BSidesAugusta 2025
Grab your badge and freebies, then check out the CTF, exhibitors, lock pick village, and raffle table.
Live in Track 1, Simulcast in Tracks 2-4
Remarks will be delivered by BSidesAugusta staff and special guests.
Live in Track 1, Simulcast in all other tracks/rooms
Volt Typhoon is a state-sponsored threat actor that infiltrated U.S. telecom infrastructure using stealthy, malware-free techniques - living off the land with legitimate credentials and built-in tools. This session unpacks how the group maintained undetected access for years, bypassed traditional defenses, and positioned themselves for potential sabotage. We’ll dissect their tactics, from credential theft and lateral movement to covert exfiltration and persistence via hijacked SOHO routers. Attendees will gain actionable insights into detecting and defending against these advanced, low-noise intrusions. If your SOC relies on alerts alone, this is the wake-up call you can’t afford to miss.
As Microsoft phases out NTLM authentication, red teamers and pentesters need alternative techniques to maintain certain offensive capabilities. This talk demonstrates how Kerberos authentication can be abused through relaying attacks, providing a direct replacement for common NTLM relaying tradecraft. We'll cover the timeline for NTLM deprecation, practical Kerberos relaying techniques, demonstrate common attacks, and maybe even demonstrate some less common methods of abuse.
For defenders, we'll examine detection strategies beyond simply disabling NTLM, highlighting effective mitigations including Extended Protection for Authentication and LDAP signing requirements. Attendees will leave with actionable knowledge to both execute and defend against these emerging attack vectors in modern Active Directory environments.
You downloaded malware to your analysis lab, ready to dig in, and you’ve already lost the battle? Come find out. You double-clicked malware, ran it in a sandbox and submitted a report, when the malware’s main purpose is the total opposite of what it did for you. Why? Come find out. You are certain that no EXEs or DLLs were written to your computer and there is nothing malicious in memory. Yet, you are still infected. Why? Come find out. Then I’ll show you how to build your first Malware Dev lab and do it yourself! Only then will you be a truly certified Malware Analyst in my book.
Blue Team
You are assigned to the Cybersecurity Team servicing four Regional Airports within the IG Labs Regional Airport System. The shift this evening started with routine checking status boards, reviewing threat alerts, and checking for any newly identified vulnerabilities that may have an impact on the system from both Information Technology (IT) and Operational Technology (OT) vectors.
Around midnight, the Control Tower Operator at the La Valoria regional airport had observed the runway lights turn off completely. A few seconds later, it was noticed that only a few of the lights came back on, though not enough to properly light the runway for inbound or outbound traffic. The operator also mentioned the Operator HMI (Human Machine Interface) controlling the Runway Lighting system is non-responsive and they are locked out of the Maintenance HMI to reboot the system. Without the lights, the planes circling the airport cannot land at La Valoria and flights are being diverted to other nearby airports.
You quickly alert the Cybersecurity Teams at Northbridge, Eldoria, and Fenmoor regional airports to the compromise of La Valoria airport and begin sharing what few details you have about the attack in the hopes the information will allow them to defend their respective airports and keep air traffic flowing smoothly.
As you sit down at your terminal to pull up the maintenance manual and troubleshoot the problem, you discover you are locked out of your account. You are suddenly relieved that management would not let you deploy security updates to the network because they feared service interruptions may occur. This should allow you to regain access through the GRUB command line interface.
Once you regain access to the system and have all the reference material available, you bring up the control logic for the runway lighting system on one screen and the HMIs on another and quickly realize this is not a normal system failure. An unknown hacker or hacker group has accessed and taken control of the system. They have manipulated the PLC (Programmable Logic Controller) and impacted the HMIs.
It is essential to restore operation to the Runway Lighting Control System quickly and ensure that the other regional airports your team is responsible for do not lose control of their systems and operations are able to continue without interruption.
Red Team(s)
Cybersecurity Teams are often heavily focused on securing Information Technology (IT) systems and devices but may not consider securing Operational Technology (OT) systems and devices. While OT systems and devices may be connected to IT systems, the type of data and protocols are different.
You start your day exploring OT system vulnerabilities and consider what chaos you could create. You see a report that the runway lighting system at one of the IG Labs Regional Airports has been compromised. The runway lights have lost sequencing and are flashing erratically, and the operators have been locked out of the Human Machine Interface (HMI), which is preventing them from shifting to Maintenance Override Mode to take back control of the runway lighting system.
You start researching to learn more about the attack and the IG Labs Regional Airport System. There are no claims of responsibility and no evidence of a specific threat actor, so you do not have any leads as to the entry points or next steps to expect for the attack. Through your digging, you discover that there are four regional airports in the system and the same contract group constructed and configured each airport. You also note that the physical layout for the four airports is identical and wonder if the IT and OT systems are identical as well.
Satisfied that you have learned enough to add to the madness that has been created at La Valoria, you decide to launch an attack of your own.
Success will be determined by the ability to disrupt the control and operations of the Runway Lighting Systems for the IG Labs Regional Airports at the OT level. DoS and DDoS attacks are not permitted as the intent is to demonstrate an understanding of OT systems, their functionality, and protocols.
Additional registration is required on the day of the conference. Participants do not need to bring a laptop to participate.
Our CTF sponsor this year is the local RunCode.ninja crew, because apparently they weren’t content just breaking stuff on their own time.
This year’s BSides Augusta CTF comes in one spicy flavor:
Lone-wolf jeopardy style. A veritable smorgasbord of standalone challenges and intentionally vulnerable hosts, perfect for flexing your skills, hoarding shells, and proving you really don’t need friends to have fun.
RunCode says, "Hack all the things!" We say, "Bring your laptop, your A-game, and maybe a spare ego—you’ll probably dent the first one."
Follow RunCode.ninja (@runcode_ninja) for teasers, trash talk, and more details, or visit https://bsidesaugusta.org/ctf.
No additional registration is required. Bring your own laptop if you want to participate.
Break
As AI-generated threats evolve—from deepfake content and synthetic identities to autonomous attack scripts—traditional security monitoring systems struggle to keep pace. This talk presents a forward-looking approach to detection engineering, tailored explicitly for synthetic threats in enterprise environments. Grounded in real-world experience with Microsoft Sentinel and MITRE ATT&CK, the session outlines techniques for modeling adversarial behavior, crafting high-fidelity analytics, and integrating automated response mechanisms.
Key focus areas include identifying machine-generated anomalies, detecting adversarial misuse of AI/ML models, and leveraging behavioral telemetry to differentiate between organic and synthetic actions. Attendees will gain practical insights into designing scalable detection rules, minimizing alert fatigue, and operationalizing threat intelligence to counter novel attack vectors. This session is designed for cloud security engineers, SOC analysts, and cyber defenders who aim to modernize their detection strategies against AI-enhanced threats.
Email bombs deluge a mailbox with a huge amount of email in a short time, rendering it useless and enabling some form of attack, perhaps in the form of a fake IT help call scam. They are nearly impossible to detect one message at a time, since the extra messages are often legitimate mail in other contexts. This talk will present a mailbox level detection method that uses unsupervised machine learning to detect anomalous mailbox volumes likely to correlate with email bombs for further detection on individual messages to separate the shrapnel from the email bomb from malicious messages and business as usual. In addition to learning about email bombs, attendees will learn how to apply similar anomaly detection to other scenarios where a large volume is likely to correlate with evil behavior.
This talk will discuss how ransomware groups and infostealers operate, plus take a look under the hood of the dark web. The last part will detail a kill chain from a real pentest where dark web credentials led to network compromise from the external perimeter with privilege escalation to domain admin. It will also offer guidance to help companies prevent such attacks.
Enjoy lunch provided by Chick-fil-A! A vegetarian option will also be available.
Lunch is served in the lobby of Building 200.
Chromium browsers on Windows like Chrome and Edge have adopted App-Bound Encryption to protect browser secrets, but attackers are still hungry and always find a way into the cookie jar. This talk dives into the internals of Chromium’s app-bound encryption mechanisms, revealing how a threat actor can extract sensitive data such as cookies and stored passwords while running as either a regular user or with SYSTEM privileges. We’ll walk through multiple proof of concept techniques for stealing browser secrets, highlight opportunities for detection and response, and show how this tradecraft plays out in real world post exploitation scenarios. And because one cookie is never enough, we’ll wrap up with a bonus: using stolen EntraID cookies to pivot into the cloud.
Paste and run (aka ClickFix, fakeCAPTCHA) has been one of the most successful initial execution vectors in the past year. Since its first reported use in March 2024, it’s been used by a number of adversaries to deliver more than 10 different malicious payloads in a variety of campaigns. Red Canary has certainly seen our fair share of users tricked into copying, pasting, and executing malicious code using this technique. In this talk we’ll scrutinize paste and run, and I’ll dig into some of the threat intelligence challenges we faced tracking and clustering this threat from an endpoint perspective. Attendees will learn about the Red Canary threat intel team's research into this threat over the past year and walk away with practicable detection opportunities.
Suricata, the high-performance, open-source network threat detection engine developed by the Open Information Security Foundation (OISF), is widely deployed for intrusion detection, intrusion prevention, and network security monitoring. In this talk, I’ll provide a brief technical overview of Suricata’s architecture and delve into the new features in the latest release, 8.0. Highlights include performance enhancements, expanded protocol parsing, improved multi-threading efficiency, and improved support for inline deployments with firewalls. I’ll focus on the initiative for this release – “if you log it, you can use it in a rule”. I’ll walk through key use cases, explain how these updates improve detection fidelity and operational flexibility, and share practical tips for maximizing the new features in production environments.
In a digital economy where every click counts, adversaries have found a lucrative attack surface: online advertising. In this fast-paced, data-backed session, we’ll expose how fraudsters use emulators, botnets, spoofed domains, and rogue mobile apps to siphon billions from ad networks—often going undetected. Known as click fraud or invalid traffic, this growing threat not only wastes marketing spend but also inflates KPIs, distorts procurement decisions, and introduces cybersecurity risk through compromised ad placements.
Attendees will:
- Understand the tactics behind ad fraud, including real-world breakdowns of operations like Methbot and Vastflux.
- Learn how fraudsters manipulate platforms like Google and Microsoft to profit from fake engagement.
- Discover how click fraud intersects with cybersecurity, insider threat, and contractor oversight.
- Walk away with strategies to recognize and mitigate clicksploitation.
Whether you're in charge of digital strategy, cyber defense, or compliance reporting, this session will arm you with the tools to recognize fraudulent patterns, reduce wasted spend, and defend against a threat hiding in plain sight.
Phishing attacks remain one of the most pervasive and successful tactics used by cybercriminals to get into organizations. But how do you create a phishing awareness program that goes beyond checking boxes and truly changes behavior? In this presentation, we’ll dive into the art and science of building an engaging, effective phishing program that empowers your workforce to recognize and respond to threats.
This session will blend actionable strategies with real-world stories, including insights from several years of crafting phishing simulations. You’ll discover how to design realistic campaigns, analyze results, and tailor training to address gaps—all while keeping employees motivated and engaged. Learn how to educate without alienating and evolve your program to ever-changing phishing tactics.
Whether you’re just starting your phishing awareness journey or looking to enhance an existing program, this presentation will equip you with the tools, best practices, and memorable anecdotes to hook your employees’ attention and build a better culture of security.
This talk will walk through how to structure and execute effective identity centric hunts. Identity is the new perimeter and a critical component in modern threats, as attackers increasingly exploit tokens, sessions, and human behavior.
We’ll start by discussing how to baseline normal behavior, formulate hunting hypotheses, and identify meaningful deviations in authentication. You’ll learn how to differentiate between false positives and benign true positives, avoid common pitfalls in chasing low-context anomalies, and uncover how seemingly benign events can offer deep insight into user behavior, misconfigurations, and organizational risk.
We will examine patterns observed after account compromise, focusing on how threat actors quietly maintain access, explore systems, and attempt to achieve their objectives. Whether working in Microsoft Entra, Okta, AWS, or GCP, this session will provide a practical approach to identity focused threat hunting in modern environments.
Break
In this talk, we’ll explore real-world attack scenarios, recent security incidents, and live demonstrations to show how LLM-based systems are being abused.
Attendees will gain practical insights on exploitation techniques, the latest adversarial AI tactics, and defensive strategies that can be implemented to secure LLM applications.
Scattered Spider has escalated its exploits in 2025, expanding beyond telcos to target enterprises across industry verticals. After gaining initial access through social engineering, the threat group is increasingly targeting cloud workloads, to elevate permissions for lateral movement. Attacks targeting the cloud control plane, focused on the IAM service, provide the attacker access to high-value assets and sensitive data. These attacks, known as Living off the Cloud attacks, avoid malware and leverage built-in cloud primitives for offensive activity.
This session focuses on identity exploits as part of the overall attack lifecycle of Scattered Spider. Through real-world attack demonstrations and analysis, the session outlines the stealthy enumeration tactics to identify privileged identities, IAM-specific exploits to elevate permissions, and lateral movement.
The session covers the defender’s perspective, what makes detection challenging as attackers pivot across control and data planes, and provides a practitioner’s learnings on countermeasures to defend against cloud identity exploits.
Modern security operations face a tough reality, given that attackers are faster and more creative than ever, but most teams don’t have unlimited budgets or staff. The good news? You don’t need a giant stack of expensive products to build real capability.
Throughout this presentation, we’ll explore practical ways to combine free and community-supported tools into a cohesive security program that can handle modern threats.
You’ll see how to:
- Detect phishing and email-based attacks before they reach users
- Monitor browser activity to catch risky clicks and malicious content
- Track wireless networks for rogue devices and close-access attacks
- Leverage network traffic and complementary logs to uncover suspicious behavior
- Quickly investigate endpoints to corroborate or correlate network-based activity
- Enrich events with network-based threat intelligence for better prioritization
We’ll walk through real-world examples showing how these capabilities work together to find and stop attacks across multiple layers without spending a fraction of what you might dole out in those big box IT data stores. Whether you’re building a SOC from scratch or looking to augment an existing setup, you’ll leave with practical ideas and proven approaches you can put to work right away.
Cyberpunk authors, like Neal Stephenson in Snow Crash, have long envisioned a world run by ruthless mega-corporations, with more power than governments, engaging in threat activity. We now live in such a world. Tech companies wield immense, often invisible power, far beyond what they admit to users. We’ve caught glimpses:
• A cloud provider scanning customer data for offensive content
• A rideshare app tracking users after the ride ends
• A robotic vacuum that builds maps of your home
• A respected security company bricking systems across the globe… accidentally
These aren’t theoretical. They’re the tip of the iceberg. The real capabilities, the ones no one talks about, are far more dangerous.
Governments know it. That’s why some ban certain apps and hardware.
Threat actors know it. That’s why they break in.
The question is: do you know what’s really possible?
This talk explores the dark potential of modern tech platforms, the things they’re structurally able to do, whether or not they intend to. We’ll walk through scenarios where companies might be tempted to go offensive, where insiders (or outsiders) could gain and weaponize access, and how these powers could be misused at scale.
Because in security, it’s never about what a system claims to do.
It’s about what it can do.
Cyber operators and SOC teams routinely endure chronic fatigue, hypervigilance, and compassion fatigue, but few organizations know how to measure, quantify, or address it.
This talk introduces the Copenhagen Burnout Inventory (CBI) as an open-source, practical method to quantify burnout in cybersecurity environments. I’ll explain how we adapted CBI specifically for analysts, incident responders, and blue teams, using real-world insights from Managed SOC operations.
Attendees will leave with a usable, validated framework to assess burnout levels across their teams, enabling leadership to act before burnout leads to turnover or worse.
When you ship new detection, are you crossing your fingers in hopes you did everything correctly? When there is a subtle problem in your detection pipelines, will you learn about it before a major incident occurs?
A former Red Teamer tells the story of the years-long project undertaken to cut down on the amount of broken detection shipped by his Blue Team, and the career move that followed. Starting from the shared pain of seeing a Blue Team come up short in Red Team operations, to bringing highly integrated offensive engineering principles to Detection Engineering.
This talk walks through how to read intelligence reports critically, the process of building realistic adversary tests based on intelligence sources, establishing a test environment, collecting and analyzing test performance, automating retest activity to detect drift in the environment, and integrating this process into an end-to-end Test-Driven Detection workflow for your team.
This talk is most suitable for detection engineers, their leaders, and those who benefit from an elevated detection engineering practice.