<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LGQTXM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LGQTXM</pentabarf:event-slug>
            <pentabarf:title>Insights from Modern Botnets</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T090000</dtstart>
            <dtend>20241022T093000</dtend>
            <duration>003000</duration>
            <summary>Insights from Modern Botnets</summary>
            <description>Botnets represent a significant and evolving threat in the cybersecurity landscape. This presentation aims to shed light on the inner workings of these networks based on extensive research and real-world examples. Attendees will gain insights into:

* Organization and Structure: Understanding how modern botnets are set up and managed.
* Code Analysis: A deep dive into the types of code used by botnet operators.
* Information Sharing: Exploring whether and how these networks share data amongst themselves.
* Victim Selection: Analyzing the criteria and methods used to choose targets.

Our aim is to provide a global view of the current state of botnets, offering valuable knowledge that can aid in the detection, analysis, and mitigation of these threats. This talk is designed for security professionals, researchers, and anyone interested in understanding the complexities and dangers posed by botnets in today&apos;s digital world.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/LGQTXM/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Miguel</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JJVXKP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JJVXKP</pentabarf:event-slug>
            <pentabarf:title>NeuroCTI - a custom LLM for CTI - benchmarking, successes, failures and lessons learned (updates)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T093000</dtstart>
            <dtend>20241022T100000</dtend>
            <duration>003000</duration>
            <summary>NeuroCTI - a custom LLM for CTI - benchmarking, successes, failures and lessons learned (updates)</summary>
            <description>(This is an update from the FIRSTCON24 talk)

Many CTI practitioners and companies experimented with LLMs for extracting information from unstructured CTI reports in the last year. Often, the dream is to automate the analyst&apos;s job to correctly identify, copy &amp; paste TTPs, threat actors and relationships from the report and to convert it into STIX. 

Alas, off-the-shelf LLMs often fail at this task (GPT-4-turbo being already pretty good at submission time). But there is another caveat: the requirements for IT security often demand that data remains on-premise or at least in a virtual server which is fully and only under the control of the organisation&apos;s IT team. For that we need local LLMs (as opposed to cloud-based SaaS/FaaS solutions such as openai.com&apos;s API). But how to achieve good results with local LLMs? Can we beat OpenAI?

To address the CTI text summarisation and information extraction problem, we

1. propose an open source CTI LLM benchmark dataset which can be used to compare different LLMs and prompts,
2. present a fine-tuned custom CTI LLM (&quot;neuroCTI&quot;),
3. evaluate it (as well as other LLMs) against the benchmark dataset and
4. finally, serve the model via ollama and integrate it with MISP.

The model is freely available for local deployments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JJVXKP/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Aaron Kaplan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>W9G3B8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-W9G3B8</pentabarf:event-slug>
            <pentabarf:title>Tales of the Future Past</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T101500</dtstart>
            <dtend>20241022T110000</dtend>
            <duration>004500</duration>
            <summary>Tales of the Future Past</summary>
            <description>In &#8216;Tales of the Future Past&#8217;, Sa&#226;d Kadhi, the Director of CERT-EU, invites you to embark on a time-travelling odyssey.

The journey commences with a retrospective dive into the past, where attendees will glean insights from CERT-EU&#8217;s unique vantage point on the threat landscape, hovering over noteworthy developments the Cybersecurity Service for the Union entities had been observing.

As the time machine propels us into the future, the presentation demystifies the complexities of Artificial Intelligence, shedding light on AI&#8217;s burgeoning role in cyber threats. It offers foresight and thoughtful projections on potential AI-powered dangers, equipping the audience with the knowledge to anticipate and navigate future challenges.

The expedition culminates with a return to the present where Sa&#226;d will share his ideas on how to fortify our defences against the cyber threats of today and tomorrow.

Designed for a diverse audience, &#8216;Tales of the Future Past&#8217; promises to be an enlightening journey, offering a unique blend of historical wisdom, futuristic insights, and practical, present-day solutions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/W9G3B8/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Sa&#226;d Kadhi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KGFZHF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KGFZHF</pentabarf:event-slug>
            <pentabarf:title>Integrating New Tools in Your Workflows Within Minutes in MISP</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T110000</dtstart>
            <dtend>20241022T113000</dtend>
            <duration>003000</duration>
            <summary>Integrating New Tools in Your Workflows Within Minutes in MISP</summary>
            <description>This session will walk you through how easy and powerful it can be to integrate new tools into your existing cybersecurity workflows in MISP. You&apos;ll learn the practical steps of plugging in external tools using misp-modules and misp-workflows, see a live demo of the process, discuss common integration challenges, and understand how automation with MISP can significantly reduce time to respond to threats and improve efficiency.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/KGFZHF/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Sami Mokaddem</attendee>
            
        </vevent>
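The session above is about wiring external tools into MISP through misp-modules. The following is an added example in Python (the language of misp-modules), not code from the talk or from the MISP project: a minimal expansion module in the shape misp-modules loads, with the module-level `mispattributes`, `moduleinfo` and `moduleconfig` names and the `handler(q)`, `introspection()` and `version()` entry points. The external tool is replaced by a constructed in-memory lookup (`hypothetical_lookup`, invented for the example), the `api_url` setting and the TEST-NET addresses are placeholders, and the legacy `results` list of `types`/`values` dicts is assumed as the return shape.

```python
"""Minimal MISP expansion module in the shape misp-modules loads (added example)."""
import json

# misp-modules reads these module-level names when it registers a module.
misperrors = {"error": "Error"}
mispattributes = {"input": ["domain", "hostname"], "output": ["ip-dst", "text"]}
moduleinfo = {
    "version": "0.1",
    "author": "added example",
    "description": "Resolve a domain through a hypothetical local lookup tool",
    "module-type": ["expansion"],
}
moduleconfig = ["api_url"]  # exposed as module settings in the MISP UI

# Constructed stand-in for the external tool being integrated; a real module
# would shell out to a CLI or call a REST API here. Addresses are TEST-NET.
_CONSTRUCTED_DB = {
    "evil.example": ["198.51.100.7", "198.51.100.8"],
    "c2.example": ["203.0.113.42"],
}


def hypothetical_lookup(name, api_url=None):
    """Invented tool wrapper: returns the IPs a domain resolves to, or []."""
    return list(_CONSTRUCTED_DB.get(name.lower(), []))


def handler(q=False):
    """Entry point misp-modules calls with the request JSON as a string."""
    if q is False:
        return False
    request = json.loads(q)
    # Legacy expansion requests carry the attribute value under its type name.
    name = request.get("domain") or request.get("hostname")
    if not name:
        misperrors["error"] = "Unsupported attribute type"
        return misperrors
    config = request.get("config") or {}
    ips = hypothetical_lookup(name, config.get("api_url"))
    if not ips:
        # Return a text attribute instead of an error so analysts see the miss.
        return {"results": [{"types": ["text"], "values": ["no resolution for " + name]}]}
    return {"results": [{
        "types": ["ip-dst"],
        "values": ips,
        "comment": "resolved by hypothetical_lookup",
    }]}


def introspection():
    return mispattributes


def version():
    moduleinfo["config"] = moduleconfig
    return moduleinfo


if __name__ == "__main__":
    print(json.dumps(handler(json.dumps({"module": "example", "domain": "evil.example"})), indent=2))
```

A file of this shape placed in the expansion module directory of a misp-modules checkout is picked up on restart; the module then has to be enabled in the MISP server settings before it appears in the enrichment menu. Replace `hypothetical_lookup` with the real tool call and the rest of the plumbing stays the same.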
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MMNTPT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MMNTPT</pentabarf:event-slug>
            <pentabarf:title>Lessons Learned from (almost) 8 Years of Sigma Development</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T113000</dtstart>
            <dtend>20241022T120000</dtend>
            <duration>003000</duration>
            <summary>Lessons Learned from (almost) 8 Years of Sigma Development</summary>
            <description>Development of Sigma started in the end of 2016 as proof-of-concept of an idea to create a language for detections and developed into an open standard widely used by lots of organizations. In between it took a journey from PoC-grade code that people started to use in production, a complete rewrite of the toolchain and growing from a project maintained by few individuals to multiple projects maintained by a community.

In this talk I will share the experience from my perspective as a core maintainer of the [Sigma project](https://sigmahq.io/). Some of the topics are:

* Organizing and structuring a growing open source security project.
* Ensuring quality.
* Continuing to maintain existing code *vs* a full rewrite.
* Contributions, trust and handing over control.
* Staying motivated and handling stress and exhaustion.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/MMNTPT/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Thomas Patzke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PELM7F@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PELM7F</pentabarf:event-slug>
            <pentabarf:title>Catching Phish Using Publicly Accessible Information</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T133000</dtstart>
            <dtend>20241022T133500</dtend>
            <duration>000500</duration>
            <summary>Catching Phish Using Publicly Accessible Information</summary>
            <description>The talk will explore how open-source intelligence (OSINT) can be used to identify phishing infrastructure. Whether you&apos;re a cybersecurity professional or just looking to protect yourself better, this session offers practical strategies for leveraging public data to catch phishing threats.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/PELM7F/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Aurimas Rudinskis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7TBNCY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7TBNCY</pentabarf:event-slug>
            <pentabarf:title>Cyrus - The story of no cloud</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T133500</dtstart>
            <dtend>20241022T134000</dtend>
            <duration>000500</duration>
            <summary>Cyrus - The story of no cloud</summary>
            <description>We are 2 researchers in cybersecurity from a belgian research center and we will present to you what Cyrus is. And because we only have 5 minutes let&#8217;s explain it to you the quick and fun way.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/7TBNCY/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Guillaume Ginis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KW9S7Z@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KW9S7Z</pentabarf:event-slug>
            <pentabarf:title>Latest Updates on Kunai</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T134000</dtstart>
            <dtend>20241022T134500</dtend>
            <duration>000500</duration>
            <summary>Latest Updates on Kunai</summary>
            <description>Kunai is a security monitoring tool for Linux. In this talk, I&apos;ll cover the most important updates since last year&#8217;s presentation at hack.lu, including the detection and filtering rule engine, IoC-based detections, file scanning with YARA rules, log storage with rotation, and more.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/KW9S7Z/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SLW7CQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SLW7CQ</pentabarf:event-slug>
            <pentabarf:title>Hacking EV Charging Points, for fun... and fixing the firmware</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T134500</dtstart>
            <dtend>20241022T135000</dtend>
            <duration>000500</duration>
            <summary>Hacking EV Charging Points, for fun... and fixing the firmware</summary>
            <description>Sunday, October 29th 2023, like every Winter, Europe switched to daylight saving time... but my EV Smart Charing Point did not.
In this lightning talk, I will explain how I moved from the willingness have a correct a timezone on my charging point, to a full compromise of the appliance.
I&apos;ll develop the whole process that brought me from a regular user with no access, to root of the charging point, including full disclosure to the company that (partially) developed the product.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/SLW7CQ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Simon Petitjean</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>STA7SL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-STA7SL</pentabarf:event-slug>
            <pentabarf:title>Running Exercises with SkillAegis</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T135000</dtstart>
            <dtend>20241022T135500</dtend>
            <duration>000500</duration>
            <summary>Running Exercises with SkillAegis</summary>
            <description>SkillAegis is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. This short session will show you the tool and what it can do.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/STA7SL/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Sami Mokaddem</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EMPW3K@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EMPW3K</pentabarf:event-slug>
            <pentabarf:title>QKD - is it worth it?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T135500</dtstart>
            <dtend>20241022T140000</dtend>
            <duration>000500</duration>
            <summary>QKD - is it worth it?</summary>
            <description>QKD networks have a special interest specifically in Europe since the EuroQCI initiative was signed. Currently across Europe there are more than 20 national QKD projects under development, where in the US NIST is looking at the quantum resistant algorithms. Which is the way to go?</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/EMPW3K/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Mihai Carabas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VKE3K8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VKE3K8</pentabarf:event-slug>
            <pentabarf:title>Nothing to see here! On the awareness of and preparedness and defenses against cloaking malicious web content delivery</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T140000</dtstart>
            <dtend>20241022T143000</dtend>
            <duration>003000</duration>
            <summary>Nothing to see here! On the awareness of and preparedness and defenses against cloaking malicious web content delivery</summary>
            <description>In this talk I present part of my master thesis research in this space, explaining how browser fingerprinting works, and why I think it deserves some more attention from the cyber community and CTI community in particular.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VKE3K8/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Jeroen Pinoy</attendee>
            
        </vevent>
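The talk above concerns cloaking: a malicious landing page fingerprints each visitor and serves a harmless decoy to anything that looks like a crawler, sandbox or analyst, delivering the real content only to likely victims. The block below is an added illustration, not the speaker's code or research. `cloak_decision` is a constructed scoring rule over request headers and a JavaScript-collected fingerprint (the signal names, weights, threshold and user-agent markers are assumptions), `serve` stands in for the cloaked site with two plain-text bodies, and `fetch_under_profiles` is the defender-side check of fetching the same URL under several client profiles and comparing body digests.

```python
"""Fingerprint-keyed cloaking and a defender-side divergence check (added example)."""
import hashlib

# User-agent fragments a cloaking page treats as scanner traffic (assumed list).
SCANNER_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/",
                      "go-http-client", "bot", "crawler", "spider")

DECOY_BODY = "Page not found"
PAYLOAD_BODY = "Sign in to your account to view the shared document"


def cloak_decision(headers, fingerprint):
    """Attacker-side rule: 'decoy' for visitors that look automated, else 'payload'.

    headers: HTTP request headers. fingerprint: dict posted back by the page's
    JavaScript (None when the client never executed it). Weights are assumptions.
    """
    ua = headers.get("User-Agent", "").lower()
    score = 0
    if not ua or any(marker in ua for marker in SCANNER_UA_MARKERS):
        score += 3
    if "Accept-Language" not in headers:
        score += 1   # browsers always send it; many fetch libraries do not
    if not headers.get("Referer"):
        score += 1   # victims arrive from the lure; scanners fetch the bare URL
    if fingerprint is None:
        score += 2   # no JS executed: a non-browser fetcher
    else:
        if fingerprint.get("webdriver"):
            score += 3   # navigator.webdriver is set by automation frameworks
        if fingerprint.get("plugins", 0) == 0:
            score += 1
        if fingerprint.get("screen") in (None, (0, 0), (800, 600)):
            score += 1   # default headless viewport
        if "mobile" in ua and not fingerprint.get("touch"):
            score += 2   # mobile UA without touch support is a spoofed profile
    return "decoy" if score >= 3 else "payload"


def serve(headers, fingerprint):
    """Constructed cloaked site: two static bodies stand in for real content."""
    return DECOY_BODY if cloak_decision(headers, fingerprint) == "decoy" else PAYLOAD_BODY


def fetch_under_profiles(serve_fn, profiles):
    """Defender check: fetch the same URL under several client profiles and
    digest each body. profiles maps a label to (headers, fingerprint)."""
    return {label: hashlib.sha256(serve_fn(h, fp).encode()).hexdigest()[:16]
            for label, (h, fp) in profiles.items()}


def cloaking_detected(digests):
    """Different bodies for different profiles is the cloaking signal."""
    return len(set(digests.values())) > 1


# Constructed profiles: a bare fetcher, a headless browser, and a realistic victim.
PROFILES = {
    "curl": ({"User-Agent": "curl/8.5.0"}, None),
    "headless": ({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0 Safari/537.36",
                  "Accept-Language": "en-US"},
                 {"webdriver": True, "plugins": 0, "screen": (800, 600), "touch": False}),
    "victim_like": ({"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
                     "Accept-Language": "en-US,en;q=0.9",
                     "Referer": "https://mail.example/"},
                    {"webdriver": False, "plugins": 5, "screen": (1920, 1080), "touch": False}),
}

if __name__ == "__main__":
    digests = fetch_under_profiles(serve, PROFILES)
    print(digests, "cloaking:", cloaking_detected(digests))
```

The practical point for CTI tooling is the last function: a URL sandbox that only ever fetches with one bare profile sees the decoy every time, so the check has to replay a realistic browser fingerprint and a plausible referrer, and it is the divergence between profiles, not any single body, that marks the site as cloaked.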
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AEV77X@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AEV77X</pentabarf:event-slug>
            <pentabarf:title>Automating Dark Web CTI Reports with RAG Insight for MISP Sharing</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T143000</dtstart>
            <dtend>20241022T150000</dtend>
            <duration>003000</duration>
            <summary>Automating Dark Web CTI Reports with RAG Insight for MISP Sharing</summary>
            <description>This talk will include the following topic:
Introduce dark web forums
Dark web crawler
BERT classification
retrieval augmented generation introduction and application
Dark web CTI case study
STIX format CTI
MISP for sharing CTI</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/AEV77X/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Shing-Li Hung</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QFMBPR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QFMBPR</pentabarf:event-slug>
            <pentabarf:title>Dredge: An Open Source Framework for Cloud Incident Response</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T150000</dtstart>
            <dtend>20241022T153000</dtend>
            <duration>003000</duration>
            <summary>Dredge: An Open Source Framework for Cloud Incident Response</summary>
            <description>Working in the SolidarityLabs CSIRT, we help small organizations in Latin America to overcome cybersecurity incidents. Doing so, we found that Cloud incident response can be daunting, requiring a plethora of (expensive)  tools and skills, while most Cloud Based companies can&#8217;t allocate budget for preventive controls, there is less space for them to understand what to do if they are hacked, specially knowing how hard it is to find (And retain) a security engineer with cloud based skills and incident response mindset.

That&#8217;s why we created Dredge, an Open Source framework designed to streamline cloud incident investigations, by allowing Cloud Engineers and Incident Responders to execute non-trivial response tasks effortlessly, irrespective of your familiarity with specific cloud platforms nor incident response tactics.

The main idea is to empower Engineers to respond to attacks no matter what preparation they had before, taking advantage of most of the out-of-the box security features cloud providers offer but not everybody is aware, like being able to retrieve a forensic image from a running server or getting logs that they didn&#8217;t know they had.

Some Key Features that differentiate Dredge from existing tooling:
- Python-based CLI
- Retrieve logs seamlessly from Github, Kubernetes, AWS, GCP or Azure.
- Take action: whether it&apos;s blocking an IP in an AWS tenant, disabling an AccessKey, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.
- Identify tactical misconfigurations that can be exploited by an attacker.
- Execute Threat Hunting Techniques
- Create an attack  timeline based on IOCs.
- Analyze retrieved data effortlessly within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.
- Cloud Incident Response Guidelines for companies to embrace and build their playbooks.

Repo: https://github.com/solidarity-labs/dredge-mvp</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/QFMBPR/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Santi Abastante</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZTXHFU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZTXHFU</pentabarf:event-slug>
            <pentabarf:title>You just got a CTI program funded - now what?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T153000</dtstart>
            <dtend>20241022T160000</dtend>
            <duration>003000</duration>
            <summary>You just got a CTI program funded - now what?</summary>
            <description>After COVID, and with an almost completely new SOC team &#8211; some processes got left behind, some tools forgotten. What happens when your SOC completely falls outside of the CTI process? Where should you start when your CTI process doesn&#8217;t even exist? While CTI is understood to be expensive even for internal SOCs - as an MSSP SOC - we need to fund something that we cannot sell to customers. NRD CS was awarded a grant to build out their cyber threat intelligence maturity, but how does that actually work?

After a few months with a fancy new title, but still performing your old duties - you&apos;re finally handing off all your clients to your replacement, and are getting ready to jump into your new role. And then, here comes your CEO and SOC manager with news that they&apos;ve just secured a public grant for a CTI program, and they want you to lead it. Part-time.

This talk explores managing every aspect of starting a CTI program from (nearly) scratch, where a completely new SOC team takes over old processes and tools. Where do you start when your CTI program doesn&apos;t even exist? 

Our CTI development has already gone from being a CTI consumer with no practical application for the CTI, to a CTI consumer AND producer with standardized production, in addition to being a sharing community administrator. We will also present plans on increasing automation, quality of output, and more.

We&apos;ll present various challenges faced in kick-starting a CTI program, from what to do when your MISP is full of false positives, to how to motivate analysts to contribute to the program, to how to build a &apos;team&apos; when you don&apos;t have dedicated staff. We also explore technical issues faced, from connecting separate SIEMs into a central location, the impact of infrastructure changes on development work, just how hard hiring dedicated CTI specialists can be, JIRA automation pricing changes completely ruining our initial plans, and more.

In the end, we propose a basic plan comprised of a few simple steps and procedures that nearly anyone can implement to get a basic CTI program going.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ZTXHFU/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Lukas Vytautas Dagilis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XAYHMK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XAYHMK</pentabarf:event-slug>
            <pentabarf:title>Malware and Hunting for Persistence: How Adversaries Exploit Your Windows?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T161500</dtstart>
            <dtend>20241022T164500</dtend>
            <duration>003000</duration>
            <summary>Malware and Hunting for Persistence: How Adversaries Exploit Your Windows?</summary>
            <description>This presentation explores my discovery of unconventional malware persistence techniques through registry modifications and DLL hijacking vulnerabilities. We&apos;ll delve into cases involving Windows Internet Explorer, Win32API cryptographic features, Windows Troubleshooting, Microsoft Teams (patched), and Process Hacker 2 (patched in v3). The research highlights the exploitation of legitimate Windows resources for persistence and compares these methods with traditional techniques employed by APT groups and ransomware authors.
Detailed Proposal:

What is Malware Persistence?
An introduction to malware persistence, explaining how it allows malicious software to maintain a foothold on a compromised system.

User Privileged Techniques:
Exploring persistence methods that require only user-level privileges, such as registry modifications and leveraging user-specific settings.

Admin Privileged Techniques:
Investigating persistence techniques that need administrative privileges, including advanced registry modifications and system-level changes.

WinAPI Cryptography Features for Persistence:
Analyzing how Windows cryptographic APIs can be misused for maintaining persistence.

Vulnerability in Process Hacker 2:
A case study on exploiting a vulnerability in Process Hacker 2 for persistence, and the subsequent fix in Process Hacker 3.

Using Legitimate URLs for Bypassing and Persistence:
Examining the use of legitimate URLs and online services to bypass detection and maintain persistence.

Hunting for Persistence: From Zero to Hero:
A practical guide on hunting for and identifying new persistence techniques, with step-by-step methodologies and real-world examples.

Comparison with Classical Techniques:
Comparing these new methods with classical persistence techniques used by APT groups and ransomware authors, highlighting their effectiveness and stealthiness.

Explore the integration of machine learning models to predict and identify new persistence techniques. Investigate the potential for automated malware persistence using AI to adapt to and evade AV/EDR solutions dynamically.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/XAYHMK/</url>
            <location>Europe - Main Room</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
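The talk above covers persistence through registry modifications and how to hunt for it. As an added example (not the speaker's material), the block below triages the autostart entries that `reg export` writes for the Run and RunOnce keys, flagging the patterns hunters look for: executables in user-writable directories, system binary names outside the Windows directory, script hosts and LOLBins such as rundll32 loading a DLL from a user-writable path, and encoded or hidden PowerShell. The `.reg` text is constructed, and the indicator lists are assumptions to extend for your environment. Python is used so the triage runs offline on an export pulled from a host rather than needing to execute on it.

```python
"""Triage autostart entries from a `reg export` of the Run keys (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed .reg export: one HKCU and one HKLM Run key, plus an unrelated key
# that must be ignored. Keys use single backslashes, REG_SZ data doubles them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\Agent.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Loader"="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Start"
"PS"="powershell.exe -nop -w hidden -enc SQBFAFgA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')          # REG_SZ values only
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# Indicator lists are assumptions; extend them for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def unescape(data):
    """Undo the escaping reg export applies to REG_SZ data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def split_command(cmd):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def flags_for(exe, args):
    base = PureWindowsPath(exe).name.lower()
    flags = []
    if in_user_writable(exe):
        flags.append("exe in user-writable path")
    if base in SYSTEM_NAMES and "\\windows\\" not in exe.lower():
        flags.append("system binary name outside Windows directory")
    if base in SCRIPT_HOSTS:
        flags.append("script/LOLBin host")
        if base in ("rundll32.exe", "regsvr32.exe"):
            target = args.partition(",")[0].strip('" ')   # rundll32 takes dll,Entry
            if in_user_writable(target):
                flags.append("dll loaded from user-writable path")
        if base == "powershell.exe" and ("-enc" in args.lower() or "hidden" in args.lower()):
            flags.append("encoded or hidden PowerShell")
    return flags


def triage(reg_text):
    """Return one finding per autorun value: key, name, command, exe, flags."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue   # blank lines and non-string value types
        cmd = unescape(v.group(2))
        exe, args = split_command(cmd)
        findings.append({"key": key, "name": v.group(1), "command": cmd,
                         "exe": exe, "flags": flags_for(exe, args)})
    return findings


def suspicious(reg_text):
    return [f for f in triage(reg_text) if f["flags"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_REG):
        print(f["key"].split("\\")[0], f["name"], f["exe"], f["flags"])
```

On the constructed sample the two vendor entries pass clean and `Updater`, `Loader` and `PS` are flagged. The same parser applies to exports of the other autostart locations the talk touches (Winlogon, services, and the per-application keys abused for DLL hijacking) once their key suffixes are added to `AUTORUN_SUFFIXES`; the value-level checks are what carry over.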
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZCBUU9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZCBUU9</pentabarf:event-slug>
            <pentabarf:title>Trying Gateway Bugs: Breaking industrial protocol translation devices before the research begins</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T164500</dtstart>
            <dtend>20241022T171500</dtend>
            <duration>003000</duration>
            <summary>Trying Gateway Bugs: Breaking industrial protocol translation devices before the research begins</summary>
            <description>After introducing the very particular world of industrial network protocols and what they are used for, I will go through a vulnerability research process on a protocol gateway, from discovery to disclosure. Three first vulnerabilities discovered on the device tested will be explained and discussed considering common industrial operations, manufacturers&apos; response,  customers&apos; remediation and global OT cybersecurity research.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ZCBUU9/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Claire Vacherot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UWJCEE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UWJCEE</pentabarf:event-slug>
            <pentabarf:title>In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T171500</dtstart>
            <dtend>20241022T174500</dtend>
            <duration>003000</duration>
            <summary>In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense</summary>
            <description>1. Introduction to Linux Rootkits

- Overview of Linux rootkit capabilities

2. A History of Linux Rootkits

- Early rootkits: origins and initial capabilities
- Evolution of rootkit techniques over time

3. Advanced Rootkits: Techniques and Analysis

- Kernel-level rootkits:
    - Techniques for hooking and modifying kernel functions
- User-mode rootkits:
    - Methods for intercepting and manipulating user-space processes
- Hybrid rootkits:
    - Combining kernel and user-space techniques
- Rootkit persistence mechanisms and stealth techniques

4. Detection Strategies for Linux Rootkits

- Signature-based detection:
    - Tools and techniques for identifying known rootkits
    - Limitations of signature-based methods
- Behavioral analysis:
    - Monitoring system behavior for anomalies
    - Case studies of successful behavioral detection
- Integrity checking:
    - Verifying the integrity of system files and binaries
    - Challenges in maintaining accurate baselines
- Advanced detection tools and frameworks:
    - Overview of popular rootkit detection tools
    - Demonstration of practical detection techniques</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/UWJCEE/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Stephan Berger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LGTEXR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LGTEXR</pentabarf:event-slug>
            <pentabarf:title>Decoding Galah: an LLM powered web honeypot</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T174500</dtstart>
            <dtend>20241022T181500</dtend>
            <duration>003000</duration>
            <summary>Decoding Galah: an LLM powered web honeypot</summary>
            <description>In this talk, I will explore the limitations of traditional web honeypots and introduce Galah, an innovative LLM-powered solution designed to dynamically generate realistic HTTP responses. By evaluating the performance of different LLMs, we aim to determine their effectiveness in mimicking web applications and enhancing honeypot authenticity. I will share insights into the development process, including how to structure prompts, generate JSON outputs, and overcome common challenges. Additionally, I will present evaluation results, comparing various large language models to highlight their strengths and weaknesses. The talk will also feature interesting examples of LLM-generated HTTP responses. Finally, I will discuss practical insights and broader applications of LLMs beyond honeypots, offering valuable takeaways for attendees interested in leveraging LLMs for diverse use cases.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/LGTEXR/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Adel Karimi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YJYZFT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YJYZFT</pentabarf:event-slug>
            <pentabarf:title>ROP on ARM64 - a hands-on tutorial</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T140000</dtstart>
            <dtend>20241022T160000</dtend>
            <duration>020000</duration>
            <summary>ROP on ARM64 - a hands-on tutorial</summary>
            <description>### Part 1 - Introduction to essential ARM64 assembly
- Introducing ARM64
- Registers and their behaviour on ARM64
- ARM64 vs ARM32 architecture and assembly language
- A few ARM64 assembly instructions
- Restrictions on operand usage

### Part 2 - ROP Gadgets on ARM64
- Commonly found ROP gadgets on ARM64
- Where to look for ARM64 ROP gadgets
- Practical Ret2System ROP chain on ARM64

### Hands-On Workshop Requirements
- Working laptop running Docker
- Linux or macOS preferred as the base OS

Participants will be provided with an ARM64 emulator docker container for use during and after the workshop.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/YJYZFT/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Saumil Shah</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XEUUFC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XEUUFC</pentabarf:event-slug>
            <pentabarf:title>Dissecting the Threat: A Practical Approach to Reverse Engineering Malicious Code for Beginners</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T101500</dtstart>
            <dtend>20241022T114500</dtend>
            <duration>013000</duration>
            <summary>Dissecting the Threat: A Practical Approach to Reverse Engineering Malicious Code for Beginners</summary>
            <description>My session is focused on a deep analysis of malicious threats and what could be a practical approach to reverse engineering these threats (malware) in a controlled environment.

Here is a small breakdown of my session:
Introduction:
Reverse engineering plays a critical role in understanding and mitigating these threats by providing insights into the inner workings of malicious code. In this session, we will delve into the fundamentals of reverse engineering and explore practical approaches to dissecting malicious code effectively.

Fundamentals of Reverse Engineering:
Reverse engineering is the process of analyzing software or hardware to understand its design, functionality, and operation. Before diving into the analysis of malicious code, it&apos;s essential to grasp the foundational concepts and terminology of reverse engineering. This includes understanding assembly language, binary code, and the role of tools such as disassemblers, debuggers, and decompilers. Participants will gain insights into how these tools are used to examine executable files and extract valuable information from them.

Understanding Malicious Code:
Malicious code comes in various forms, each with its own set of functionalities and objectives. From viruses and worms to Trojans and ransomware, the threat landscape is diverse and constantly evolving. Through real-world examples, participants will learn to identify different types of malware and understand their behaviors. By gaining insight into the tactics employed by threat actors, security professionals can better prepare for and defend against cyber attacks.

Practical Approach to Reverse Engineering:
A practical approach to reverse engineering involves a systematic and methodical analysis of malicious code. During this segment, participants will be guided through a step-by-step demonstration of how to dissect a sample of malicious code. This will include techniques such as unpacking, disassembly, and code analysis. By leveraging tools like Ghidra and OllyDbg, attendees will learn to navigate through the intricate layers of obfuscation employed by malware authors.

Techniques for Extracting Indicators of Compromise (IOCs):
In addition to understanding the inner workings of malicious code, reverse engineering can also help extract valuable indicators of compromise (IOCs). These IOCs include file hashes, IP addresses, domain names, and patterns of behavior that can be used to detect and mitigate threats. Participants will learn techniques for identifying and extracting IOCs from malware samples, thereby enhancing their ability to detect and respond to cyber attacks.

Best Practices and Pitfalls:
While reverse engineering is a powerful tool for analyzing malicious code, it is not without its challenges. Participants will gain insights into common pitfalls encountered during the analysis process and learn best practices for overcoming them. This includes strategies for handling obfuscated code, managing complex malware samples, and ensuring the integrity of analysis environments. By adhering to these best practices, security professionals can maximize the effectiveness of their reverse engineering efforts.

Conclusion:
In conclusion, reverse engineering is a vital skill for security professionals seeking to understand and mitigate cyber threats. By mastering the practical approaches and techniques discussed in this session, participants will be better equipped to dissect malicious code, extract valuable insights, and defend against cyber attacks. As the threat landscape continues to evolve, the ability to reverse engineer malware effectively will remain a critical component of any cybersecurity strategy.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/XEUUFC/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Ankshita Maunthrooa</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DSHQJ7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DSHQJ7</pentabarf:event-slug>
            <pentabarf:title>Lookyloo, Pandora, and all the bells and whistles to go with them.</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T140000</dtstart>
            <dtend>20241022T160000</dtend>
            <duration>020000</duration>
            <summary>Lookyloo, Pandora, and all the bells and whistles to go with them.</summary>
            <description>[Lookyloo](https://github.com/Lookyloo/lookyloo) is an analysis tool to investigate URLs, [Pandora](https://github.com/pandora-analysis/pandora) is a static file analyzer. They both have public demo interfaces ([1](https://lookyloo.circl.lu/), [2](https://pandora.circl.lu/submit)) and I presented them at [last year&apos;s Pass the Salt](https://passthesalt.ubicast.tv/videos/2023-analyse-your-weird-urls-the-easy-way/) (and the demo effect is still [a thing](https://passthesalt.ubicast.tv/videos/2023-rump-lookyloo-the-missing-demo-from-the-morning/)).

I invite you to watch the videos before attending the workshop so we&apos;re all on the same page: this workshop will be very dense as we will cover many tools, so we will start with a quick introduction but we will also assume you have a rough idea of what the tools are.

This workshop will be similar to the one we gave at [Pass the Salt 2024](https://cfp.pass-the-salt.org/pts2024/talk/9HQ9VQ/), but with new features and improvements.

The main tools we will use are the following:

* Lookyloo (to analyze URLs)
* Pandora (to analyze files)
* Lacus (optionally, to capture the URLs when you have a lot of them)
* A URL monitoring interface (to compare a specific URL over time)
* Phishtank Lookup (to check if a URL is known or not)

We will also have a look at what a capture means for Lookyloo, and a deep dive in the settings you can pass when you&apos;re triggering one.

Due to time constraints, we won&apos;t have much time to troubleshoot sysadmin issues on your own machines. Do not worry though, there are pre-configured instances of all the tools you&apos;ll be able to play with during the session, and use their APIs. If you want to install the tools on your machine, you&apos;ll need admin rights on a recent Linux box, preferably Ubuntu 24.04.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/DSHQJ7/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Rapha&#235;l Vinot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3UBBJQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3UBBJQ</pentabarf:event-slug>
            <pentabarf:title>Exploring OpenSSH: Hands-On Workshop for Beginners</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T101500</dtstart>
            <dtend>20241022T114500</dtend>
            <duration>013000</duration>
            <summary>Exploring OpenSSH: Hands-On Workshop for Beginners</summary>
            <description>Most beginners only use the *ssh* command from OpenSSH to reach a shell on
remote machines, and that&apos;s it. They don&apos;t really know how to deal with
features like port forwarding in order to ease their work.
This workshop is designed to help them level up their skills with OpenSSH.

This workshop is intended for beginners who want to improve their practical
knowledge of the OpenSSH tool suite.

Knowledge prerequisites:
- Basic networking: IP, TCP/UDP, DNS, tcpdump/Wireshark
- Classical Linux shell usage: command execution, redirections, pipes, sudo, basic package management, etc.
- Basic usage knowledge of OpenSSH</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/3UBBJQ/</url>
            <location>Hollenfels</location>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UJAWVW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UJAWVW</pentabarf:event-slug>
            <pentabarf:title>Operationalization of Sigma Rules with Processing Pipelines</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T140000</dtstart>
            <dtend>20241022T160000</dtend>
            <duration>020000</duration>
            <summary>Operationalization of Sigma Rules with Processing Pipelines</summary>
            <description>The [Sigma project](https://sigmahq.io/) offers thousands of open source detection rules that can be used to conduct threat hunting and detection. But before this can be done, the conversion tool has to be configured properly to generate queries that match the data model of the SIEM or EDR in use. [pySigma processing pipelines](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070) offer a feature-rich YAML-based language for this purpose that allows a wide range of transformations like:

* simple field mappings
* value transformation with regular expressions
* addition of conditions
* handling of placeholders
* conditional Jinja2-based templating

Transformations can be applied conditionally to rules with specific attributes or detection items that match a given pattern.

In this hands-on session you will learn some common use cases for processing pipelines and have the opportunity to discuss real-world challenges you encountered while operationalizing Sigma rules in your environment.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/UJAWVW/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Thomas Patzke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JDM9V7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JDM9V7</pentabarf:event-slug>
            <pentabarf:title>Hands-on Kubernetes security with KubeHound (purple teaming)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241022T161500</dtstart>
            <dtend>20241022T181500</dtend>
            <duration>020000</duration>
            <summary>Hands-on Kubernetes security with KubeHound (purple teaming)</summary>
            <description>There&#8217;s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without any third-party tooling.

In this workshop we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the custom KubeHound DSL to demonstrate its power to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. If the DSL is not enough, we will cover the basics of Gremlin, the language used by our graph technology so you can find relevant attack paths that matter to you.

As attackers (or defenders), there&apos;s nothing better to understand an attack than to exploit it oneself. So in this workshop we will cover some of the usual attack paths and exploit them. This way you will see for yourself how difficult (or not) it is to fully compromise a Kubernetes cluster (#DontDoThisAtHome).

Finally, in this workshop we will also demonstrate two ways of using KubeHound:
* As a standalone tool that can be run from a laptop
* Or deployed as a service in your own Kubernetes clusters (KubeHound as a Service)

The main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths and how attackers can have a treasure map to fully compromise a Kubernetes cluster by using the free and open source version of KubeHound.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JDM9V7/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Julien</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8FR7FH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8FR7FH</pentabarf:event-slug>
            <pentabarf:title>CSIRT and the Chocolate Factory</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T090000</dtstart>
            <dtend>20241023T093000</dtend>
            <duration>003000</duration>
            <summary>CSIRT and the Chocolate Factory</summary>
            <description>Our CSIRT team responded to a ransomware attack at a small company specialized in the production of chocolate machines. All their documentation (technical, commercial, administration, &#8230;) was ransomed, and they would go out of business if they could not recover their documentation soon. To prevent this, they paid the ransom and obtained a decryption tool and a key, but it malfunctioned. The files were still ransomed. At this point, our CSIRT was called in and successfully decrypted the ransomed documentation. It turned out that, due to some malfunction, the original ransomware did not encrypt the original files (just changed their extension and added ransomware metadata), while the decryptor then actually encrypted the files (and restored the original extension and removed the ransomware metadata).

After this success, research into the algorithms implemented in this ransomware strain started. It became clear that this sample contains inherent flaws in its cryptographic design. Although well-established cryptographic primitives are used (like AES), they are used in a flawed way and introduce vulnerabilities that when exploited, lead to the decryption of ransomed files without knowing the encryption password and/or key.

The vulnerabilities are caused by the combination of 1) the use of AES CTR (counter) mode, 2) partial encryption of ransomed files, and 3) reuse of encryption keys across same and different ransomed files.

These vulnerabilities enabled our CSIRT to develop decryptor scripts that can decrypt ransomed files in most cases. For example, the redundancy in ransomed ZIP files (like .docx, .xlsx, &#8230;) can be used to decrypt a collection of these files. The more ransomed ZIP files available, the better for this decryption method. We will cover different decryption methods during the presentation.

Finally, during this presentation, we will demo and share YARA rules to detect this ransomware and new variants (associated with Scarab/Spacecolon), together with our decryption scripts.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/8FR7FH/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GMEUXG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GMEUXG</pentabarf:event-slug>
            <pentabarf:title>The Gist of Hundreds of Incident Response Cases</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T093000</dtstart>
            <dtend>20241023T100000</dtend>
            <duration>003000</duration>
            <summary>The Gist of Hundreds of Incident Response Cases</summary>
            <description>After this talk, the audience will understand the top artifacts evaluated in every incident response case. For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.

This discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.

Speaking of essential event logs, we will discuss the importance of PowerShell event logs and logging, as these are still up to date and frequently used by ransomware groups and APTs.

We will showcase how to find suspicious files, which might point out a staging directory from the attacker, as well as the importance of checking the antivirus logs carefully (which is always my first step into a new investigation).

On the other hand, we will discuss other important forensics concepts like Shellbags and how you can use them to show the customer which directories the threat actor(s) roamed around in.

As one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, who now works for Rapid7. These Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.

At the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/GMEUXG/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Stephan Berger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QJAJJK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QJAJJK</pentabarf:event-slug>
            <pentabarf:title>IoT hacks humans - unexpected angles of Human Process Compromise</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T101500</dtstart>
            <dtend>20241023T104500</dtend>
            <duration>003000</duration>
            <summary>IoT hacks humans - unexpected angles of Human Process Compromise</summary>
            <description>1. Introduction (4m)
- Human Process Compromise is Business Process Compromise moved one step closer to the human.
-- Why Human Process Compromise is a fragile chain under Business Process Compromise umbrella
-- How HPCs completely bypass these entire classes of security measures.
- IoT angle of HPC - What IoT knows about humans.
- Technology enablers for attacks
- Techniques to manipulate humans and public opinions.
2. Tools and technologies used (6m)
- Use of the connected world data to choose appropriate targets.
-- Profiling humans for criminal monetization attacks
-- Choosing targets for espionage operations
-- Affecting critical events, like elections
- Weaponization - extracting human, social groups and society habits and weaknesses to target
- Actions on target - empowering and boosting manipulation techniques with IoT and connected world data.
-- Boosting Fake News and Opinion manipulation campaigns with IoT data
-- Reshaping Identity linked attack surface like bank account MFA, voice authentication, SIM card based identities using HPC.
-- Targeting physical events.
- Required knowledge, technologies and cost of operations.
3. Connecting the dots: Attack scenarios and case studies (15m)
- Underground actors approach and criminal monetization
-- Services and technologies: use and abuse of big data, generative AI, biometrics, PII, voice, face, source phone number substitution, IoT and cloud IoT technologies and credentials market.
-- Typical targets (victims) and attack scenarios
-- Criminal business processes and monetization options
- State sponsored attack scenarios
-- Espionage with HPC
-- Forced and disruptive physical actions against critical assets
-- Manipulations of negotiations outcomes
-- Manipulating the crowds and societies attack scenarios.
- Privacy breach scenarios that leverage IoT connectivity (4m)
4. How to deal with it (3m)
5. Conclusion (2m)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/QJAJJK/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Vladimir Kropotov</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HWDZGZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HWDZGZ</pentabarf:event-slug>
            <pentabarf:title>KubeHound: Identifying attack paths in Kubernetes clusters at scale with no hustle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T104500</dtstart>
            <dtend>20241023T111500</dtend>
            <duration>003000</duration>
            <summary>KubeHound: Identifying attack paths in Kubernetes clusters at scale with no hustle</summary>
            <description>There&#8217;s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Understanding interdependencies in a Kubernetes cluster, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. But not all misconfigurations are equal: some are not a big deal, but some can lead to the full takeover of an entire Kubernetes cluster. This illustrates the well-known adage: &quot;Defenders think in lists, attackers think in graphs; as long as this is true, attackers win&quot;.

In this talk we will introduce how KubeHound, an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog, can help you pinpoint the most critical attack within your Kubernetes cluster:
From a defender&#8217;s point of view, it means how to prioritize which security initiative is more important, built on concrete security KPIs.
From an attacker&#8217;s point of view, it means finding the lowest-effort attack path that will lead to their goal, usually full takeover of the entire cluster. Having a treasure map saves a ton of time for the attacker.

In short, single point security findings have little traction either for an attacker or defender. So we will demonstrate how KubeHound being a queryable, graph database of attack paths makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.

At the end of the talk, we will leave you with an open-source version of KubeHound designed to be run from a laptop to evaluate the attack paths within a single cluster from an attacker or defender point of view. Finally, we will discuss the approach and challenges of implementing a distributed, large-scale version of the tool at Datadog and how you might implement a similar solution in your own environment.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/HWDZGZ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Julien</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9SSSTW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9SSSTW</pentabarf:event-slug>
            <pentabarf:title>The Web of cognitive warfare</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T111500</dtstart>
            <dtend>20241023T114500</dtend>
            <duration>003000</duration>
            <summary>The Web of cognitive warfare</summary>
            <description>In this talk, I use CTI methods to analyse influence operations and cognitive warfare, showcasing the ongoing operation run by the threat actor in their new modus operandi: targeting based on paid ads, combined with finance scams and vast data collection on social networks.
The OPSEC of the actor allows for long-term campaigns with low levels of detection, even by AI.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/9SSSTW/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Jindrich Karasek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DNBRHN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DNBRHN</pentabarf:event-slug>
            <pentabarf:title>It Has Been [0] Days Since the Last Edge-Device Security Incident</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T114500</dtstart>
            <dtend>20241023T121500</dtend>
            <duration>003000</duration>
            <summary>It Has Been [0] Days Since the Last Edge-Device Security Incident</summary>
            <description>Over the past 12 months, Volexity has identified two security incidents in customer environments caused by zero-day exploits: CVE-2023-46805 &amp; CVE-2024-21887 (Ivanti Connect Secure), and CVE-2024-3400 (Palo Alto Networks Global Protect). This talk will explore why security issues affecting edge devices remain a persistent problem, examine common detection approaches used by Volexity to identify such incidents, and outline methods organisations can employ to detect similar incidents within their own environments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/DNBRHN/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Rascagneres</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NXFR3H@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NXFR3H</pentabarf:event-slug>
            <pentabarf:title>A quick monologue on global inefficiency</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T133000</dtstart>
            <dtend>20241023T134000</dtend>
            <duration>001000</duration>
            <summary>A quick monologue on global inefficiency</summary>
            <description>A new threat emerges. This could be new malware, new exploitation techniques, new types/classes of vulnerabilities, new cloud attack vectors, whatever it is - the new threat leaves every SOC globally, and individually, struggling to understand it in order to mitigate and detect it.

This is horribly inefficient. We need something that scales better! I want to point out this global inefficiency in order to explain why we need to issue a call for action.

What&apos;s being done today is that researchers are trying to document their work researching malware, or forensically following the traces of attackers in networks/clouds, or detection teams are sharing detections they built to address MITRE ATT&amp;CK techniques. But they&apos;re sharing without a standard methodology, framework or even approach; it does not scale very well, and the shared knowledge is never incorporated into a global body of knowledge.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/NXFR3H/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Claus</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZBCZDB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZBCZDB</pentabarf:event-slug>
            <pentabarf:title>Flowintel - flow your management</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T134000</dtstart>
            <dtend>20241023T134500</dtend>
            <duration>000500</duration>
            <summary>Flowintel - flow your management</summary>
            <description>Quick presentation of the tool and main features.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ZBCZDB/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Cruciani David</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WDD9BU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WDD9BU</pentabarf:event-slug>
            <pentabarf:title>How I Learned to Stop Worrying and Love the NLF</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T134500</dtstart>
            <dtend>20241023T135000</dtend>
            <duration>000500</duration>
            <summary>How I Learned to Stop Worrying and Love the NLF</summary>
            <description>This lightning talk aims at summarising upcoming EU product and service regulations and how they relate.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/WDD9BU/</url>
            <location>Europe - Main Room</location>
            
            <attendee>fukami</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TQZPPU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TQZPPU</pentabarf:event-slug>
            <pentabarf:title>Any sufficiently advanced technology is indistinguishable from 01 January 1970</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T135000</dtstart>
            <dtend>20241023T135500</dtend>
            <duration>000500</duration>
            <summary>Any sufficiently advanced technology is indistinguishable from 01 January 1970</summary>
            <description>The 2038 problem will soon start to get picked up by the popular press, which will lead to significant public pressure to do something before our technology stack crashes. However, our technology stack is getting so complex with abstraction layers that by 2038 it might be positively unmanageable. This presents us with an opportunity to refit our social tech stack with something not only &quot;secure-by-design&quot; but also maintainable-by-future-generations-by-design. Behind all this drama lurks the challenge that as 19 January 2038 draws closer, ever more hands from around the globe will be frantically reaching for increasingly scarce components from one hotly contested island off the coast of the PRC. This is the truly hard problem which lies before us today.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TQZPPU/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Trey Darley</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HGC9ZR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HGC9ZR</pentabarf:event-slug>
            <pentabarf:title>How much time we had for IPv6 preparation?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T135500</dtstart>
            <dtend>20241023T140000</dtend>
            <duration>000500</duration>
            <summary>How much time we had for IPv6 preparation?</summary>
            <description>The move to IPv6 is not just something that will happen in the future. It has already happened, and we often see that crazy thing in logs. How come it happened so fast? Why have we not been prepared? Well, in fact... :)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/HGC9ZR/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Nicol Dankova</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WM93CN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WM93CN</pentabarf:event-slug>
            <pentabarf:title>I Need Access: Exploit Password Management Software To Obtain Credential From Memory</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T140000</dtstart>
            <dtend>20241023T143000</dtend>
            <duration>003000</duration>
            <summary>I Need Access: Exploit Password Management Software To Obtain Credential From Memory</summary>
            <description>Passwords have long been a fundamental aspect of cybersecurity, with numerous attacks targeting the covert acquisition of user passwords. Password management software (PM) has emerged as a crucial defense mechanism against such attacks. Despite the security measures embedded in these applications, misconfigurations and user errors can still result in sensitive data breaches.

In this context, the current presentation introduces a newly developed red teaming tool called Pandora (https://github.com/efchatz/pandora). Pandora is capable of extracting end-user credentials from 18 widely-used PM implementations, including MS Windows 10 desktop applications and browser plugins. The sole requirement for Pandora to function is for the PM to be active, enabling the tool to dump the PM&#8217;s processes. Through experimentation, it was found that only 1Password necessitates high integrity privileges for an attacker to dump the relevant processes. Once executed on a host machine, Pandora will dump the PM&#8217;s processes, analyze them, and extract any user credentials it finds. The tool offers various modes to support penetration testers and can provide an additional attack vector in red team engagements, given the widespread use of PMs today.

Methodologically, Pandora operates based on the specific implementation of each PM. Many PMs store their entries or master credentials in plaintext within the memory of the corresponding processes. Consequently, Pandora consists of different autonomous scripts tailored to each PM implementation.

Following a Coordinated Vulnerability Disclosure (CVD) process, most vendors responded that these issues fall outside their scope, as the attacker requires local access, or the antivirus/endpoint detection and response (AV/EDR) systems might prevent such attacks. To date, only two vendors have acknowledged the problem, with one already reserving a CVE ID: CVE-2023-23349 (Kaspersky).

It is important to note that this issue is not entirely new. It has long been recognized that there is no foolproof method for desktop applications to be protected against such attacks. However, to the best of our knowledge, this is the first time such a tool has been publicly discussed and made available. Since various PMs use different encryption and obfuscation methods, it is up to the pentesting community to encourage vendors to implement protections that will safeguard user credentials.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/WM93CN/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Efstratios Chatzoglou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YYCNKP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YYCNKP</pentabarf:event-slug>
            <pentabarf:title>Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T143000</dtstart>
            <dtend>20241023T150000</dtend>
            <duration>003000</duration>
            <summary>Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution</summary>
            <description>## Outline

1. Why a CTF at FIRST and Its Specificities?
2. How Gamification Supports Spreading Knowledge?
3. Are CTFs the Sole Approach?
4. Pitfalls and Points of Attention
5. Statistics and Figures
6. Conclusion

## Why Have a CTF at FIRST and Its Specificities?

The FIRST.org CTF is designed to reinforce the FIRST community, spread knowledge, and foster trust and collaboration. The focus is placed on defensive and constructive aspects rather than offensive ones. Players are strongly encouraged to participate in teams. Tools are provided to help find potential teammates, resulting in teams composed of players who have not previously worked together. An interesting example was observed at the latest FIRST annual conference, where the team holding the 1st position for most of the week was formed in this manner.

This section will, therefore, cover how a CTF, using the FIRST event as an example, is an effective way to contribute to establishing vibrant communities.

## How Gamification Supports Spreading Knowledge?

Through challenges, players encounter intellectual hurdles designed for learning. Each challenge is built to ensure that the player learns by doing. Participation motivates players to strive and solve as many puzzles as possible. Working in teams encourages players to contribute to the collective effort and collaborate to maximize their results. A CTF combines rewards for collaborative efforts with a learn-by-doing approach. The CTF team itself demonstrates how organizations that might not typically collaborate can unite efforts toward a common goal.

## Are Only CTFs Useful for Gamification of Training?

While CTFs are perhaps the most obvious technique, we will discuss an alternative option that could be offered to communities: [hackathons](https://en.wikipedia.org/wiki/Hackathon).

As previously stated, the FIRST CTF is built with a constructive approach: players defend and are not rewarded for breaking things. Hackathons extend this concept further. A group of people collaborates on a dedicated task during a limited time, producing something that yields actual results. This might range from contributing to an existing tool to creating a proof of concept for a new tool.

## Pitfalls and Points of Attention

In this section, we will discuss the challenges we encountered and the lessons learned. These encompass various aspects such as addressing cheating, providing on-site assistance, and aligning diverse expectations...

## Statistics and Figures

In this section, we will revisit a decade of CTF at FIRST and compile notable statistics.

It is particularly significant to highlight the considerable effort required to construct a high-quality CTF and illustrate how this effort is rewarded by robust participation at the conference.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/YYCNKP/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Alexandre Dulaunoy</attendee>
            
            <attendee>David Durvaux</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>88DSDM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-88DSDM</pentabarf:event-slug>
            <pentabarf:title>Artemis: how CERT PL improves the security of the Polish internet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T150000</dtstart>
            <dtend>20241023T153000</dtend>
            <duration>003000</duration>
            <summary>Artemis: how CERT PL improves the security of the Polish internet</summary>
            <description>Since the beginning of 2023, CERT PL has been periodically scanning more than 500 thousand domains and subdomains of universities, hospitals, government institutions, schools, banks and other organizations, and detecting hundreds of thousands of issues (including high-severity ones, such as SQL Injection, in important entities).

For that task we built a custom tool: Artemis (https://github.com/CERT-Polska/Artemis). It checks various aspects of website security and builds easy-to-read messages informing organizations about the scanning results.

During the presentation, I will describe the way Artemis works, what we are looking for, and most significantly - lessons we&apos;ve learned during our large-scale scanning project. As the tool is open-source, I will touch upon how to set up your own scanning pipeline.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/88DSDM/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Krzysztof Zaj&#261;c</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JU3CXK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JU3CXK</pentabarf:event-slug>
            <pentabarf:title>Spicy &#8212; Generating Robust Parsers for Protocols &amp; File Formats</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T153000</dtstart>
            <dtend>20241023T160000</dtend>
            <duration>003000</duration>
            <summary>Spicy &#8212; Generating Robust Parsers for Protocols &amp; File Formats</summary>
            <description>[Spicy](https://docs.zeek.org/projects/spicy/en/latest/) is a parser generator that makes it easy to create robust parsers for network protocols, file formats and more. Spicy is a bit like a &quot;yacc for protocols&quot;, but it is much more than that: It is an all-in-one system enabling developers to write attributed grammars that describe both syntax and semantics of an input format using a single, unified language. Think of Spicy as a domain-specific scripting language for all your parsing needs.

In the last couple of years we have evolved and used Spicy as a tool in the [Zeek network monitoring ecosystem](https://zeek.org/) to make it easier for researchers and domain experts to surface information transmitted live over the network. Spicy includes dedicated support to work with lossy captures or malformed traffic. By providing an API Spicy can be embedded into other projects (like Zeek embeds Spicy).

This talk gives a practical overview of and introduction to Spicy.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JU3CXK/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Benjamin Bannier</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NUZYZK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NUZYZK</pentabarf:event-slug>
            <pentabarf:title>Securing the Stars: Comprehensive Analysis of Modern Satellite Vulnerabilities and Emerging Attack Surfaces</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T161500</dtstart>
            <dtend>20241023T164500</dtend>
            <duration>003000</duration>
            <summary>Securing the Stars: Comprehensive Analysis of Modern Satellite Vulnerabilities and Emerging Attack Surfaces</summary>
            <description>In the past, due to the high costs of satellite manufacturing, design, and launch, as well as regulatory restrictions, satellite research and production were closely linked to government agencies, research institutions, and military defense. In recent years, with the small size and light weight of small satellites, the widespread use of commercial components, and the significant reduction in satellite launch costs, the development and extensive use of small satellites have emerged. As a result, there has been a substantial increase in projects involving self-developed open-source satellite protocols and DIY small satellites. This article will share classic vulnerabilities from past satellite-related attacks and discuss new security vulnerabilities in open-source satellite protocols.
The case studies include three vulnerabilities related to CAN bus transmission in the open-source library SPACECAN, which is used for internal satellite communication in the LibreCube project, an open-source satellite project. It also covers issues with libcsp, an open-source satellite communication protocol with a 10-year history that has been used by several satellites, including those of the European Space Agency (ESA). Additionally, the article includes a special case study of a ground station-like system, analyzing the process and implications of achieving remote code execution (RCE) and affecting satellites.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/NUZYZK/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Vic Huang</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MLBVAR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MLBVAR</pentabarf:event-slug>
            <pentabarf:title>DFIQ - Codifying digital forensic intelligence</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T164500</dtstart>
            <dtend>20241023T171500</dtend>
            <duration>003000</duration>
            <summary>DFIQ - Codifying digital forensic intelligence</summary>
            <description>High level talk overview:

* DFIQ - in theory
  * DFIQ objects: Scenarios, Facets, Questions, and Approaches
    * Codifying a common scenario with DFIQ objects

* DFIQ - in practice
  * Open source challenges
  * DFIQ schema evolution
  * Implementation
    * Storing, editing, building a DFIQ graph in Yeti
    * Using DFIQ to structure an investigation in Timesketch
    * Examples of full end-to-end evidence collection and analysis workflows with dfTimewolf, GRR / Velociraptor, Plaso, Timesketch</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/MLBVAR/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Thomas Chopitea</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FZ3WJ9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FZ3WJ9</pentabarf:event-slug>
            <pentabarf:title>Cyber Threats to Advanced Intelligent Connected Vehicle Systems</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T171500</dtstart>
            <dtend>20241023T174500</dtend>
            <duration>003000</duration>
            <summary>Cyber Threats to Advanced Intelligent Connected Vehicle Systems</summary>
            <description>To begin with, we analyze vehicle systems and assess hardware such as the T-Box and IVI for shell access. Furthermore, we detail methods for gaining elevated permissions within ICV systems, which include collecting network configurations and accessing critical components like the Driver Monitoring System (DMS) and Main Camera System (MCS). Our file analysis of nine ICV systems reveals significant information leaks, including certificates and private keys, while also identifying vulnerabilities in communication logic and memory management. Notably, key threats arise from remote operation risks via compromised T-Boxes and the potential exploitation of the Controller Area Network (CAN) interface, which could allow manipulation of vehicle control systems. Overall, this research underscores the urgent need for enhanced security measures in the design and implementation of ICVs.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/FZ3WJ9/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Shihao Xue</attendee>
            
            <attendee>Yuqiao Ning</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HFN9BP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HFN9BP</pentabarf:event-slug>
            <pentabarf:title>APT28: Following bear tracks back to the cave</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T174500</dtstart>
            <dtend>20241023T181500</dtend>
            <duration>003000</duration>
            <summary>APT28: Following bear tracks back to the cave</summary>
            <description>In this talk we will cover all aspects of ITG05&apos;s most recent campaigns, carefully following the timeline of evolving TTPs resulting from shifts in priorities and resources. The most recent lures are indicative of high-profile targets across the globe, and the continuous improvement of malware deployment and capabilities is evidence of the significant threat posed by ITG05. The audience will experience an in-depth analysis tracing malware such as Headlace, Masepie and Oceanmap back to their origins. Finally, we will take a quick peek into the crystal ball and discuss what the future might hold.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/HFN9BP/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Golo M&#252;hr</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L7UTNJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L7UTNJ</pentabarf:event-slug>
            <pentabarf:title>MISP Kickstart</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T140000</dtstart>
            <dtend>20241023T160000</dtend>
            <duration>020000</duration>
            <summary>MISP Kickstart</summary>
            <description>In this training session we&apos;ll cover setting up your own test or development instance of MISP, working through configuration, understanding the security and diagnostics. After that we&apos;ll cover everything you&apos;ll need to know about events, communities, and feeds. We&apos;ll also look at some practical use cases for MISP, whether you&apos;re a SOC analyst, intel analyst, or IR consultant.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/L7UTNJ/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Shanna Daly</attendee>
            
            <attendee>James Garratt</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PTAEB8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PTAEB8</pentabarf:event-slug>
            <pentabarf:title>Malware Development and Persistence</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T161500</dtstart>
            <dtend>20241023T181500</dtend>
            <duration>020000</duration>
            <summary>Malware Development and Persistence</summary>
            <description>Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, because most (classic) malware is written for Windows, this, as a rule, gives you tangible knowledge of developing under Windows.

The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.
The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.

The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)

Most of the examples in this course require an entry-level understanding of the Python and C/C++ programming languages.

Knowledge of assembly language basics is not required but will be an advantage.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/PTAEB8/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3X7WPD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3X7WPD</pentabarf:event-slug>
            <pentabarf:title>A New (free) Internet Listener in Town</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T190000</dtstart>
            <dtend>20241023T190500</dtend>
            <duration>000500</duration>
            <summary>A New (free) Internet Listener in Town</summary>
            <description>The mission of Seika.io is to provide context for IP addresses we have observed in various contexts. In addition, we aim at detecting and tracking exploitation of the most well-known exposed devices. It can be useful combined with a SIEM or a case management system (like DFIR IRIS), for instance.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/3X7WPD/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Mathieu LE CLEACH</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JNVUN9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JNVUN9</pentabarf:event-slug>
            <pentabarf:title>Unlocking BEAM&apos;s Pandora&apos;s Box: Security Pitfalls in Distributed Erlang and Elixir Systems</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T190500</dtstart>
            <dtend>20241023T191000</dtend>
            <duration>000500</duration>
            <summary>Unlocking BEAM&apos;s Pandora&apos;s Box: Security Pitfalls in Distributed Erlang and Elixir Systems</summary>
            <description>Key Demonstrations depending on time and preparation -_-:

- Show how easily nodes can be connected, and how one can execute code on remote nodes (it&apos;s a feature, not a bug)
- Show how to use :erlang.term_to_binary and Base.url_encode64 to serialize and transmit malicious functions.
- Show basic reverse shells running on the BEAM
- Show how one can replace Modules using Code.compile_string/1 and hot code swapping.
- Show what the BEAM can do with SSH (an attacker can start an SSH server inside the BEAM VM, and also initiate SSH connections to further exploit remote systems.)
- Illustrate how to spread malicious code to connected nodes using spawn and rpc:cast.
- Discuss the risk of connecting to an unknown remote node</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JNVUN9/</url>
            <location>Schengen 1 &amp; 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LYXZQN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LYXZQN</pentabarf:event-slug>
            <pentabarf:title>Sharing IoC - Wrong Answers Only</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T191000</dtstart>
            <dtend>20241023T191500</dtend>
            <duration>000500</duration>
            <summary>Sharing IoC - Wrong Answers Only</summary>
            <description>Quick presentation of the worst sharing methods I came across while looking at OSINT reports.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/LYXZQN/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Deborah Servili</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T101500</dtstart>
            <dtend>20241023T114500</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).
The goal is to get your hands on the goods, which are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T140000</dtstart>
            <dtend>20241023T153000</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).
The goal is to get your hands on the goods, which are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T161500</dtstart>
            <dtend>20241023T174500</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).
The goal is to get your hands on the goods, which are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HXTFKM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HXTFKM</pentabarf:event-slug>
            <pentabarf:title>Defeating Encryption By Using Unicorn Engine</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T140000</dtstart>
            <dtend>20241023T160000</dtend>
            <duration>020000</duration>
            <summary>Defeating Encryption By Using Unicorn Engine</summary>
            <description>Applications, binaries, and frameworks often contain complex functionalities like encryption and decryption methods that are hidden from the user. Reverse-engineering these can be difficult and time-consuming, especially when they involve non-standard, proprietary or non-documented cryptographic functions. This is where Unicorn Engine comes in. It enables us to execute code dynamically without the need for the proper environment or hardware. By emulating the execution, we can analyse and understand the underlying operations, making the reverse-engineering process more effective.

With Unicorn Engine, you can dissect and manipulate code in a controlled environment. Whether you are dealing with malware analysis, software debugging, or vulnerability research, Unicorn Engine is an awesome tool in your reverse-engineering toolkit.

This training will focus on reverse-engineering one or more binaries with Ghidra. Participants will identify various encryption or obfuscation functions and write code for Unicorn Engine in Python to utilise these functions without ever executing the binary.

No special knowledge is required, but familiarity with Python, Ghidra, and assembly would be beneficial. The training will introduce Unicorn Engine to the audience and explain it in depth.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/HXTFKM/</url>
            <location>Hollenfels</location>
            
            <attendee>Balazs Bucsay</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UXQXUT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UXQXUT</pentabarf:event-slug>
            <pentabarf:title>Unleashing the power of purple teaming with OpenTIDE</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T161500</dtstart>
            <dtend>20241023T174500</dtend>
            <duration>013000</duration>
            <summary>Unleashing the power of purple teaming with OpenTIDE</summary>
            <description>### Workshop objectives

This workshop will introduce the opensource Threat-Informed Detection Engineering framework [OpenTIDE](https://code.europa.eu/ec-digit-s2/opentide) and how it can support collaborative work between the Cyber Threat Intelligence and Detection Engineering teams.
The workshop will use a repository on gitlab.com and participants will have the opportunity to develop some models using Visual Studio code.

Starting from some example CTI reports and research, we will showcase how to develop the chained Threat Vector Models (TVMs) that capture the key points of the procedure an attacker follows to conduct the attack, at the granularity required below the kill chain stage and the ATT&amp;CK (sub-)techniques, in order to steer the work of the Detection Engineering team in defining the detection objectives that result from that knowledge gained about the attacker.

The workshop should allow participants to see in practice the benefit of having structured, machine-ready models to automatically build the knowledge graph that maintains the detection coverage (and also the threat coverage) over time.
In particular, we will demonstrate how to deduplicate the information received from TI reports, often in PDF, or blog

### Agenda
- Introduction to DetectionOps with OpenTIDE with Q&amp;A
- Setup &#8211; see below
- From Intelligence to OpenTIDE &#8211; Drafting &amp; Reviewing Threat Vector Models
- From TVMs to detection - Building and Deploying detections
- Wrap-Up

### Preparation if you plan to attend the workshop
You are more than welcome to join this workshop. For a good experience, please read below:

* We provide a **private project** on Gitlab.com [Hack.lu OpenTIDE Workshop](https://gitlab.com/moloch_project/hack.lu-opentide-workshop)
* Create/Prepare a free **account on [gitlab.com](https://gitlab.com/users/sign_up)** that we will add to the project. Please mention your handle on this [pad](https://hebdo.framapad.org/p/l0z8x0iwps-aaq8?lang=en); it is public.
* [Visual Studio Code](https://code.visualstudio.com/) is the main editor we will refer to and use during the workshop; any other IDE you are familiar with should work, provided you can easily git clone, commit and push to the GitLab project.

* Interest in making CTI actionable / in Detection Engineering
   - We will propose some CTI reports to turn into Threat Vector Models
   - You are more than welcome to come with some reports you would like to integrate into OpenTIDE framework.

### Resources
* [Main OpenTIDE repository](https://code.europa.eu/ec-digit-s2/opentide) including presentations and other supporting documentation
* [Github repository for active development on CoreTIDE](https://github.com/EC-DIGIT-CSIRC/CoreTIDE) including raising issues and proposing pull requests.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/UXQXUT/</url>
            <location>Hollenfels</location>
            
            <attendee>Remi Seguy</attendee>
            
            <attendee>Amine Besson</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MGZEXX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MGZEXX</pentabarf:event-slug>
            <pentabarf:title>Chrome V8 exploitation training for beginners</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T140000</dtstart>
            <dtend>20241023T160000</dtend>
            <duration>020000</duration>
            <summary>Chrome V8 exploitation training for beginners</summary>
            <description>&lt;b&gt;Section 1. About V8 Engine&lt;/b&gt;
The first section focuses on the basic theories necessary to analyze vulnerabilities in V8 and perform exploits. V8 is one of the JavaScript engines and uses a JIT compiler. We talk about the JIT compiler and then explain the V8 compiler mechanism including the newest compiler, Maglev.

&lt;b&gt;Section 2. Let&#8217;s Debug&lt;/b&gt;
The second section details how to debug V8 Engine using d8 in the provided VDI environment. We explain the memory structure of V8, the role and operation of the GC (Garbage Collection), and analyze V8 objects via d8. Through this section, the audience will be able to understand the object structure and learn basic V8 debugging techniques.

&lt;b&gt;Section 3. Exploiting in V8&lt;/b&gt;
In the third section, we exploit V8 after analyzing a bug that was found in V8. 

First, we analyze a bug that was found in V8 and perform PoC (Proof of Concept). Then we examine the optimization process via Turbolizer and analyze in detail the point where the bug occurs.

We provide a detailed step-by-step explanation of the exploitation process. Then we create an OOB array using a bug and bypass the V8 sandbox to read/write to arbitrary memory. 

Eventually, this leads to modifying the RIP to jump to an arbitrary address and executing shellcode.

&lt;b&gt;[Requirements]&lt;/b&gt;
- We provide virtual environments for practice (only need a personal laptop)
- Experience using GDB for debugging
- Basic JavaScript knowledge
- Interest in Browser Exploits</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/MGZEXX/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>hoseok Lee</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JDM9V7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JDM9V7</pentabarf:event-slug>
            <pentabarf:title>Hands-on Kubernetes security with KubeHound (purple teaming)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241023T161500</dtstart>
            <dtend>20241023T181500</dtend>
            <duration>020000</duration>
            <summary>Hands-on Kubernetes security with KubeHound (purple teaming)</summary>
            <description>There&#8217;s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without any third party tooling.

In this workshop we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the custom KubeHound DSL to demonstrate its power to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. If the DSL is not enough, we will cover the basics of Gremlin, the language used by our graph technology so you can find relevant attack paths that matter to you.

As attackers (or defenders), there&apos;s nothing better for understanding an attack than exploiting it oneself. So in this workshop we will cover some of the usual attack paths and exploit them. This way you will see for yourself the difficulty (or not) of fully compromising a Kubernetes cluster (#DontDoThisAtHome).

Finally, in this workshop we will also demonstrate two ways of using KubeHound:
* As a standalone tool that can be run from a laptop
* Or deployed as a service in your own Kubernetes clusters (KubeHound as a Service)

The main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths and how attackers can have a treasure map to fully compromise a Kubernetes cluster by using the free and open source version of KubeHound.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JDM9V7/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Julien</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SVGPXT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SVGPXT</pentabarf:event-slug>
            <pentabarf:title>Back to the failure - Did your physical security really evolve in the last 40 years?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T090000</dtstart>
            <dtend>20241024T093000</dtend>
            <duration>003000</duration>
            <summary>Back to the failure - Did your physical security really evolve in the last 40 years?</summary>
            <description>In this presentation we will see how this mindset still survives nowadays in the physical security realm. We will see how the very same mindset leads to the very same errors, false beliefs, and often a very expensive false sense of security. It is a realm which should be blessed by today&apos;s hackers, as doing tourism in so-called &quot;highly secured&quot; data centers and industrial sites is just so much fun, and a mindset which should be avoided by those responsible for such sites who actually care about their security.

Part of our job is to do physical pentest assessments on those &#8220;secure&#8221; facilities, which usually spend huge amounts of money on various security bells and whistles, from the concrete wall surrounded by shiny barbed wire up to highly technological access control, intrusion or theft detection systems such as biometric sensors and mantraps, all this surrounded by hundreds of surveillance cameras and 24/7 on-site security teams. Too often I encounter the same dated mindset, where all these features are actually designed by vendors to impress honest people (starting with the facility owners themselves) without effectively taking the offensive mindset into account. The consequences are usually multiple, but typically end up with our teams getting uninvited free access to the target&apos;s most critical area, with just $30 worth of tools, without being hindered by all this costly stuff and without actually being noticed by anyone.

The real issue here is not money, it is the mindset, the same security mindset that has been built during the last decades in the cyber world and is, more often than not, totally lacking in the physical realm. The goal of this presentation is therefore to raise awareness about this situation, and by comparing obsolete IT habits from the early 2000s with current physical security practices we will see which kind of vulnerabilities can often be encountered, how they could be exploited, and how they should be prevented.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/SVGPXT/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Simon Geusebroek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>V3JMCZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-V3JMCZ</pentabarf:event-slug>
            <pentabarf:title>Blowing up Gas Stations for fun and profit</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T093000</dtstart>
            <dtend>20241024T100000</dtend>
            <duration>003000</duration>
            <summary>Blowing up Gas Stations for fun and profit</summary>
            <description>In recent years, an increasing number of cyber attacks have been targeting critical infrastructure, especially since the war in Ukraine started. Automated Tank Gauging (ATG) systems are critical components in the infrastructure of fuel storage and distribution across various sectors, including commercial gas stations, military facilities, and emergency services. These systems monitor fuel levels, detect leaks, and ensure regulatory compliance, but they also present an alarming attack surface when exposed to the Internet and, by their very nature, an interesting target for malicious actors.
This presentation will cover the findings of both past and recent investigations, which identified multiple critical vulnerabilities in ATG systems from various vendors, as well as our quest to physically damage such systems remotely.
We will explore how these vulnerabilities can be exploited to alter system behaviors, disrupt fuel supply chains, potentially cause significant physical and environmental damage, as well as other out-of-the-box scenarios.
We will show global prevalence data from our latest scans, and talk about both our coordination with CISA in order to responsibly disclose all these vulnerabilities and our efforts to try to mitigate these risks at a wider scale, on several fronts - one of which is raising awareness within the infosec community.

This session is for cybersecurity professionals, industrial system operators, and anyone interested in the security of critical infrastructure. Attendees will leave with a deeper understanding of the risks posed by ATG systems and how to secure them against potential attacks.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/V3JMCZ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Pedro Umbelino</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NNFQ3G@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NNFQ3G</pentabarf:event-slug>
            <pentabarf:title>The good, the bad, and the ugly: Microsoft Copilot</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T101500</dtstart>
            <dtend>20241024T104500</dtend>
            <duration>003000</duration>
            <summary>The good, the bad, and the ugly: Microsoft Copilot</summary>
            <description>Outline:
1. Where we are
1.1. Everybody racing to build GenAI applications and not thinking about implications - Microsoft Copilots, Github Copilot, every major security vendor releasing a security Copilot
1.2. Common concerns that are being ignored - prompt injection, circumventing data classification, inherent uncertainty of what applications will choose to do in production
1.3. GenAI is a No Code movement - drag a few boxes and have your GenAI application ready to use
1.4. Distinction between Copilots and Agents - how Copilots aim to address concerns by tying AI actions to user interaction and therefore intentions
2. Intro to Microsoft Copilot Studio
2.1. Explain focus on Microsoft - tied to OpenAI and already built into every enterprise and their enterprise data
2.2. Brief intro to Copilot Studio - the platform that runs Microsoft Copilots and their extendability, and a platform to build your own Copilots on top of enterprise data
2.3. Capabilities - how GenAI gets plugged into enterprise data, with over 1500 data connectors and user impersonation by design
3. Breaking Copilots
3.1. A methodological breakdown of how Copilot Studio works and a threat analysis for Copilots built with that technology
3.2. User access to Copilot - showing how default configuration leads to publicly accessible bots and sharing with your entire organization. These defaults include: bot is Internet facing with no auth (yes, really), bot is shared with the entire organization (why not?), bot can require authentication but not enforce it (indeed), bot shares maker identity with bot users (identity is best when shared).
3.3. Copilot access to data - Microsoft claims that Copilots are secure because they inherit user permissions and controls. In practice this means user impersonation by design, no way to distinguish between Copilot and user activity, and embedded credentials (including OAuth refresh tokens) leveraged implicitly without user knowledge
3.4. User-isolation breakdown - how one user can get Copilot to act on behalf of another
3.5. Data classification becomes obsolete - how Copilot can read a document classified sensitive and spew it out without the classification label. So long DLP and thanks for all the fish.
4. Exploitation
4.1. Predictable Copilot misconfiguration leads to easy enumeration of publicly accessible Copilots
4.2. Once you identify a publicly accessible Copilot you need to extract data from it. Show how you can fight fire with fire, using GenAI to fuzz the Copilot into spewing sensitive enterprise data
4.3. Dropping CopilotHunter, a red teaming tool that automates all of the above
5. Where do we go now?
5.1. Bad default configuration in Microsoft Copilot Studio and how to avoid it - clear actionable changes to do today
5.2. Generalizing - how do we build secure and reliable Copilots? Separation of control plane and data plane, not putting too much power in the hands of AI, isolation of user-context</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/NNFQ3G/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Inbar Raz</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PPTEWY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PPTEWY</pentabarf:event-slug>
            <pentabarf:title>Scam as a Service powered by Telegram</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T104500</dtstart>
            <dtend>20241024T111500</dtend>
            <duration>003000</duration>
            <summary>Scam as a Service powered by Telegram</summary>
            <description>The case study explores real-world scenarios where groups of cybercriminals operate as service providers, offering fake invoices, financial fraud, crypto and NFT investment advisement, data breach, escort and blackmailing services. Furthermore, the study investigates the consequences of this &quot;Scam as a Service&quot; model on individuals, businesses, and society, emphasizing the financial losses, reputational damage, and regulatory challenges resulting from these activities.

During the talk, I will cover:
- Tactics, techniques and procedures the scammers utilize, including the recruitment process, what types of services are available, and how the infrastructure is set up.
- Insights backed by findings. I got operating manuals, tools and access to the infrastructure. 
- My experience from several years of analyzing these services and lessons learned.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/PPTEWY/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Aurimas Rudinskis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MAVVT3@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MAVVT3</pentabarf:event-slug>
            <pentabarf:title>From 0 to millions: Protecting against AitM phishing at scale</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T111500</dtstart>
            <dtend>20241024T120000</dtend>
            <duration>004500</duration>
            <summary>From 0 to millions: Protecting against AitM phishing at scale</summary>
            <description>After a quick technical overview of the capability, and how it was designed to scale, we&apos;ll dive into the data from millions of weekly logins to sites across the web. The token has been deployed to some of the largest Azure tenants out there, large financial sites, and healthcare providers--we&apos;ll get to explore phishing data at scale.

We&apos;ll dive into:
- The scale of AitM phishing
- TTPs of AitM attackers:
    - Time from infrastructure start-up to first alert
    - Domain seasoning
    - Cross-tenant drag-net attacks

Finally, we&apos;ll talk about response to these types of alerts, what attackers can do to disrupt our alerts, and how we can flow some of this data into networks like MISP.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/MAVVT3/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Jacob Torrey</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PVQXTF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PVQXTF</pentabarf:event-slug>
            <pentabarf:title>Running circles around threat actor tooling using Javascript data visualisation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T133000</dtstart>
            <dtend>20241024T133500</dtend>
            <duration>000500</duration>
            <summary>Running circles around threat actor tooling using Javascript data visualisation</summary>
            <description>There&apos;s a wealth of data visualisations that are easy to produce using generic frameworks, but often they&apos;re an answer in search of a question. In this session, I&apos;ll briefly talk about some questions I had around a dataset concerning tools used by Russian threat actors, the data visualisation principles used, how it was built, and the insights gained.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/PVQXTF/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Chris Horsley</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YVZXTW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YVZXTW</pentabarf:event-slug>
            <pentabarf:title>Using LLM locally</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T133500</dtstart>
            <dtend>20241024T134000</dtend>
            <duration>000500</duration>
            <summary>Using LLM locally</summary>
            <description>It has become easy and convenient to use LLMs locally on your machine, even with only a couple of gigabytes of RAM. Usage includes: text generation, summarization, question-answering, even locally designed RAGs. All this is available for free and open-source, with minimal setup.

This talk will show a quick demo of some tools and provide references to help you set up your own LLM app.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/YVZXTW/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZFPPKY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZFPPKY</pentabarf:event-slug>
            <pentabarf:title>Future of websites without DDoS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T134000</dtstart>
            <dtend>20241024T134500</dtend>
            <duration>000500</duration>
            <summary>Future of websites without DDoS</summary>
            <description>The topic of website safety and ways to manage it on both personal and application levels. Basics about encryption, certificates, DNS, WAF and other various confusing abbreviations. We will be taking you on a trip through the most interesting technologies used nowadays to ensure a comfortable and safe experience browsing the internet.

In this presentation, we will delve into ways to safeguard websites from cyber threats: how to get multi-layered protection against DDoS attacks, ensuring your website remains accessible even during severe cyber onslaughts, by leveraging BGP Anycast technology and a reverse proxy to efficiently distribute and filter traffic, blocking malicious requests and allowing only legitimate users to access your site.

We will also explore the role of CDN caching in speeding up website content delivery across the globe: by caching data and connecting users to the nearest server, it reduces response times, enhances user experience and improves SEO. Additionally, the Web Application Firewall (WAF) provides robust security by monitoring and blocking suspicious activities.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ZFPPKY/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Luk&#225;&#353; Kr&#353;ek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7YHE8M@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7YHE8M</pentabarf:event-slug>
            <pentabarf:title>Analysis and Forecasting of Exploits with AI</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T134500</dtstart>
            <dtend>20241024T135000</dtend>
            <duration>000500</duration>
            <summary>Analysis and Forecasting of Exploits with AI</summary>
            <description>We propose a simple, explainable, effective and fast threat analysis method, which is based on artificial intelligence and can support security experts in threat modelling, organization&#8217;s protection strategy planning, and allow them to quickly adopt suitable protection measures for current and future periods.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/7YHE8M/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Roman Graf</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TGV7MK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TGV7MK</pentabarf:event-slug>
            <pentabarf:title>Improving the CVD Process</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T135000</dtstart>
            <dtend>20241024T135500</dtend>
            <duration>000500</duration>
            <summary>Improving the CVD Process</summary>
            <description>Vulnerability Lookup (https://github.com/vulnerability-lookup/vulnerability-lookup) facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).

It is a rewritten and enhanced version of cve-search, an open-source tool originally designed to maintain a local CVE database.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TGV7MK/</url>
            <location>Europe - Main Room</location>
            
            <attendee>C&#233;dric Bonhomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VVF3AU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VVF3AU</pentabarf:event-slug>
            <pentabarf:title>MISP playbooks, Proving the Value of Cyber Threat Intelligence and ICS-CSIRT.io</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T135500</dtstart>
            <dtend>20241024T140000</dtend>
            <duration>000500</duration>
            <summary>MISP playbooks, Proving the Value of Cyber Threat Intelligence and ICS-CSIRT.io</summary>
            <description>- https://github.com/misp/misp-playbooks
- https://github.com/cudeso/proof-value-cti
- https://www.ics-csirt.io/</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VVF3AU/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Koen Van Impe</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VQGFDL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VQGFDL</pentabarf:event-slug>
            <pentabarf:title>Quantum Cybersecurity - Pioneering a Secure Future</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T140000</dtstart>
            <dtend>20241024T143000</dtend>
            <duration>003000</duration>
            <summary>Quantum Cybersecurity - Pioneering a Secure Future</summary>
            <description>Introduction
Quantum computing is set to revolutionize various industries like AI by providing powerful computational capabilities that far exceed those of classical computers. However, this technological leap also introduces significant security risks, particularly to existing cryptographic systems that protect the world&apos;s digital information. Quantum cybersecurity emerges as a crucial field, promising enhanced security mechanisms through QKD and PQC to withstand quantum computing threats.

Advantages of Quantum Cybersecurity
Quantum cybersecurity technologies, such as QKD, offer the promise of unbreakable encryption by utilizing the principles of quantum mechanics. Unlike traditional methods, where security is based on the computational difficulty of certain mathematical problems, QKD uses the quantum properties of particles to ensure secure communication that can immediately detect any interception attempts. PQC provides algorithms that are resistant to quantum attacks, aiming to secure our digital infrastructure both now and in the future.

Necessity for Quantum-Resistant Solutions
The development of quantum computers poses a significant threat to the cryptographic standards currently protecting global communications, financial transactions, and government data. Quantum-resistant cryptographic methods are essential to prevent the quantum threat and safeguard information integrity in the forthcoming quantum era.

Current Problems and Future of Quantum Cybersecurity
While quantum cryptography offers robust security, it currently faces significant challenges such as high costs, limited range of operation, and complex integration with existing technologies. The future of quantum cybersecurity lies in overcoming these barriers and facilitating widespread adoption. Innovations in satellite quantum communications and the development of quantum repeaters are among the advances that could extend the range and feasibility of QKD systems.

Interoperability Challenges
A significant obstacle in the deployment of quantum cryptographic solutions is the lack of interoperability between different systems, which often use incompatible protocols and technologies. This challenge hinders the creation of a unified quantum-safe network necessary for global security.

Solutions and Challenges of Current Solutions
Addressing interoperability involves developing universal standards and protocols that can seamlessly integrate various quantum and classical cryptographic systems. The solution proposed includes creating adaptable interfaces and middleware capable of translating between different quantum cryptographic protocols. However, these solutions must navigate the sophisticated balance between maintaining high security and offering the flexibility to support a diverse ecosystem of technologies.

Conclusion
Quantum cybersecurity stands at the forefront of the next revolution in digital security. By addressing the challenges of interoperability and advancing the development of user-friendly, cost-effective quantum cryptographic systems, we can pave the way for a secure transition into the quantum computing age. This talk will explore these aspects, offering insights into both the current landscape and the future directions of quantum cybersecurity.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VQGFDL/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Samira Chaychi</attendee>
            
            <attendee>Sharif Shahini</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TFYNSZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TFYNSZ</pentabarf:event-slug>
            <pentabarf:title>Making IOT great again</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T143000</dtstart>
            <dtend>20241024T150000</dtend>
            <duration>003000</duration>
            <summary>Making IOT great again</summary>
            <description>## Agenda

1. The story of the Powerdale EV charger, from success to bankruptcy
2. How to regain control over the devices: successes and failures
3. What does all this say about IoT and its (software) lifetime?
4. Thoughts and conclusions


## Powerdale EV charger: from success to bankruptcy

- Relatively popular brand of EV chargers in Belgium
- About 50 000 devices installed in Belgium
- Went out of business in July 2023
- Cloud platform taken over by MyDiego
    - private customers abandoned with no access to their EV charger
    - WiFi-connected appliances' configuration changed to the slowest charge speed
    - some installers under heavy pressure to fix unsupported devices
    - ...


## Gaining access to device

- The naive approach (and the failures)
    - open the box search for available ports
    - try to reverse the protocol without a functioning app ;)
    - BLE implementation on PicoW not so easy...
    - ...
- The success: Google
    - an open-source solution based on ESPHome was launched by Geert Meersman
    - extend the solution to address needs on a standalone solution
    - build scripts to deploy at scale


## What does all of this say about IoT?

- Why was the bankruptcy an issue?
    - Authentication on cloud (no cloud, no app, no configuration)
    - No way to configure appliances without mobile application
    - WIFI connected devices could be reconfigured without user consent

- Is this unique?
    - No... Siemens abandoned its IOT line without notice.
    - Issues with bike in the Netherlands

- Could we act?
    - Partially...
    - But this shows that a community can bring our devices back to life


## Thoughts and conclusions

- Some ideas to avoid such issues
    - Making source code escrow a legal obligation?
    - Forcing vendors to allow local configuration of devices (without cloud authentication)
    - Open APIs
    - ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TFYNSZ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>David Durvaux</attendee>
            
            <attendee>Marc Durvaux</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>D7FGK9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-D7FGK9</pentabarf:event-slug>
            <pentabarf:title>Ghosts&apos;n&apos;gadgets: common buffer overflows that still haunt our networks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T150000</dtstart>
            <dtend>20241024T153000</dtend>
            <duration>003000</duration>
            <summary>Ghosts&apos;n&apos;gadgets: common buffer overflows that still haunt our networks</summary>
            <description>I will start the talk with an introduction of the two vulnerable devices,
followed by a quick overview of the vulnerability research activities we have
performed against them. 

Next, we will go over the root-cause analysis of these vulnerabilities,
focusing on two stack buffer overflow vulnerabilities that allow for Remote
Code Execution.

I will then demonstrate how we used these vulnerabilities to pop a root shell
on both devices (interestingly, they are designed not to allow any kind of
root access to the users). I will discuss the binary hardening mechanisms we
had to bypass (or lack thereof), and demonstrate the exploits in action.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/D7FGK9/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Stanislav Dashevskyi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GFM8HN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GFM8HN</pentabarf:event-slug>
            <pentabarf:title>SQL Injection Isn&apos;t Dead: Smuggling Queries at the Protocol Level</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T153000</dtstart>
            <dtend>20241024T160000</dtend>
            <duration>003000</duration>
            <summary>SQL Injection Isn&apos;t Dead: Smuggling Queries at the Protocol Level</summary>
            <description>Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.

To put our findings into context, we will explore the real-world applicability of this new concept by comparing how robust various languages and frameworks are against these attacks. We will also discuss how smuggling attacks are not specific to database wire protocols but affect all kinds of binary protocols, from databases over message queues to caching. We will end the session with inspirations for future research to explore the topic further.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/GFM8HN/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Paul Gerste</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XDFR83@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XDFR83</pentabarf:event-slug>
            <pentabarf:title>Keys to the City: The Dark Trade-Off Between Revenue and Privacy in Monetizing SDKs</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T161500</dtstart>
            <dtend>20241024T164500</dtend>
            <duration>003000</duration>
            <summary>Keys to the City: The Dark Trade-Off Between Revenue and Privacy in Monetizing SDKs</summary>
            <description>This presentation provides an in-depth examination of Advertisement SDKs, particularly focusing on their widespread use of webviews and the potential security risks these may introduce for end users. It explores how these SDKs integrate webviews into their functionality and offers technical insights into the mechanisms behind their implementation. Additionally, the presentation considers the broader security implications that may arise from this usage, aiming to raise awareness about potential areas of concern for developers and users alike.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/XDFR83/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Dimitrios Valsamaras</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EZ7Z7M@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EZ7Z7M</pentabarf:event-slug>
            <pentabarf:title>Understanding file type identifiers</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T164500</dtstart>
            <dtend>20241024T171500</dtend>
            <duration>003000</duration>
            <summary>Understanding file type identifiers</summary>
            <description>There&apos;s a lot of misconception around file type identification and scanning:
the existing tools have different needs and use cases, requirements and limitations (that could be abused).

Warning: contains raw bytes.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/EZ7Z7M/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Ange Albertini</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DFES8D@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DFES8D</pentabarf:event-slug>
            <pentabarf:title>Reversing Flutter with Blutter and Radare2</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T101500</dtstart>
            <dtend>20241024T114500</dtend>
            <duration>013000</duration>
            <summary>Reversing Flutter with Blutter and Radare2</summary>
            <description>Pre-requisites:

- It is preferable to have basic experience in reading Assembly (but it is not necessary to be fluent).
- Pre-install Radare2 (https://rada.re/n/radare2.html) and Docker (https://docs.docker.com/engine/install/) on your laptop before the workshop.
- If possible, come with an ARM64 Android smartphone. If not, I&apos;ll lend one (we only need it shortly). On ARM-based MacOS, instead, you can use an ARM64 Android emulator from Android Studio: download and install Android 14, Google APIs (but not Google Play), ARM64.
- Internet access.

Not necessary:

- You do *not* need to install Blutter: we&apos;ll learn how to install and use a patched version during the workshop. That patched version runs in a Docker container.
- You do *not* need to know how to use Radare2: we&apos;ll cover all basic commands you need to use during the workshop.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/DFES8D/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Axelle Apvrille</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>E93DZB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-E93DZB</pentabarf:event-slug>
            <pentabarf:title>Cryptography: from zero to dont-shoot-yourself-in-the-foot</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T140000</dtstart>
            <dtend>20241024T160000</dtend>
            <duration>020000</duration>
            <summary>Cryptography: from zero to dont-shoot-yourself-in-the-foot</summary>
            <description>The training will start from the very basics to allow anyone interested to join, so there is no particular prerequisite, just really basic math and the willingness to learn without being scared (or to learn regardless of being scared or not :-) ).

We will roughly follow the following syllabus:
- Encryption 101
- Randomness &amp; entropy
- Block ciphers
- Stream ciphers
- Hash functions
- Key generation and key derivation functions / algorithms
- RSA
- Elliptic curves

We only have a couple of hours, so we will not dig deep into algorithms&apos; math and internals, also because this is not the goal of the training.

If you are a cryptography expert and you want to join to add details, insights or correct the trainer if needed (we all make mistakes sometimes and we should all keep learning and improving), you are absolutely welcome!

PS: the course is partially based on the content of the book &quot;Serious Cryptography: A Practical Introduction to Modern Encryption&quot; by Jean-Philippe Aumasson (ISBN-13: 9781593278267 - No Starch Press).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/E93DZB/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Lorenzo Nicolodi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TJUNCH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TJUNCH</pentabarf:event-slug>
            <pentabarf:title>Open source Intelligence and Command line based BGP Hijacking Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T161500</dtstart>
            <dtend>20241024T181500</dtend>
            <duration>020000</duration>
            <summary>Open source Intelligence and Command line based BGP Hijacking Detection</summary>
            <description># Introduction

BGP hijacking involves illegally redirecting internet traffic from its intended path by manipulating the Border Gateway Protocol (BGP), which exchanges routing information between different networks. In a BGP hijacking attack, an attacker advertises false routing information to routers on the internet, causing traffic to be routed through their network. This can be done for malicious purposes, such as intercepting sensitive data or launching a denial-of-service attack. BGP hijacking can have serious consequences, as it can disrupt internet connectivity and compromise the security and privacy of user data.

BGP hijacking is an attack that undermines IP-based defense systems. When an attack occurs, all traffic directed to the hijacked destination IP is routed to an arbitrary location specified by the attacker, incapacitating all existing defense mechanisms.

This hands-on training session uses only open-source intelligence and command-line analysis tools to identify and visualize BGP hijacking incidents in any network. After this training, trainees should be able to carry out the BGP hijacking detection process themselves when suspicious activity occurs.

To reduce time spent on environment setup, trainees should bring laptops with a WSL/Linux/macOS terminal and a network connection.

# Training Details

This training program uses real-world data that has not been artificially modified or generated. The skills acquired in this training can be immediately applied to all networks. The training provides expertise in threat modeling, visualization, and detection methods through case studies of significant historical BGP hijacking incidents.

## Data Source

The data used in this course is broadly divided into two categories. To analyze BGP communications, we use archived data provided by the University of Oregon RouteViews Archive Project from 2001 to the present. We utilize data from regional Internet address registries to verify IP address variability.

### Regional Internet Address Registries Data

- https://ftp.apnic.net/stats/apnic/delegated-apnic-extended-latest
- https://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-latest
- https://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest
- https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest

### BGP Archive Data

- http://archive.routeviews.org/bgpdata/

### Tools used
- awk, bgpdump, graphviz, feedgnuplot, and other basic bash commands and shell scripts
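
As an added illustration of the detection process these tools support (my own example, not part of the training material), the script below reads `bgpdump -m` one-line output together with RIR delegated-extended records of the kind listed above and flags three candidate indicators: a prefix with more than one origin AS (MOAS), an announced sub-prefix whose origin set differs from that of its covering prefix, and an origin AS registered in a different country than the prefix it announces. The route and registry lines embedded in it are constructed from documentation prefixes and private ASNs, and the country codes are assumptions; a real run would feed it a RouteViews RIB converted with `bgpdump -m`.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the one-line `bgpdump -m` format (documentation prefixes and
# private ASNs, not real routes). Field 6 is the prefix, field 7 the AS path:
# TABLE_DUMP2|time|B|peer_ip|peer_as|prefix|as_path|origin|next_hop|lpref|med|community|atomic_agg|aggregator|
SAMPLE_RIB = """\
TABLE_DUMP2|1643859060|B|203.0.113.1|64500|198.51.100.0/24|64500 64510 64520|IGP|203.0.113.1|0|0||NAG||
TABLE_DUMP2|1643859060|B|203.0.113.2|64501|198.51.100.0/24|64501 64530 64520|IGP|203.0.113.2|0|0||NAG||
TABLE_DUMP2|1643859060|B|203.0.113.3|64502|198.51.100.0/24|64502 64540 64999|IGP|203.0.113.3|0|0||NAG||
TABLE_DUMP2|1643859060|B|203.0.113.3|64502|198.51.100.128/25|64502 64540 64999|IGP|203.0.113.3|0|0||NAG||
TABLE_DUMP2|1643859060|B|203.0.113.1|64500|192.0.2.0/24|64500 64510 64550|IGP|203.0.113.1|0|0||NAG||
"""

# Constructed lines in the RIR delegated-extended format (country codes are assumptions):
# registry|cc|type|start|value|date|status|opaque-id
# value = address count for ipv4, prefix length for ipv6, number of ASNs for asn
SAMPLE_RIR = """\
apnic|KR|ipv4|198.51.100.0|256|20100101|assigned|X1
apnic|KR|asn|64520|1|20100101|assigned|X1
ripencc|RU|asn|64999|1|20100101|assigned|X2
lacnic|BR|ipv4|192.0.2.0|256|20100101|assigned|X3
lacnic|BR|asn|64550|1|20100101|assigned|X3
"""


def parse_bgpdump(text):
    """Return [(ip_network, origin_as)] from bgpdump -m lines (RIB rows 'B' and announcements 'A')."""
    routes = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 7 and f[2] in ("A", "B"):          # skip withdrawals, state changes, junk
            path = f[6].split()
            # AS_SET origin "{a,b}" is kept as "a,b"; an empty path means the peer originated it
            origin = path[-1].strip("{}") if path else f[4]
            routes.append((ipaddress.ip_network(f[5], strict=False), origin))
    return routes


def load_rir(text):
    """Return ({4: [(first, last, cc)], 6: [...]}, {asn: cc}) from delegated-extended lines."""
    nets, asns = {4: [], 6: []}, {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 7 and f[3] != "*":                  # skip the version header and summary rows
            cc, kind, start, value = f[1], f[2], f[3], f[4]
            if kind == "ipv4":
                first = int(ipaddress.IPv4Address(start))
                nets[4].append((first, first + int(value) - 1, cc))
            elif kind == "ipv6":
                net = ipaddress.IPv6Network(f"{start}/{value}")
                nets[6].append((int(net[0]), int(net[-1]), cc))
            elif kind == "asn":
                for n in range(int(value)):               # an asn row may cover a range of ASNs
                    asns[str(int(start) + n)] = cc
    return nets, asns


def prefix_country(prefix, nets):
    """Country code of the RIR delegation that fully contains the prefix, or None."""
    lo, hi = int(prefix[0]), int(prefix[-1])
    for first, last, cc in nets[prefix.version]:
        if lo >= first and last >= hi:
            return cc
    return None


def _origins_by_prefix(routes):
    origins = defaultdict(set)
    for prefix, origin in routes:
        origins[prefix].add(origin)
    return origins


def find_moas(routes):
    """Prefixes announced by more than one origin AS (MOAS): the classic origin-hijack indicator."""
    return {str(p): sorted(o) for p, o in _origins_by_prefix(routes).items() if len(o) > 1}


def find_more_specifics(routes):
    """Announced sub-prefixes whose origin set differs from the covering prefix (sub-prefix hijack pattern)."""
    origins = _origins_by_prefix(routes)
    hits = []
    for p, po in origins.items():
        for q, qo in origins.items():
            if p != q and p.version == q.version and p.subnet_of(q) and po != qo:
                hits.append((str(p), sorted(po), str(q), sorted(qo)))
    return sorted(hits)


def find_country_mismatch(routes, nets, asns):
    """Origin AS registered in a different country than the prefix it announces."""
    hits = set()
    for prefix, origin in routes:
        pcc, acc = prefix_country(prefix, nets), asns.get(origin)
        if pcc and acc and pcc != acc:
            hits.add((str(prefix), origin, pcc, acc))
    return sorted(hits)


if __name__ == "__main__":
    # Real use: bgpdump -m rib.YYYYMMDD.HHMM.bz2 > rib.txt, then parse_bgpdump(open("rib.txt").read())
    routes = parse_bgpdump(SAMPLE_RIB)
    nets, asns = load_rir(SAMPLE_RIR)
    print("MOAS:", find_moas(routes))
    print("more-specifics:", find_more_specifics(routes))
    print("country mismatch:", find_country_mismatch(routes, nets, asns))
```

Each hit is a candidate to triage, not a verdict: legitimate traffic engineering produces more-specifics with a customer origin AS, and a prefix can be delegated to an operator in another country, so the final call still rests on the registry records and on the AS paths seen across several RouteViews collectors.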

## BGP Hijacking Incidents

Following is the list of possible analysis candidates for well-known BGP hijacking incidents, which can be analyzed in this training session.

### Italian Hacking Team BGP Hijacking

The Italian group &quot;Hacking Team&quot; was implicated in a state-sponsored BGP hijacking incident. They worked with the Italian Special Operations Group to manipulate the Border Gateway Protocol (BGP) and reroute internet traffic. The release of confidential data unveiled their involvement, and the hacker &quot;Phineas Fisher&quot; admitted to the breach. BGP hijacking poses substantial risks to internet connectivity and the security of user data.

### Amazon DNS BGP Hijacking

In 2016, Amazon DNS servers in Route53 experienced a BGP hijacking incident. Attackers manipulated the Border Gateway Protocol (BGP) to redirect traffic intended for Amazon&apos;s DNS servers. 

This misdirection allowed the attackers to intercept and manipulate DNS queries, potentially redirecting users to malicious websites or intercepting sensitive information. The incident underscored the vulnerabilities in BGP and the critical need for enhanced security measures to protect internet infrastructure.

### BGP Man In the Middle Attack

China Telecom has been accused of engaging in extensive BGP hijacking activities, redirecting internet traffic through its infrastructure to spy on data and disrupt global communications. This practice, &quot;Leave No Access Point Unexploited,&quot; involves manipulating the Border Gateway Protocol (BGP) to reroute traffic from its intended path. These activities have raised significant concerns about the security and integrity of global internet traffic, highlighting vulnerabilities in the BGP system and the potential for state-sponsored cyber espionage.

### Klayswap BGP Hijacking

On January 3, 2022, at 11:31 AM, there was a BGP hijacking incident at KlaySwap, a decentralized finance (DeFi) platform in South Korea that operates on the Klaytn blockchain network. The incident led to BGP hijacking attacks on two service-provider networks, resulting in approximately 2.2 billion KRW worth of virtual asset damage and nationwide service disruptions for around one hour.

Affected services included QR check-in, Kakao Map Service, and Daum portal services. This incident raised concerns about South Korea&apos;s vulnerability to BGP hijacking attacks, highlighting that South Korea is no longer a safe zone from BGP hijacking attacks.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TJUNCH/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Joon Kim</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T101500</dtstart>
            <dtend>20241024T114500</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)
Goal is to get your hands on the goods that are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T140000</dtstart>
            <dtend>20241024T153000</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)
Goal is to get your hands on the goods that are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T161500</dtstart>
            <dtend>20241024T174500</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)
Goal is to get your hands on the goods that are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SQUPHL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SQUPHL</pentabarf:event-slug>
            <pentabarf:title>NLP deep-dive: Transformers for Text Mining and Text Generation in Cybersecurity</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T101500</dtstart>
            <dtend>20241024T114500</dtend>
            <duration>013000</duration>
            <summary>NLP deep-dive: Transformers for Text Mining and Text Generation in Cybersecurity</summary>
<description>The workshop provides a hands-on, iterative deep dive into transformer-based NLP techniques and their applications in text mining and generation for cybersecurity threat intelligence and response strategies. It is intended for people who already have experience with natural language processing and LLMs, or with LLMs only, and want to deepen their understanding and skills.

Program:

- Quick Introduction to Transformers, best current models
- Hands-on: Text Preprocessing and Tokenization
    - Text-preprocessing 
- Transformer-Based Sentiment Analysis
    - Choose and load a pre-trained transformer model 
    - Step-by-step building of an NLP pipeline using transformers library
    - Run the sentiment analysis task on an imported dataset
- The same pipeline adapted to Named Entity Recognition (NER)
    - Results interpretation
- The same pipeline adapted to text generation
    - Compare basic and light models (e.g., BART, T5, Llama)
- Discussion: Applications in Cybersecurity
    - Apply transformer-based NLP techniques to cybersecurity problems
    - Limitations and future directions of transformer-based NLP in cybersecurity

By the end of this workshop, you will have a deep understanding of transformer-based NLP techniques and their applications in text mining and generation for cybersecurity. You will be able to apply your new skills to real-world problems and develop practical solutions for threat intelligence and incident response. You&apos;ll be able to work directly on the code and scale your analysis. 

Familiarity with Python programming is expected. Prior experience with deep learning libraries such as PyTorch is a plus, along with hands-on experience of LLMs (through a front end).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/SQUPHL/</url>
            <location>Hollenfels</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JMKWXX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JMKWXX</pentabarf:event-slug>
            <pentabarf:title>Scanning with the Artemis security scanner</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T140000</dtstart>
            <dtend>20241024T160000</dtend>
            <duration>020000</duration>
            <summary>Scanning with the Artemis security scanner</summary>
            <description>During the training, you will learn how to set up and use Artemis. For best results you are encouraged to have a Linux virtual machine with Docker and Docker Compose and a list of domains to scan. During the training, you&#8217;ll configure Artemis and initiate a scan that will end with a package of e-mails ready to be sent to the affected entities. We recommend starting with a list of 100 domains.  

Note that having a list of domains is not required. If you don&apos;t bring one, you will still learn how Artemis works and how to use it in practice. You will configure Artemis (or use a demo instance I will set up) and scan exemplary domains.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JMKWXX/</url>
            <location>Hollenfels</location>
            
            <attendee>Krzysztof Zaj&#261;c</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GCYGYP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GCYGYP</pentabarf:event-slug>
            <pentabarf:title>From protocol analysis to actionable algorithmic and signature detection with Suricata</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T140000</dtstart>
            <dtend>20241024T160000</dtend>
            <duration>020000</duration>
            <summary>From protocol analysis to actionable algorithmic and signature detection with Suricata</summary>
<description>Suricata is a versatile open source engine that has been evolving since 2009 and now provides network protocol, flow, alert and anomaly logs, file extraction and PCAP capture at very high speeds. It is used across the world as a Network Security Monitoring tool, Intrusion Detection System, Intrusion Prevention System and even as a firewall.
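
As an added example of what an algorithmic query over the EVE JSON logs Suricata produces can look like (my own code, not the trainers&apos; material): two detections run over constructed flow and HTTP events, with a hostname allowlist as the noise-reduction step. The first flags a source/destination pair whose flow start times are evenly spaced (low coefficient of variation), the beaconing pattern of a check-in loop; the second lists HTTP requests that carry no User-Agent header. The events, hosts and the `updates.corp.example` allowlist entry are all made up for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed EVE JSON lines (not from a real capture). 10.0.0.5 opens a flow to
# 203.0.113.7:443 roughly every 60 s and POSTs without a User-Agent; 10.0.0.9 is an
# irregular host whose UA-less request goes to an assumed internal update server.
SAMPLE_EVE = """\
{"timestamp":"2024-10-24T14:00:10.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:00:00.000000+0000","bytes_toserver":612}}
{"timestamp":"2024-10-24T14:01:11.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:01:01.000000+0000","bytes_toserver":608}}
{"timestamp":"2024-10-24T14:02:10.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:02:00.000000+0000","bytes_toserver":615}}
{"timestamp":"2024-10-24T14:03:12.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:03:02.000000+0000","bytes_toserver":610}}
{"timestamp":"2024-10-24T14:04:09.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:03:59.000000+0000","bytes_toserver":611}}
{"timestamp":"2024-10-24T14:00:30.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:00:00.000000+0000","bytes_toserver":40211}}
{"timestamp":"2024-10-24T14:00:35.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:00:05.000000+0000","bytes_toserver":1322}}
{"timestamp":"2024-10-24T14:10:30.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:10:00.000000+0000","bytes_toserver":77}}
{"timestamp":"2024-10-24T14:10:31.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","flow":{"start":"2024-10-24T14:10:01.000000+0000","bytes_toserver":9001}}
{"timestamp":"2024-10-24T14:00:00.200000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":80,"http":{"hostname":"203.0.113.7","url":"/gate.php","http_method":"POST"}}
{"timestamp":"2024-10-24T14:00:05.100000+0000","event_type":"http","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":80,"http":{"hostname":"updates.corp.example","url":"/manifest.json","http_method":"GET"}}
{"timestamp":"2024-10-24T14:10:00.300000+0000","event_type":"http","src_ip":"10.0.0.9","dest_ip":"198.51.100.21","dest_port":80,"http":{"hostname":"www.example.com","url":"/","http_user_agent":"Mozilla/5.0","http_method":"GET"}}
"""


def parse_eve(text):
    """One JSON object per non-empty line, as in eve.json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Suricata timestamps look like 2024-10-24T14:00:00.000000+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def find_beacons(events, min_flows=4, max_cv=0.2):
    """Flag (src, dst, port) pairs whose flow start times are evenly spaced."""
    by_pair = defaultdict(list)
    for e in events:
        if e.get("event_type") == "flow":
            by_pair[(e["src_ip"], e["dest_ip"], e["dest_port"])].append(_ts(e["flow"]["start"]))
    hits = []
    for (src, dst, port), starts in by_pair.items():
        if len(starts) >= min_flows:
            starts.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
            mean = statistics.fmean(gaps)
            # coefficient of variation: spread of the intervals relative to their mean
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if max_cv >= cv:
                hits.append({"src_ip": src, "dest_ip": dst, "dest_port": port,
                             "flows": len(starts), "mean_interval_s": mean, "cv": cv})
    return hits


def http_without_user_agent(events, allowlist=frozenset()):
    """HTTP requests with no User-Agent header, minus hostnames known to behave that way."""
    hits = []
    for e in events:
        if e.get("event_type") == "http":
            http = e.get("http", {})
            if http.get("http_user_agent") is None and http.get("hostname") not in allowlist:
                hits.append({"src_ip": e["src_ip"], "hostname": http.get("hostname"), "url": http.get("url")})
    return hits


if __name__ == "__main__":
    evts = parse_eve(SAMPLE_EVE)                   # real use: parse_eve(open("eve.json").read())
    print("beacon candidates:", find_beacons(evts))
    print("no User-Agent:", http_without_user_agent(evts, allowlist={"updates.corp.example"}))
```

The second check has a signature counterpart: a rule on the `http.header_names` sticky buffer with a negated `content` match on `User-Agent` fires per request, while the log-side query above adds the allowlist and the per-pair aggregation that a single-request signature cannot express.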


The training will employ actual hands-on review of malware network pcap traces. Starting from protocol analysis and generic signature events, the attendee will discover the different queries and techniques that can be applied to detect the malware activity on the network, all while keeping noise reduction in mind. The training aims to review a few cases of recent samples of malware families to give attendees practical experience defending against modern threats. Attendees can expect to leave prepared to use algorithmic detection formulas, methods and signatures that can be implemented at home or at work. In addition, they will gain experience finding relevant malware data.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/GCYGYP/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Eric Leblond</attendee>
            
            <attendee>Peter Manev</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YYNBVZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YYNBVZ</pentabarf:event-slug>
            <pentabarf:title>iOS Compromise Detection using open source tools</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241024T161500</dtstart>
            <dtend>20241024T181500</dtend>
            <duration>020000</duration>
            <summary>iOS Compromise Detection using open source tools</summary>
            <description>Are you, or your organisation, concerned about potential compromise on your iPhone, iPad, or Apple Watch? This workshop equips you with the knowledge and tools to identify red flags on your iOS device. We delve into the world of sysdiagnose and explore methods to verify potential breaches.

During this workshop we will be:
- discuss some ways to tell whether an iOS device may be compromised
- explore which open source tools exist to perform the analysis
- generate a sysdiagnose file on an iPhone, iPad, Apple Watch, ... (bring your own device)
- use multiple methods to collect the sysdiagnose (sharing, custom app, pymobiledevice3, ...)
- use the open source sysdiagnose parser to convert the diagnostics data into something usable
- explore what data it contains
- generate a timeline and load it into Timesketch
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/YYNBVZ/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>David Durvaux</attendee>
            
            <attendee>Christophe Vandeplas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YLWAQJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YLWAQJ</pentabarf:event-slug>
            <pentabarf:title>The Ouroboros of Cybercrime: Witnessing Threat Actors go from Pwn to Pwn&apos;d</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T090000</dtstart>
            <dtend>20241025T093000</dtend>
            <duration>003000</duration>
            <summary>The Ouroboros of Cybercrime: Witnessing Threat Actors go from Pwn to Pwn&apos;d</summary>
            <description>Through a meticulous investigation of stealer logs, an ironic twist in the cyber threat landscape has been unveiled: C2 operators falling prey to their own skim. In this presentation, we will explore stealer logs of (C2) operators, offering an unparalleled opportunity to delve into the backstage of cybercriminal networks.

By analyzing these compromised logs, we have uncovered detailed information about the hidden criminal infrastructure operated by C2 operators. The captured data includes sensitive details such as computer information, browser autofill content, usernames and passwords, and active browser cookies. Notably, we have identified numerous logs containing cybercrime credentials, revealing the administrative access to various C2 platforms and databases.

The investigation highlighted five specific C2 operators, exploring their use of different malware families, locations, and operational tendencies. One operator stood out: &quot;The Dutch Man,&quot; also known as the Malware Maestro, who demonstrated sophisticated management of multiple malware types, including Private Loader, Mystic, Asuka, and Raccoon Stealer, forming a versatile malicious ecosystem. 

Join us as we dive into the trail of the cybercrime ecosystem provided by the threat actors&#8217; own compromise. This talk will provide invaluable insights into the operation of a versatile malicious ecosystem, highlighting the complexity of C2 networks. Discover how analyzing stealer logs from operators associated with known C2 IPs can uncover and allow the study of hidden criminal infrastructure, identify new, previously unknown, C2 endpoints, and create indicators of compromise (IOCs).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/YLWAQJ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Estelle</attendee>
            
            <attendee>Stuart Beck</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UURWBY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UURWBY</pentabarf:event-slug>
            <pentabarf:title>The XE Files - Trust No Router</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T093000</dtstart>
            <dtend>20241025T100000</dtend>
            <duration>003000</duration>
            <summary>The XE Files - Trust No Router</summary>
            <description>On the 16th October 2023 Cisco Talos shared intelligence about a handful of compromised routers discovered while resolving customer support requests. As the full story unfolded, a handful of backdoored devices turned into tens of thousands, and the massive mobilisation of incident response teams as patches were applied and workarounds implemented. Many months later, the incident may be largely forgotten by Cisco customers and the cyber-security community, but working on these routers remains an objective for somebody.

In this talk we explore the world of compromised IOS XE devices using data from weekly scans of all the potentially affected systems. The number of infected routers has changed over time, showing a persistent motivation to maintain the backdoor&#8217;s installed base and giving insights into the life of the adversary. At the time of writing, two-thirds of all exposed devices show signs of compromise.

We investigate who was quick to apply the vendor&#8217;s advice, and what kind of organizations the compromised devices belong to. We observe that some mature organizations with competent cyberdefence teams seem to be maintaining affected routers. 

Finally we look at the potential utility of a network of compromised routers, making the link to Operational Relay Box (ORB) networks as recently defined by Mandiant (Google Cloud), and the challenge this poses for Threat Intelligence analysts and cyber-defence teams more broadly.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/UURWBY/</url>
            <location>Europe - Main Room</location>
            
            <attendee>James Atack</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QLCNGS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QLCNGS</pentabarf:event-slug>
            <pentabarf:title>New features in the Zeek Network Monitor</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T101500</dtstart>
            <dtend>20241025T104500</dtend>
            <duration>003000</duration>
            <summary>New features in the Zeek Network Monitor</summary>
<description>Network monitoring is key for understanding your infrastructure, whether that&apos;s your home network or a thousand-seat corporate environment. Zeek is the world&apos;s de-facto open-source standard for longitudinal network monitoring &#8212; a permissively licensed, mature, battle-hardened platform and ecosystem that runs on anything from Raspberry Pis to industrial-scale deployments like Microsoft Defender.

Over the past year Zeek has made important strides into new areas, which I&apos;ll present in this talk. Top among those are support for scripting Zeek&apos;s network events in JavaScript, opening up the Node ecosystem to network analysis; ZAM, the Zeek Abstract Machine, bringing substantial improvements to Zeek&apos;s script interpretation performance; expanded use of the Spicy parser generator, and an expansion of Zeek&apos;s telemetry framework for easy scraping via Prometheus.

I&apos;ll also cover how to get started with Zeek via our Docker images, binary packages, or building it yourself, and will give a sneak preview of our upcoming roadmap.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/QLCNGS/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Christian Kreibich</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TLGDKX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TLGDKX</pentabarf:event-slug>
            <pentabarf:title>Sigma Unleashed: A Realistic Implementation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T104500</dtstart>
            <dtend>20241025T111500</dtend>
            <duration>003000</duration>
            <summary>Sigma Unleashed: A Realistic Implementation</summary>
            <description>In this talk, we will mainly talk about how we implemented Sigma in a practical way and about [droid](https://github.com/certeu/droid) that unlocks the following use cases:

- Detection content versioning
- Vendor agnostic approach
- Cross-tool detection content
- Testing and validating detection rules, by taking advantage of Atomic Red Team
- Automation of exporting the rules to multiple SIEMs and EDRs.

The tool is under development and we aim at adding more platforms and testing features.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TLGDKX/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Mathieu LE CLEACH</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KTE9WR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KTE9WR</pentabarf:event-slug>
            <pentabarf:title>Predictive Analytics for Adversary Techniques in the MITRE ATT&amp;CK Framework using Rule Mining</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T111500</dtstart>
            <dtend>20241025T114500</dtend>
            <duration>003000</duration>
            <summary>Predictive Analytics for Adversary Techniques in the MITRE ATT&amp;CK Framework using Rule Mining</summary>
            <description>### Detailed Outline

1. Introduction (3 minutes)
- Greeting and Introduction
  - Brief introduction of Tristan Madani and his credentials.
  - Overview of the presentation&#8217;s objectives.

2. Overview of MITRE ATT&amp;CK Framework (5 minutes)
- Introduction to MITRE ATT&amp;CK
  - Explanation of the framework&apos;s purpose and structure.
  - Importance in the cybersecurity community.
- Challenges Addressed
  - Discuss the vast number of TTPs and their evolution.
  - Need for prioritizing and predicting critical techniques.

3. Methodology (7 minutes)
- Data and Tools Used
  - Description of the dataset (version 13.1, May 2023) and STIX 2.1 format.
  - Tools used for data manipulation (Python).
- Rule Mining Techniques
  - Explanation of Apriori and FP-Growth algorithms.
  - Definition of key parameters: min_support (0.2) and min_threshold (0.7).
- Process
  - Conversion of TTP data into transactional data.
  - Generation of frequent itemsets and association rules using the Mlxtend library.
  - Filtering and sorting rules based on support, confidence, lift, and Zhang&apos;s metric.
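
As an added worked example of the methodology above (my own code, not the speaker&apos;s, and independent of the Mlxtend library), the block below implements Apriori with min_support 0.2, derives association rules with min_threshold 0.7 on confidence, and scores them with lift and Zhang&apos;s metric using the same definitions Mlxtend applies. The transactions are constructed sets of technique IDs, not the ATT&amp;CK v13.1 STIX data; with real data each transaction would be the set of techniques attributed to one intrusion set.

```python
from itertools import combinations

# Constructed transactions: one set of MITRE technique IDs per (assumed) intrusion set.
SAMPLE_TRANSACTIONS = [
    {"T1566.002", "T1204.001", "T1059.001"},
    {"T1566.002", "T1204.001", "T1105"},
    {"T1566.001", "T1204.002", "T1059.005"},
    {"T1566.001", "T1204.002", "T1059.005", "T1105"},
    {"T1566.001", "T1204.002", "T1203"},
    {"T1566.002", "T1204.001"},
    {"T1059.001", "T1105"},
    {"T1566.001", "T1204.002", "T1059.005"},
    {"T1190", "T1105"},
    {"T1566.002", "T1204.001", "T1203"},
]


def apriori(transactions, min_support=0.2, max_len=3):
    """Frequent itemsets: {frozenset(items): support}, support = fraction of transactions containing them."""
    n = len(transactions)

    def support(items):
        return sum(1 for t in transactions if t >= items) / n

    candidates = {frozenset([i]) for t in transactions for i in t}
    frequent, k = {}, 1
    while candidates and max_len >= k:
        level = {s: support(s) for s in candidates}
        level = {s: v for s, v in level.items() if v >= min_support}
        frequent.update(level)
        # join step: frequent k-itemsets sharing k-1 items give the (k+1)-candidates ...
        joined = {a | b for a in level for b in level if len(a | b) == k + 1}
        # ... prune step: every k-subset of a candidate must itself be frequent (anti-monotonicity)
        candidates = {c for c in joined if all(frozenset(s) in level for s in combinations(c, k))}
        k += 1
    return frequent


def association_rules(frequent, min_confidence=0.7):
    """Rules A -> B with support, confidence, lift and Zhang's metric from the frequent itemsets."""
    rules = []
    for itemset, s_ab in frequent.items():
        for r in range(1, len(itemset)):              # singletons yield no rules
            for ante in combinations(sorted(itemset), r):
                a = frozenset(ante)
                b = itemset - a
                s_a, s_b = frequent[a], frequent[b]   # subsets of a frequent set are frequent
                conf = s_ab / s_a                     # P(B | A)
                if conf >= min_confidence:
                    lift = conf / s_b                 # above 1: A raises the chance of B over its base rate
                    denom = max(s_ab * (1 - s_a), s_a * (s_b - s_ab))
                    zhang = (s_ab - s_a * s_b) / denom if denom else 0.0   # in [-1, 1]; near 1 = strong
                    rules.append({"antecedent": a, "consequent": b, "support": s_ab,
                                  "confidence": conf, "lift": lift, "zhang": zhang})
    return sorted(rules, key=lambda x: (-x["lift"], -x["confidence"], -x["support"]))


if __name__ == "__main__":
    freq = apriori(SAMPLE_TRANSACTIONS)
    for rule in association_rules(freq)[:5]:
        print(sorted(rule["antecedent"]), "->", sorted(rule["consequent"]),
              f"conf={rule['confidence']:.2f} lift={rule['lift']:.2f} zhang={rule['zhang']:.2f}")
```

On the constructed data the rule T1204.001 -> T1566.002 comes out with confidence 1.0 and lift 2.5, which is the shape of the spearphishing-link association the talk reports; with the real dataset the numbers change, the procedure does not.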

4. Key Findings (10 minutes)
- Top Association Rules
  - Presentation of the top 5 rules using different metrics (confidence, lift, conviction, Zhang&apos;s metric).
- Significant Associations
  - Brief discussion of notable associations:
    - T1204.001 (Malicious Link) with T1566.002 (Spearphishing Link).
    - T1059.005 (Visual Basic) with T1204.002 (Malicious File) and T1566.001 (Spearphishing Attachment).
    - T1203 (Exploitation for Client Execution) with T1566.001 and T1204.002.
- Insights on Tactics
  - Key findings related to specific tactics like Initial Access, Execution, Command and Control.
  - Importance of associations involving PowerShell, Windows Command Shell, etc.

5. Visual Representations (3 minutes)
- Heat Maps and Parallel Coordinates
  - Explanation of these visual tools.
  - Brief examples to illustrate strong relationships and patterns.

6. Conclusion (2 minutes)
- Implications for Cybersecurity
  - Practical benefits of the predictive approach for threat hunting and proactive defense.
  - How organizations can prioritize security resources based on predictions.
- Future Enhancements
  - Potential for enhancing the dataset with more comprehensive data.
  - Importance of ongoing research to keep up with evolving threats.

7. Q&amp;A (5 minutes)
- Open the Floor for Questions
  - Encourage audience questions and discussion.

### Total Time: 30 minutes</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/KTE9WR/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Tristan MADANI</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DJ7SZA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DJ7SZA</pentabarf:event-slug>
            <pentabarf:title>Introducing the ACTOR Model: Adversary Simulation is dead, long live Adversary Simulation!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T133000</dtstart>
            <dtend>20241025T133500</dtend>
            <duration>000500</duration>
            <summary>Introducing the ACTOR Model: Adversary Simulation is dead, long live Adversary Simulation!</summary>
            <description>The landscape of cyber threats has outgrown many of the traditional methods used in adversary simulation. Enter the ACTOR Model: a fresh and comprehensive framework that addresses the limitations of current simulation tools. In this talk, titled &quot;Adversary Simulation is dead, long live Adversary Simulation!&quot;, Tristan Madani takes you through a humorous yet deeply technical journey of how adversary simulation has evolved. The session will explore the five key components of the ACTOR Model&#8212;Adversary, Capabilities, Target, Operations, and Results&#8212;while showing how they interconnect to create realistic, customizable simulations that reflect modern-day cyber threats.

Whether you&apos;re a security practitioner looking to refine your approach to adversary simulation or simply intrigued by the future of cybersecurity, this talk will offer valuable insights into how the ACTOR Model bridges the gap between theory and practical defense strategies. It&#8217;s not just about surviving the cyber battlefield; it&apos;s about simulating it with precision, foresight, and strategy.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/DJ7SZA/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Tristan MADANI</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GUYCCV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GUYCCV</pentabarf:event-slug>
            <pentabarf:title>AIL Project: Secrets in Squares - QR Codes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T133500</dtstart>
            <dtend>20241025T134000</dtend>
            <duration>000500</duration>
            <summary>AIL Project: Secrets in Squares - QR Codes</summary>
            <description>AIL Project is an open source framework to collect, crawl, dig and analyse unstructured data. The framework can be used to find information leaks, intelligence, insights and much more.

AIL includes an extensible Python-based framework for the analysis of unstructured information collected via an advanced Crawler manager or from different feeders (such as Twitter, Discord, Telegram Stream providers) or custom feeders.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/GUYCCV/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Aurelien Thirion</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Y8AAE9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Y8AAE9</pentabarf:event-slug>
            <pentabarf:title>Pentests using LLMs</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T134000</dtstart>
            <dtend>20241025T134500</dtend>
            <duration>000500</duration>
            <summary>Pentests using LLMs</summary>
            <description>Conjunction of LLMs and GANs in cybersecurity: network, OSINT, social engineering. Active probing techniques. Relation to LLM-based coding, TDD, test oracles, fuzzing. Next steps: adversarial SUT replication, humans as weakness, arms race dilemma.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/Y8AAE9/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Al Mochkin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AK3C7H@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AK3C7H</pentabarf:event-slug>
            <pentabarf:title>Learn anything - reload</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T134500</dtstart>
            <dtend>20241025T135000</dtend>
            <duration>000500</duration>
            <summary>Learn anything - reload</summary>
            <description>There&apos;s no secret: you can actually learn anything.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/AK3C7H/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WYPGG7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WYPGG7</pentabarf:event-slug>
            <pentabarf:title>Luks Full Disk Encryption Upside-Down</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T135000</dtstart>
            <dtend>20241025T135500</dtend>
            <duration>000500</duration>
            <summary>Luks Full Disk Encryption Upside-Down</summary>
            <description>A live demo where I show what happens with plaintext data that was stored on the disk before full disk encryption was activated.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/WYPGG7/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Michael Hamm</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RMMUL7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RMMUL7</pentabarf:event-slug>
            <pentabarf:title>Phantom DLL Hijacking in Powershell.exe (aka Backdooring Powershell for Fun and Profit)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T135500</dtstart>
            <dtend>20241025T140000</dtend>
            <duration>000500</duration>
            <summary>Phantom DLL Hijacking in Powershell.exe (aka Backdooring Powershell for Fun and Profit)</summary>
            <description>This technique requires local administrator or system privileges to exploit, but it could be enticing for threat actors or red teams as it allows the loading of malicious code from a trusted process and a signed binary.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/RMMUL7/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Tristan MADANI</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VLZFAQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VLZFAQ</pentabarf:event-slug>
            <pentabarf:title>Internal Domain Name Collision 2.0</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T140000</dtstart>
            <dtend>20241025T143000</dtend>
            <duration>003000</duration>
            <summary>Internal Domain Name Collision 2.0</summary>
            <description>During our research, we examined how legacy systems configured before the TLD boom can become susceptible to these collisions, potentially allowing threat actors to redirect or intercept sensitive internal traffic. This vulnerability can have a ripple effect, impacting even newly installed systems that rely on configurations from those legacy systems (e.g. DHCP, DNS Suffix, etc.). This presentation will showcase our methodology for identifying vulnerable domains and present real-world examples of high-value targets at risk, including a major European city, a US Police Department, and critical infrastructure companies. These examples underscore the scale and the urgency of addressing this known but often overlooked aspect of internal domain name collisions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VLZFAQ/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Philippe Caturegli</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>99DP7K@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-99DP7K</pentabarf:event-slug>
            <pentabarf:title>Lucky leaks: 400+ mln files are worth a thousand words</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T143000</dtstart>
            <dtend>20241025T150000</dtend>
            <duration>003000</duration>
            <summary>Lucky leaks: 400+ mln files are worth a thousand words</summary>
            <description>My good friend Eireann and I spent the last two years collecting and studying the activity of 50+ ransomware groups through their DLS (Data Leak Site), more often than not hidden by the Tor network.

We discovered that the list of the files inside the leaks can provide plenty of information about the gang&apos;s TTP, the impact for the victim and the most effective countermeasures.

We also started in August 2024 to automatically analyse leaks at scale, to better understand the real impact for the compromised entity.

We want to present the current results of this ongoing research effort, together with some of the methodologies we used and some mistakes criminals made that we were able to exploit.

The talk will not be recorded and is tagged TLP:RED.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/99DP7K/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Lorenzo Nicolodi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JKUEDF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JKUEDF</pentabarf:event-slug>
            <pentabarf:title>Reverse engineering Android apps with ACVTool</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T150000</dtstart>
            <dtend>20241025T153000</dtend>
            <duration>003000</duration>
            <summary>Reverse engineering Android apps with ACVTool</summary>
            <description>ACVTool was initially developed within the University of Luxembourg with the idea of driving coverage-guided fuzzing and other automated testing frameworks for closed-source Android apps. It turned out that Android bytecode has many interesting peculiarities, which made ACVTool a highly challenging project. Over the past year, the ACVTool project underwent a major revision. ACVTool has evolved into a well-defined tool capable of effectively depicting executed code when reverse engineering Android apps.

The 2024 ACVTool release solved the major Multidex instrumentation challenge, making it possible to handle modern Android apps. ACVTool has also learnt to deal with multiple APKs, as Google Play nowadays delivers bundled apps in several APKs. This requires maintaining the same signature over all APKs when repackaging only one of them. When it comes to repackaging, we learnt that Apktool, the most widely used repackaging tool, fails too often on complex applications. Therefore, ACVTool now implements a more effective solution, moving away from Apktool to the baksmali project. ACVTool runs baksmali to rewrite instrumented DEX files, and then we patch and rewrite the AndroidManifest right inside the APK, which was apparently another challenge.

Additionally, ACVTool now allows for highlighting a particular feature execution. This may help reverse engineers significantly narrow the scope of analysed code and also better depict a feature execution. We demonstrate how it works on a preselected app.

Finally, ACVTool includes an experimental shrinking functionality to further limit the analysis surface. From our experience, an average app may run less than 20% of its code when tested exhaustively. Usually, this still results in a huge pile of smali code to examine. Thus, instruction coverage of a single feature combined with shrinking gives a perfect slice of just executed code. Convenient to analyse!

ACVTool is freely available on GitHub under the Apache 2.0 License. The Multidex instrumentation technique was patented; however, its implementation is free and fully available in the ACVTool repository https://github.com/pilgun/acvtool.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/JKUEDF/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Aleksandr Pilgun</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VAZ8JH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VAZ8JH</pentabarf:event-slug>
            <pentabarf:title>Detection And Response for Linux without EDR</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T153000</dtstart>
            <dtend>20241025T160000</dtend>
            <duration>003000</duration>
            <summary>Detection And Response for Linux without EDR</summary>
            <description>In modern, networked, enterprise IT environments, the focus of defense teams has shifted from monitoring network infrastructure towards endpoints. Installing endpoint detection and response (EDR) software on user workstations and servers &#8211; and actually monitoring their activities and findings &#8211; has become an easy default choice. However, it appears that in the development of most EDR products, with their heritage in antivirus software, a very Windows-centric worldview is retained. Support for other operating systems, especially Linux, seems to come as an afterthought, leaving visibility gaps that may be easily exploited by skilled attackers.

After evaluating several EDR vendors&apos; products specifically for use in a large, heterogeneous Linux server landscape, we found that their capabilities were no match for our existing near-real-time detection mechanisms. We couldn&apos;t even replicate our previous work using the products. Deciding against any EDR product meant that we needed to find an alternative approach to building out response capabilities. This talk illustrates mostly home-grown approaches to detection and response engineering that provide analysts with tools for generating context and for large-scale threat hunting, while making it as pleasant as possible for operations teams to integrate the required components into their systems.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VAZ8JH/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Hilko Bengen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TNXGJL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TNXGJL</pentabarf:event-slug>
            <pentabarf:title>Mercator - Mapping the information system</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T161500</dtstart>
            <dtend>20241025T164500</dtend>
            <duration>003000</duration>
            <summary>Mercator - Mapping the information system</summary>
            <description>Creating a detailed map of the Information System provides a holistic view of all its components, enhancing readability and control. This cartography is crucial for the protection, defense, and resilience of the information system. It serves as an essential tool for managing information systems effectively and is mandatory for essential entities (NIS2) as part of a broader risk management framework.

GitHub of the project: https://github.com/dbarzin/mercator</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/TNXGJL/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Didier Barzin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8GX8MS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8GX8MS</pentabarf:event-slug>
            <pentabarf:title>Disconnecting games with a single packet: an Unreal untold story</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T164500</dtstart>
            <dtend>20241025T171500</dtend>
            <duration>003000</duration>
            <summary>Disconnecting games with a single packet: an Unreal untold story</summary>
            <description>## Introduction
Cheating is a major threat to the Multiplayer Online Game industry, undermining the fairness among players and impacting their user experience.  

## Unreal Engine: crucial common pieces of many games
Game engines are software frameworks designed for the creation of video games, providing core functionalities to developers. Vulnerabilities within the engine, shared by multiple games, can spread widely. This talk focuses on Unreal Engine (UE), which powers some of the most famous games in the industry.

We introduce UE&apos;s network architecture, highlighting the UDP-based application-layer protocols used for communication, as well as the encryption components available.

## A new attack exploiting Unreal Engine security features
We introduce new attacks that we have reported to all affected games through a responsible disclosure process. The general idea is to disconnect opponents within the same match by sending a single, specific packet. The attack exists in several flavors, with different packets, for different reasons.

We present concrete examples of the attack in practice with three video demonstrations on the following games: Fortnite, The Finals, and Valorant.

We present the methods we applied to investigate the root causes behind these vulnerabilities, combining static code analysis and dynamic profiling using an experimental game, developed with Unreal Engine.

We present and explain our findings: When parsing a received packet, the engine checks the data&apos;s validity to detect corrupted values that could propagate to errors in the game logic. In some specific cases, this can lead to the client being disconnected from the ongoing game. This feature is likely to have been designed for security purposes to disconnect suspicious clients trying to tamper with the game packets. However, a malicious player A can exploit this by spoofing player B&apos;s IP address and sending a single faulty packet to disconnect B from the game, performing a Denial-of-Service attack against B. 

We explain the limitations of Unreal Engine&#8217;s encryption components in preventing those attacks.

## Practical exploitability of the attack
We present two detailed procedures to carry out this attack in different contexts. 
1. By broadcasting the specific packet within a LAN. 
2. In an online Game context over the Internet. We outline the steps required: finding the target&apos;s IP address (using the ICE protocols to establish a P2P communication traversing firewalls), spoofing an IP address over the Internet (bypassing Source Address Validation), and launching the attack.

We discuss potential mitigations that Unreal developers could implement.

## Conclusion
While making the task easier for game developers, game engines inadvertently broaden the scope of vulnerabilities. Consequently, achieving security at the engine level is essential to strengthening the overall game industry. New powerful attacks targeting big names in the video game industry are disclosed and explained, with a focus on the limitations of the network devices used for security: firewall traversal, and IP address spoofing. It is an eye-opener for that community.

Beyond video games, Unreal Engine is also used in VR, digital twins, automotive HMI, and more. While we haven&apos;t identified other exploitations of this vulnerability yet, it could lead to more critical issues in the future. Therefore, it&apos;s crucial to raise awareness and fix it.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2024/talk/8GX8MS/</url>
            <location>Europe - Main Room</location>
            
            <attendee>Hugo Bertin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3FRCUT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3FRCUT</pentabarf:event-slug>
            <pentabarf:title>XOR Cryptanalysis</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T101500</dtstart>
            <dtend>20241025T114500</dtend>
            <duration>013000</duration>
            <summary>XOR Cryptanalysis</summary>
            <description>In this 2-hour workshop, Didier will guide you through XOR cryptanalysis exercises using several open source tools (several of these tools are created and maintained by Didier).

After an introduction to the XOR operator and its use in cryptography, we will work through several exercises that will familiarize you with tools like:

- CyberChef
- translate.py
- XOR 010 Editor script
- XORSearch
- xor-kpa.py

And we will end with exercises using custom ransomware decryption tools that Didier developed for a particular ransomware strain with flawed crypto.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/3FRCUT/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VZN7KU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VZN7KU</pentabarf:event-slug>
            <pentabarf:title>Exploring Firmwares: Tools and Techniques for (New) Cartographers</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T140000</dtstart>
            <dtend>20241025T160000</dtend>
            <duration>020000</duration>
            <summary>Exploring Firmwares: Tools and Techniques for (New) Cartographers</summary>
            <description>*Each section will start with a quick theoretical introduction, then attendees will practice a lot through guided
examples or real hands-on. The number of exercises done will depend on the workshop duration.*

**Extraction** is the acquisition of the filesystem contained in the firmware. Classically, two types of
techniques can be employed: either using hardware access to dump its content, or directly having the
firmware accessible as an archive file. This workshop will only discuss the second one. Firmware files
can have various formats, from the most classical ones, which can be easily mounted or extracted, to
undocumented handmade ones. In the latter case, the format must be reverse-engineered to create the
appropriate unpacker.

Labs:
Using Binwalk[3]/Unblob[4] to extract a firmware.
- Extraction of a router firmware using binwalk or unblob, discussion of the limits of these tools.
- Create your own extractor using Kaitai Struct[5].

**Cartography** consists of gathering any information about the firmware and identifying points of interest
which will require deeper analysis to potentially find a vulnerability or to assess its security.
First, we will introduce what we are usually looking for in a firmware:
- boot process and initialization system;
- attack surface;
- classic weaknesses like SSL NO_VERIFY_PEER option;
- deprecated OpenSSL options;
- strcpy calls;
- etc.

Lab:
- Navigation into the firmware executables and their imports with Pyrrha. Manipulation of the different views proposed by the UI to identify potential entrypoints that will lead to a given binary (identified as the &quot;vulnerable&quot; one). The router firmware extracted at the previous step will be used as an example.

**Develop your own tools** As seen in the previous sections, some steps of the analysis can be supported by tools/scripts. This last part of the workshop aims to offer attendees tools to help with this development. Two main ideas will be introduced: first, integrating a new mapper in Pyrrha based on a new heuristic or to handle a specific need. The second relies on Numbat, the API used by Pyrrha to create a
graph that can be rendered and browsed in a user-friendly UI. The idea is to quickly develop a UI for
already existing tools.

---
[1] Quarkslab. Pyrrha. 2023. url: https://github.com/quarkslab/pyrrha.
[2] Quarkslab. Numbat. 2024. url: https://github.com/quarkslab/numbat.
[3] ReFirm Labs. Binwalk. 2010. url: https://github.com/ReFirmLabs/binwalk.
[4] Onekey. Unblob. 2021. url: https://github.com/onekey-sec/unblob.
[5] Kaitai Struct. 2015. url: https://github.com/kaitai-io/kaitai_struct.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/VZN7KU/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Elo&#239;se Brocas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T101500</dtstart>
            <dtend>20241025T114500</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).
The goal is to get your hands on the goods that are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ACPFRF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ACPFRF</pentabarf:event-slug>
            <pentabarf:title>The Heist: get your hands on the goods!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T140000</dtstart>
            <dtend>20241025T153000</dtend>
            <duration>013000</duration>
            <summary>The Heist: get your hands on the goods!</summary>
            <description>In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).
The goal is to get your hands on the goods that are protected by an alarm system. Triggering the alarm makes the mission fail.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/ACPFRF/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SM9XM3@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SM9XM3</pentabarf:event-slug>
            <pentabarf:title>Zeek and Destroy with Python and Machine Learning Workshop (Part 1/2)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T101500</dtstart>
            <dtend>20241025T120000</dtend>
            <duration>014500</duration>
            <summary>Zeek and Destroy with Python and Machine Learning Workshop (Part 1/2)</summary>
            <description>The Zeek open-source NSM platform is so much more than just the vanilla Zeek log files. With a bit of Zeek scripting and Python bindings, you can connect it via Zeek Broker to your Python programs and libraries like NumPy, Pandas, and TensorFlow. Join us and use Python with machine learning to supercharge your Zeek environment!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2024/talk/SM9XM3/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Eva Szilagyi</attendee>
            
            <attendee>David Szili</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KRJMJB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KRJMJB</pentabarf:event-slug>
            <pentabarf:title>Zeek and Destroy with Python and Machine Learning Workshop (Part 2/2)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20241025T140000</dtstart>
            <dtend>20241025T154500</dtend>
            <duration>014500</duration>
            <summary>Zeek and Destroy with Python and Machine Learning Workshop (Part 2/2)</summary>
            <description>The Zeek open-source NSM platform is so much more than just the vanilla Zeek log files. With a bit of Zeek scripting and Python bindings, you can connect it via Zeek Broker to your Python programs and libraries like NumPy, Pandas, and TensorFlow. Join us and use Python with machine learning to supercharge your Zeek environment!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2024/talk/KRJMJB/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Eva Szilagyi</attendee>
            
            <attendee>David Szili</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
