Sessions 2025

Stolen Laptops - A brief overview of modern physical access attacks

Laptops have become ubiquitous in modern times. An all but guaranteed organizational asset that quite literally holds keys to the kingdom, in every employee's hands. For an attacker, what's not to love? From large government organizations to Fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Encryption at rest is NOT enough in 2025! And I can show you why.

This talk will showcase methodologies used by our offensive security team to penetrate well-hardened, modern laptops during engagements we call “stolen laptop scenarios”. No power? No credentials? No problem! We push the envelope to the limit of what can be realistically expected of next-generation adversaries. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the value obtained through physical compromise, we will discuss real attack vectors, with examples and video demos.

We will explore together direct-memory access attacks, the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and ways that attackers circumvent these protection mechanisms. Naturally, we will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a stolen computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.

Finally, we will talk about encryption at rest, specifically BitLocker, TPM implementation, and the potential implications of using these technologies for attackers, with a focus on why these are not sufficient for preventing attackers with physical access from compromising a PC. This section will culminate with an exploit demonstration compromising Windows OS from UEFI via DMA when all modern countermeasures are enabled. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! We will discuss open-source tooling such as PCILeech, MemProcFS, UEFITool, etc., and some closed-source tooling including XGPro.

  • Pierre-Nicolas Allard-Coutu Bell Canada





Living Off the Pipeline: From Supply Chain 0-Days to Predicting the next XZ-like attacks

The next wave of Supply Chain attacks is brewing in our Build Pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the XZ compression library compromise was used as a trojan horse to backdoor OpenSSH. Thankfully, this was caught early on, but the next time it might go unnoticed for much longer. This talk picks up where we left off last year, and we tell the story of how we went from finding 0-day vulnerabilities in the Build Pipelines of critical Open Source packages to predicting TTPs for the next XZ-like attacks. This time we've adapted MITRE's ATT&CK framework for CI/CD environments. We'll go in depth on how Threat Actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding, proving why this has become Red Teamers' favorite new soft spot.

The session introduces practical methods for predicting and identifying threats before they materialize by mapping build pipeline tactics to our adapted ATT&CK model. Real-world case studies, based on our forensics of the recent Kong Kubernetes Ingress Controller and Ultralytics YOLOv5 ML library compromises, will demonstrate how adversaries exploit build pipelines, escalate privileges, and can remain undetected long enough to have significant impact.

This session empowers attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline" as demonstrated in the XZ compromise.

  • François Proulx





When the threat actor lives under your roof: Fighting Technological Violence in Domestic Abuse Cases

Spied on, followed, tormented: 70% of victims of domestic violence report experiencing technological abuse. As the technological environment around victims becomes more complex, how can we work to improve digital literacy among vulnerable populations and implement support tools?

  • CatherineDG Cyber Citoyen





Weaponizing XSS: Cyberespionage tactics in webmail exploitation

Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious script code into legitimate web pages. Identifying XSS vulnerabilities is a typical pentesting exercise, as they are commonly found in web applications that use user-provided, including attacker-controlled, data as output. The theory is well understood, but what do real-world attacks look like?

Our research team at ESET has spent the last two years investigating the exploitation of XSS vulnerabilities in webmail portals. These portals are particularly vulnerable: their main purpose is to display untrusted HTML content, in the form of email messages, in the context of their web applications, which run in their users’ web browsers. During our research, we discovered two zero-day vulnerabilities, one each in Roundcube and MDaemon, and identified the use of multiple N-day vulnerabilities in Roundcube, Zimbra, and Horde.

Our presentation showcases the webmail vulnerabilities we uncovered, and provides a detailed analysis of the exploits and JavaScript payloads used by three cyberespionage groups: Russia-aligned Sednit and GreenCube, and Belarus-aligned Winter Vivern. We demonstrate how these groups leveraged XSS vulnerabilities to steal email messages from government officials and other high-value targets.

  • Matthieu Faou ESET





Lightning Talks

Short 5-minute talks from the community!





UNO Reverse Card: Exposing C2 Operators Through Their Own Logs

Infostealers are malware that collect sensitive data from infected devices and transmit it to Command-and-Control (C2) servers operated by cybercriminals. The resulting stealer logs, containing credentials and system information, fuel a lucrative underground market. But what if C2 operators also fell victim to their own skim: the biters bit. Our research reveals that C2 operators themselves sometimes become unwitting victims, exposing valuable intelligence about their operations. In this presentation, we will be turning the tables on the very actors behind infostealers. Through analysis of stealer logs, we uncover diverse profiles within the infostealer ecosystem. Most notably "NoObSec" - amateur operators with critically poor security practices who can be de-anonymized through their own logs, and "Skip Tracers' Nightmares" - sophisticated actors operating from dedicated virtual machines who maintain strict operational security. These contrasting profiles demonstrate the wide spectrum of expertise in the infostealer landscape, from those who inadvertently expose their identities to those who masterfully conceal their tracks while orchestrating complex campaigns. This presentation presents case studies including a malware distributor using cracked software for infection and a threat actor operating multiple malware families to create a complex cybercriminal ecosystem. These examples demonstrate how stealer logs serve as powerful investigative tools for understanding both cybercrime infrastructure and techniques shaping the infostealer landscape. Join us as we pull back the curtain on the cybercriminal backstage.

  • Estelle Ruellan Flare





Persōna Theory: Infiltration and Deception of Emerging Threat Groups

Our personas are fabrications and constructions of our inner self that we project outwards. We do this through various means and influences such as race, gender, sex, ability, age, culture, religion, norms, class, and status. For the “real world” aka “irl” we do all this by expression in our clothing, makeup, hairstyling, our hobbies, our network of friends, colleagues, and acquaintances. We leverage all of these facets and we create masks, personas, that we think will best interact with the world around us. The same concepts apply when creating personas for infiltrating online communities. Online communities are built on trust, reputation, and currency which can take various forms such as data, crypto, intel and notoriety. This talk is an exploration of techniques: linguistics, OPSEC, OSINT, and SOCENG. It covers tactical operations and concepts like hours of online operation, timezone shifting, and using low ranking accounts as cannon fodder for probing, and psychological models used in the infiltration of emerging threat actor groups.

Persona Theory applies the understanding of threat actors, how they think, how they operate, their language, their motivations, fears, methods, the "game" and reflects it back at them like an obsidian mirror. The talk features case studies showcasing active infiltration chat logs and we present this firsthand, showing how established ransomware threat actors communicate during their ARP (Active Recruitment Phase). Recruitment for RaaS (Ransomware-as-a-Service) functions very similarly to a job interview. You need to show you got the goods such as the ability to provide your initial access into organizational infrastructure, pentesting, and overall business acumen. The case studies go from initial contact, to obtaining the ransomware builder and affiliate panel access. We also explore the use of transliteration (preserving pronunciation) vs translation (preserving meaning) and how machine translation engines like DeepL and Google Translate aren't necessarily the best for passing yourself off as a native speaker.

  • Tammy Harper Flare





PolySécure Podcast Recording

Take part in the recording of an episode of the PolySécure podcast, a special panel looking back on the first day of talks.

  • Nicolas-Loic Fortin





Uplevel your security program with AI

In this session, we’ll explore how LLMs can be leveraged to uplevel your product security program. Discover practical strategies for integrating LLMs into your workflows, including dynamic risk assessment.

Learn how to harness their natural language understanding capabilities to streamline communication between engineering, security, and business teams—bridging gaps and enhancing collaboration.

Through real-world examples and actionable takeaways, we’ll show how LLMs are not just tools for efficiency but catalysts for innovation in securing your products and protecting your users. Whether you're building out your first security program or looking to amplify an established one, this talk will leave you inspired to embrace the power of AI and redefine what’s possible in product security.

Join us to learn how AI can be your ultimate ally in staying ahead of the curve and ensuring your product security program is future-ready.

  • Aditi Bhatnagar Offgrid Security





Executing shellcode without changing memory permission in .NET

This talk will present a technique that allows red teamers to execute shellcode within a .NET process without the need to create a RWX memory section, limiting EDR detection. This technique abuses the underlying concept of how .NET executes the CIL code once it is compiled. No external dependencies are needed, only the .NET framework's magic.

  • Charles F. Hamilton (Mr.Un1k0d3r)





Noise Pollution is Damaging Your SOC: Prevent IoCs From Turning Into Indication of Cacophony

Noise pollution is linked to high blood pressure, headaches, fatigue, stress, and impaired focus, leading to decreased performance over time. This analogy accurately describes the impact of excessive obscure alerts and unlabelled data on SOC analysts. Awareness of noise pollution is crucial for both mitigating (blue team) and exploiting (red team) its effects.

This talk will explore the sources of noise and propose methods to reduce or transform it into music. The ultimate goals are to enhance how CTI analysts operationalize indicators of compromise (IoCs), prevent alert fatigue, and avoid the aforementioned health issues.

Attendees will step into the shoes of a SOC analyst navigating a high-severity alert on a Friday at 4 p.m. (as is tradition). The high-confidence IoC is linked to known malicious infrastructure, threatening to ruin weekend plans if confirmed malicious.

Spoiler Alert: The false positive turns out to be the Windows Delivery Optimization (DO) service functioning as intended on port 7680.

We will dig into this feature, revealing that Windows devices have participated in a peer-to-peer (P2P) network by default since Windows 10 to speed up update delivery. A deep understanding of the DO ecosystem is necessary to interpret telemetry from XDRs and contextualize the noise.

Noise reduction strategies will be proposed at various stages of the telemetry lifecycle, applicable to other services, protocols, features, and XDR artifacts.

  • Joey D Canadian Centre for Cyber Security (Cyber Centre)





Red Team Road Rage: Weaponizing Vulnerable Drivers to Blind EDR

Endpoint Detection & Response (EDR) tools are becoming more and more sophisticated, requiring attackers (both good & evil) to work ever harder to subvert them. This talk will address the architecture of EDR solutions (with a focus on kernel-mode components), the various sources of telemetry, and how an attacker can leverage 3rd-party vulnerable drivers to blind an EDR agent. The audience should walk away with a deeper understanding of the inner workings, capabilities, and limitations of market-leading EDR tools.

  • Jake Mayhew White Knight Labs





Exploring Azure Logic Apps and Turning Misconfigurations into Attack Opportunities

Azure Logic Apps, a powerful tool for automating workflows and system integration, plays a pivotal role in modern cloud operations. However, these capabilities come with hidden risks: numerous potential security vulnerabilities and attack vectors that can be exploited due to unnoticed misconfigurations. This session will examine the complex attack surface of Azure Logic Apps, revealing how attackers can manipulate its features to compromise cloud environments.

We will cover critical topics such as the exposure of sensitive data due to improperly secured Logic Apps, the execution of inline C# code to perform malicious actions, privilege escalation within storage accounts, hijacking API connections, and techniques for facilitating cloud-to-on-premises lateral movement. Additionally, we will address the often-overlooked risks associated with custom authorization logic, showcasing real-world examples of how weak authentication mechanisms can be bypassed, resulting in unauthorized access and data breaches.

Furthermore, we will explore the broader implications of misconfigured Logic Apps, such as overly permissive role-based access control (RBAC), insecure service principals, and unprotected connections to external systems. These misconfigurations can open the door to privilege escalation, unauthorized access, and even cloud-to-cloud or cloud-to-on-premises lateral movement.

By examining these threats and their countermeasures, organizations can strengthen the security of their Logic App implementations and ensure resilient cloud operations. Real-world scenarios and exploitation techniques will be dissected to highlight critical vulnerabilities in these workflows.

  • Raunak Parmar White Knight Labs

  • Chirag Savla White Knight Labs





Exploiting the not so misuse-resistant AES-GCM API of OpenSSL

AES-GCM is robust when used properly, but in practice, some APIs make it easy to introduce vulnerabilities that make it possible to alter the content of encrypted ciphertexts. One of these APIs lacking misuse resistance is implemented by OpenSSL, a library providing cryptography functions to products such as browsers and even to some programming languages (e.g., Ruby and PHP).

In this talk, we go through AES-GCM, why it's robust and what is needed to affect its integrity property. We'll go briefly over specifications only to introduce the required concepts. Then, we'll continue with a few examples where misuse resistance was never considered when implementing cryptography APIs. We'll see how to detect these misuses and how to exploit them in real-life scenarios. The abuse cases vary depending on how AES-GCM is used, but we'll see what techniques can be used to leverage this vulnerability.

Theory is one thing, but implementation choices can be questionable and lead to real issues, which results in the popular saying: "It works on my paper..."

  • Félix Charette





Enhancing Identity Credential Privacy with Zero-Knowledge Proofs

Digital identity credentials are coming to our mobile wallets. In North America, several states have begun deploying mobile Driver's Licenses (mDL), with others, including the Canadian provinces, preparing to follow suit. In Europe, plans are underway for a unified digital identity wallet. Similarly, corporate identities, like those provided by Microsoft Entra, are enabling various online authentication scenarios, such as employment verification. Together, these innovations are building the long-missing identity layer of the internet.

However, the internet’s foundational business model, rooted in tracking user activities to serve targeted ads, has created persistent privacy challenges. Modern identity frameworks like Selective-Disclosure JSON Web Tokens (SD-JWT) and mDLs address some concerns by enabling selective disclosure, thereby minimizing data oversharing. While this is an important step forward, one critical gap remains: breaking the cryptographic link between the issuance and presentation of credentials. Without this, issuers and verifiers can still track users’ activities, eroding user privacy.

Several cryptographic schemes, such as blind or group signatures, have been proposed to address this issue. However, these solutions require significant overhauls to existing identity systems, making widespread adoption difficult. An interesting alternative is to leverage zero-knowledge proof mechanisms to present unmodified existing identity credentials while achieving any desired levels of privacy. This approach allows users to prove specific claims — such as "I reside in QC" (without revealing the full address) or "I am an adult" (without disclosing the date of birth) — without unnecessary data disclosure.

In this talk, I'll present our recently released Crescent open-source framework implementing such a zero-knowledge scheme, and demonstrate how it can be used to 1. prove you are currently employed by a specific company to access employer-provided sensitive resources (e.g., a mental health clinic or an anonymous survey system), and 2. prove you are over 18 to a social network using your mDL.

This is achieved without the employer and government being able to track the usage of the credentials.

For further details, visit: https://christianpaquin.github.io/2024-12-19-crescent-creds.html

  • Christian Paquin Microsoft Research





The Evolution of Malware Distribution Through Ghost Networks

A new era of malware distribution is here, where “ghost”/bot accounts spread malicious links across multiple platforms. The Ghost Network is a sophisticated operation that uses fake and compromised accounts to act in a legitimate way while spreading and promoting malware. The first discovered Ghost Network operates on GitHub. The operator behind Stargazers Ghost Network controls over 30,000 GitHub accounts, driving rapid infections and generating significant profits in a remarkably short period. What makes this operation particularly dangerous is its ability to bypass platform defenses, minimizing the impact of any countermeasures imposed by GitHub. The continuous activity and low downtime of the distribution process allow the malware campaign to persist with little interruption. The great success of the original GitHub-based Ghost Network has spurred its expansion to multiple other popular online platforms, significantly broadening the reach of this insidious malware distribution method and making it harder to contain.

  • Antonis Terefos Check Point Software Technologies





Exploring MSIX Threat Landscape

BlueTeam analyzes new attack methods that attackers consider and comes up with detection and defense methods. This is an eternal cat and mouse game. However, the attackers are always ahead of us. The attack using the MSIX file is a prime example. To overcome this situation, we have researched new attack techniques that attackers would use in the future. This gives us an advantage over attackers.

This presentation will briefly describe existing attack techniques, followed by an introduction to new MSIX abuse techniques that we have discovered. In MSIX abuse techniques, a feature named the Virtual File System (VFS), used to maintain compatibility, is particularly utilized. We will share how the VFS mechanism is abused to perform DLL Hijacking and AppDomainManager Injection. This allows the audience to understand how VFS can be abused. And we’ll also introduce attack techniques that abuse other features of MSIX. These attack techniques have not yet been observed to date.

Finally, we will explore defensive strategies against these attack methods. The talk will include detailed detection logic and effective countermeasures.

  • Teruki Yoshikawa NTT Security Holdings

  • Syogo Hayashi





Social Engineering for Physical Pentesting Assignments

This presentation will explore the strategic use of social engineering in penetration testing, focusing on gaining covert access to a client's server room. I will outline how to perform reconnaissance, gather intelligence on company structure, employee behavior, and security vulnerabilities. Attendees will learn effective social engineering tactics such as pretexting, tailgating, baiting, and phishing, all designed to manipulate human behavior and bypass physical security.

I will cover the importance of crafting a believable pretext, from creating fake work orders to using props like ID badges and uniforms, and demonstrate techniques for gaining access to restricted areas like server rooms, and later on how to navigate the target environment, avoid detection, and plant a symbolic flag.

Finally, the session will discuss post-engagement reporting, vulnerabilities identified, and recommendations for strengthening defenses against social engineering attacks. This talk emphasizes the ethical considerations and the need for careful planning, confidence, and adaptability throughout the operation.

  • Dorota Kozlowska Black Hills Information Security





Salesforce Snafus: Unveiling and Exploiting Security Misconfigurations Using Commonly Used Widgets

This talk explores how to leverage the nooks and crannies of Salesforce to find and abuse misconfigurations that chain together and create serious vulnerabilities that leak sensitive data to adversaries. It highlights that security concerns still exist on applications built on a well-known CRM tool with declarative or "point-and-click" development, where to discover them, and how they can be remediated. It provides a real-world scenario of using various Salesforce widgets to find security vulnerabilities like Insecure Direct Object References (IDORs) and Broken Authorization as a means of stealing sensitive client information. It offers solutions for detection and prevention for these elevated attacks that relate to common security best practices. At the end of this discussion, you will walk away with better awareness of the vulnerabilities existing in Salesforce, how they can be discovered, remediated, then prevented. You may even learn a new trick or two on how to think like a hacker when building your company's next communication tool!

  • Jessa Riley Gegax Surescripts LLC





Opening Ceremony

NorthSec 2025 Grand Opening!

Opening Remarks: Vice President of the Conference, Code of Conduct Reminder, President, and a Message from our Diamond Partner CyberEco

  • Hugo Genesse

  • Pascal Fortin CyberEco





Why preventing phishing is so difficult, and what we can do about it

We still haven’t solved phishing. Why does phishing still happen and why do security professionals struggle to understand user behavior? This presentation demystifies the challenge of phishing and presents key findings from one of the largest independent studies of phishing behavior in Canada.

Drawing from five years of research, this talk challenges assumptions about human decision-making and security training. By integrating insights from a range of scientific perspectives, we explore why phishing remains effective despite increasing awareness. This research will also present results of a large-scale, Canada-wide study of phishing behaviours, offering an unparalleled view into real-world phishing trends. Key questions addressed include:

  - When are phishing emails most dangerous? We show the time and day of the week that is the riskiest, and evidence as to why.
  - How often should cybersecurity training be conducted? We investigate the decay rate of training effectiveness to balance reinforcement with security fatigue.
  - Does Cybersecurity Awareness Month actually change behavior? We evaluate the real-world impact of this national event.
  - Can strong technical security measures increase phishing risk? We look into the potential negative impact that confidence in technology can have.

By the end of this session, you will gain a deeper understanding of phishing psychology and training, helping you design more effective security programs that account for human behavior. Attendees will learn why traditional training can fail, the why of phishing simulations, and how to better interpret user behavior. This talk will debunk common misconceptions and provide practical, data-driven approaches to phishing mitigation.

This presentation is based on PhD research conducted at the University of Montreal in collaboration with Beauceron Security. These findings are being presented publicly for the first time, offering a unique opportunity to engage with groundbreaking research.

  • Michael Joyce





From Security to Safety: Navigating the Ethics of AI as Red Teamers and Penetration Testers

This talk explores the intersection of philosophy, ethics, security, and AI. As AI systems like LLMs become increasingly ubiquitous in our lives, security practitioners are shifting from testing security to testing for safety - a fundamentally normative issue. A transition to this new paradigm can be an uneasy one for professionals accustomed to the comfort of (relatively) objective processes. I argue that despite some initial discomfort, penetration testers & red teamers - with our rich history of social awareness and ethically motivated action - are well-positioned to tackle AI safety and responsibility challenges. We can do this by reframing what we already know how to do so well in other contexts: balance technical rigour on a robust foundation of humility, curiosity, compassion and epistemological self-awareness.

  • Jeremy Miller OffSec (Offensive Security)





Linux and IoT malware analysis with r2ai

A full malware analysis is quite long to perform. Depending on its complexity and the desired level of details, it takes between half a day and 10 days. Can we speed up the process with assistance from Artificial Intelligence (AI)? Will the quality of the analysis be good enough?

I started the research open-minded, not knowing whether the outcome would be positive or not. For my tests, I collected recent Linux and IoT malware that I had never worked on before, and analyzed the binaries with r2ai. The r2ai project handles the communication between r2 - the Radare2 open source disassembler - and an LLM. The results were astonishingly good. The main functions of the malware were often decompiled in a very correct and understandable manner. We can even get the AI to defeat obfuscation mechanisms. Personally, I hadn't expected the AI to be that good, but - as with everything? - there were many caveats:

  1. You cannot expect the best results in a single go. Using an AI is comparable to team work with a smart intern. You need to discuss and guide the AI towards what you are interested in.
  2. The AI is very convincing, but you should not trust it blindly (never!). You need to check everything it claims. Hallucinations are the best known issues, but we also need to take care of omissions (very frequent) and exaggerations.
  3. Costs are usually controlled and very low, but in some cases, they can grow a bit too quickly if you do not pay attention to the amount of data you send to the AI.

In this presentation, I will show how to use r2ai over recent versions of Linux/Ladvix (aka Rhomba, Ebola) and a Linux shellcode of March 2025. We will tackle the 3 issues we mentioned previously, and see how to get the best results, spot hallucinations, etc., while keeping costs below 10 dollars.

Expect several demos.

  • Axelle Apvrille Fortinet





Nice to meet you! That will be 20 million please

A ransomware attack isn’t just a technical compromise of a company; it’s also a game of negotiation and perhaps even chess. In this talk, I plunge into 133 recorded conversations and more than 7,000 messages exchanged between ransomware gangs and their victims, unraveling the narrative of cyber extortion. This is an insider’s look at how these dark operators blend intimidation, persuasive rhetoric, and even a twisted sense of humor to secure their demands. I dive deep into the qualitative nuances of these dialogues, decoding the linguistic tricks, psychological maneuvers, and power dynamics that define the art of ransomware negotiation. Each conversation is a case study in negotiation that flows between capitulation and defiance, where subtle cues and strategic language can be the difference between a quick surrender and a prolonged standoff. Furthermore, I integrate comprehensive data detailing who paid their ransom, how much, and under what circumstances to construct a predictive model that exposes the critical factors influencing ransom decisions. This model not only sheds light on the financial and behavioral patterns of cybercriminal interactions but also unearths trends that could forecast future threats. By examining variables such as company size, industry type, and security stance, I reveal a multifaceted picture of vulnerability and response. Beyond the numbers and narratives, the talk will present real conversations to clearly show how these conversations unfold. With this data-driven roadmap, my aim is to better prepare companies and individuals facing the all too common ransomware attack, and to empower defenders, incident responders, and policymakers with actionable strategies designed to disrupt these criminal networks and mitigate future threats.

  • David Décary-Hétu Université de Montréal





Vulnerability Haruspicy: Using Woo To Confirm Your Biases

Vulnerability scoring is supposed to bring order to the chaos of risk management, but in practice, it can feel more like reading tarot cards or poking at entrails than applying science. CVSS performs monkey math to force fractal bell curves, EPSS tries to predict exploitation with statistical black magicks, and SSVC ditches math entirely in favor of structured gut feelings.

Meanwhile, defenders mix and match shortcuts — KEV lists, vendor advisories, and lived experience — to separate the truly urgent from the merely annoying. But are we actually making better risk decisions, or just using these frameworks to justify what we were going to do anyway?

This talk will dig into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities. Tod will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation. Expect debate, disagreements, and plenty of astrology jokes.

  • Tod Beardsley runZero





One certificate to rule them all: the story of a Chinese-nexus botnet

Let's dive into the domain of edge devices and botnets through our discovery of a vast cluster of ~70,000 compromised hosts. This story stemmed from a simple error - the repeated use of a self-signed certificate across multiple hosts. In this talk, we will demonstrate how this small SecOps oversight allowed us to unveil a whole network of Operational Relay Boxes and a multi-layered cyber attack infrastructure involving the GobRAT malware and a previously undocumented backdoor, which we named Bulbature. A unique attribute of this infrastructure is the fact that a majority of the C2s possess open directories. Altogether, over 5,000 varied types of files have been analysed, enabling us to effectively place ourselves in the operators’ shoes. This infrastructure is touching corners around the globe and hints at ties to China.

  • Amaury-Jacques Garçon Sekoia.io





How not to do ML: Showing the Negative Impact of Improper CVE Feature Selection in a Live Exploit Prediction Model

Machine learning has been used extensively for the prediction of cyber security threats for a number of years. More specifically, building predictive models for the exploitation of security vulnerabilities and the publication of vulnerability exploits is essential in anticipating threats in the cyber security landscape.

Many published approaches train ML models using publicly available data, be it online discussions or vulnerability details available through the publication of CVEs. Unfortunately, many challenges arise when encoding this data to predict exploitation. More importantly, many of these do not impact the model's performance on historical data, but instead result in a poor performance when used as a live model in a real environment.

In this talk, we will demonstrate our implementation and deployment of several of these methods. We show that these models underperform in a live environment in comparison with their historical evaluation. Vulnerability and threat information evolve over time, and are often not available on the day of a vulnerability's publication. We identify four incorrect ways to encode and evaluate features for the prediction of exploits that cause the model to incorrectly predict exploits when used in a day-to-day live system.

Ultimately, we show how a model that has a lower performance on its historical data evaluation can better predict the publication of exploits in a live setting, by encoding the features correctly.

  • François Labrèche Sophos





Oops, I Hacked It Again: Tales and disclosures

Breaking into supermarket systems, ticketing platforms, and more. I’ll share some of my latest hacking stories, showing how I found the vulnerabilities, reported them, and collaborated with the companies. We’ll dive into tools, the challenges of disclosure, the importance of being “ethical”, lessons learned and how these experiences help improve security and build trust between hackers and organizations.

  • Ignacio Navarro N/A