on the tech industry and free software community – effects that still resonate to this day, ten years later.

The talk will outline detection and threat hunting strategies that could be easily adopted by a mature SOC to look for threats in their Cloud (O365 and AWS) environment. I'll be introducing a Jupyter notebook containing detections mapped to the MITRE ATT&CK framework and threat hunting methodologies backed by unsupervised machine learning. We will take a look at huge datasets using visualizations to find anomalies. These anomalies would be converted into High-Fidelity Detection, along with some ideas to extend this hunt to IAM Platforms like OKTA

Malware development and evasion techniques are becoming more difficult each day. EDRs are implementing signature-based detection, behaviour-based detection, as well as entropy-based detection techniques. Shellcode is often encoded/encrypted which can cause payloads to have high entropy (randomness), therefore being detected and blocked by EDRs.

This presentation is the journey of a red teamer - improving their tools with simple techniques and learning about evasion and Windows internals along the way.

Through this talk, we will review the high-level theory behind evasion and present unique approaches to evasion techniques, including entropy reduction and shellcode callbacks. We will present a novel tool to reduce entropy via dictionary word shellcode encoding, and use Windows callback functions to launch our shellcode.

Furthermore, an overview of detecting these novel techniques will be discussed to help blue teamers in their jobs. Detection methods discussed include using YARA rules, ETW, and PE file memory scanners.

Participants will benefit from this talk in many ways. Red teamers can now immediately benefit from the tool, which is publicly released, along with C#/C++ Code samples. And Blue teamers can learn how to better detect these advanced techniques.

It is quite challenging to verify the origin of online content. In this era of disinformation exacerbated by ever-evolving AI tools, the creation of seemingly authentic fake accounts and content can be quite dangerous, with risks ranging from harming one’s reputation to damaging society as a whole. Fortunately, content provenance technologies are emerging to fight this problem. The Coalition for Content Provenance and Authenticity (C2PA) is the leading effort allowing creators to cryptographically sign their digital assets and record subsequent edits helping consumers to confirm their origin and authenticity while keeping an auditable history of the data transformations. It has been adopted by leading technology providers (Microsoft, Google, Meta), camera manufacturers (Sony, Nikon), image/video editors (Adobe), generative AI companies (OpenAI, Midjourney), and news organizations (BBC, CBC/Radio-Canada, New York Times). C2PA is also at the forefront of the fight against election disinformation, and was one of two technologies mentioned in the recent AI Elections accord signed at the Munich security conference. In this presentation, I’ll describe the C2PA use cases, specifications, and the lifecycle of a protected digital asset (such as images, videos, and audio clips) from their creation, to their modifications and validation. I’ll present open-source tools/SDKs that anyone can use to create and verify protected content or integrate this functionality in their applications and services. I’ll also present the Cross-Platform Origin of Content (XPOC) framework allowing content owners to create authoritative lists of their social media accounts and content, addressing a slightly different provenance problem. I’ll give a demonstration of the open-source tools allowing anyone to self-host and verify XPOC manifests.

API Documentation often gives the simplest most bare-bones examples to get something running. This runs into the old adage: Nothing is more permanent than a temporary solution. Come join me and walk through a particularly fun example of cloud API documentation showing you the wrong way.

Included will be a deep dive and demo of a vulnerability caused directly by this kind of mistake which maybe shows that Phreaking is alive and well in 2024.

In today's technology-driven landscape, the transition to digital transactions has eclipsed conventional face-to-face interactions, presenting novel challenges in ensuring transaction security. Users, perhaps inadvertently, heighten security risks by opening email attachments from phishing attempts, intensifying the complexities of online transaction security. Moreover, there exists the potential of voluntarily disclosing sensitive information, further adding intricacy to the digital transaction security landscape.

Compounding this issue, cyber attacks leverage customer data pilfered from compromised merchants. Victims find themselves coerced into divulging credit card details through a sophisticated, multi-step process. This research brings to light a new phishing campaign, unraveling the techniques, tactics, procedures (TTPs), and indicators of compromise (IoCs) employed by threat actors. These encompass the exploitation of the platform's chat function and the incorporation of transaction data to bolster the credibility of phishing pages.

The cyber attacks, though strikingly similar, employ urgent language and intimate knowledge of users' bookings, instilling credibility in deceitful messages. However, distinctive cues like odd URLs and typos serve as saviors for potential victims. Upon analysis, these campaigns redirect users to counterfeit sites that mirror legitimate e-commerce platforms. The craftiness of cyber criminals shines through identical HTML elements and scripts, meticulously validating data and even circumventing multi-factor authentication.

Further investigation unveils the tactics employed by cyber thieves: exploiting InfoStealer malware to breach hotel chat systems and amass valuable customer data, escalating their targeted attacks. Open-source intelligence tools reveal a broader scope, a twin campaign where attackers impersonating various platforms, not limited to travel sites but also other e-commerce platforms, since 2021. Domain fronting is also consistently employed to conceal their tracks along with some other TTPs.

The research culminates in insights and recommendations to enhance the security of all parties involved. By implementing these suggestions, it is hoped that both platforms and merchant-customers can fortify their resilience, mitigating potential risks in the dynamic digital landscape.