<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>93TYFR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-93TYFR</pentabarf:event-slug>
            <pentabarf:title>Hacking - 30+ years ago</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T090000</dtstart>
            <dtend>20251021T100000</dtend>
            <duration>010000</duration>
            <summary>Hacking - 30+ years ago</summary>
            <description>Since the internet has existed, people have been trying to circumvent security. Whereas most people nowadays do so for financial gain, 30+ years ago the world looked different. The internet connected academia. The people hacking were students, almost the only people who had access. Not many system administrators were paying much attention to security, and for hackers, breaking into sites such as that of NASA was a way to gain a reputation. In this presentation, &quot;one of the Dutch hackers&quot; will take a look at the hacking scene in the late 1980s and early 1990s.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Keynote</category>
            <url>https://pretalx.com/hack-lu-2025/talk/93TYFR/</url>
            <location>Europe</location>
            
            <attendee>Walter Belgers</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WHX9KY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WHX9KY</pentabarf:event-slug>
            <pentabarf:title>Anti-Forensics - You are doing it wrong (Believe me, I&#x27;m an IR consultant)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T101500</dtstart>
            <dtend>20251021T104500</dtend>
            <duration>003000</duration>
            <summary>Anti-Forensics - You are doing it wrong (Believe me, I&#x27;m an IR consultant)</summary>
            <description>In this talk, we&#x27;ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.

From registry edits like masking user account activity to configuring Windows EFS, we&#x27;ll examine why these techniques often fail against modern investigative workflows and how defenders use these &quot;footprints of erasure&quot; to uncover malicious intent.

Attendees will gain a comprehensive understanding of what works and what doesn&#x27;t and how to identify these techniques during incident response. Whether you&#x27;re an IR consultant, security analyst, or blue teamer, this talk offers actionable knowledge to outsmart adversarial anti-forensics tactics.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/WHX9KY/</url>
            <location>Europe</location>
            
            <attendee>Stephan Berger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>B3UDM8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-B3UDM8</pentabarf:event-slug>
            <pentabarf:title>Confessions of a Linux Drama Queen: Incident Response When Hackers Try to Steal Your Spotlight</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T104500</dtstart>
            <dtend>20251021T111500</dtend>
            <duration>003000</duration>
            <summary>Confessions of a Linux Drama Queen: Incident Response When Hackers Try to Steal Your Spotlight</summary>
            <description>1. About Me

2. Oops, they did it again - What hackers do after they break in.

3. Hackers be like &quot;Why are you so obsessed with me&quot; - Understanding the attacker&#x27;s goals. Pyramid of pain.

4. Diamonds might be forever, but logs are a girl&#x27;s best friend - Logs and other mitigation strategies. XDRs are like a beauty bag, they can be customized with all your essentials (correlation searches) and pretty useful in case of an emergency fix! (Note: I will be showing relevant logs needed to detect post-compromise activity).

5. Getting our hands dirty.
Note: I will be providing demos for these:

- Start With Your EDR Logs: Uncover the juicy secrets.
• High Risk Folders: Check high-risk directories for changes, such as /tmp, /var, and /usr/local. Attackers often hide malware in these directories, so flag unusual folder activity.
• IPs: Use commands like netstat, ss, or ip addr show to monitor unusual outbound or inbound IP connections. Watch for IPs that are outside your organization or connected to known malicious domains. If it feels shady, it probably is!

- Shell History: Linux’s way of spilling the tea!
• Focus on logs from /var/log/secure or /var/log/auth.log to track shell access. Check for any unusual command executions that could indicate privilege escalation, file tampering, or lateral movement.

- Newly Created Services: When new isn’t always better.
• Attackers may install services under false pretenses. Look for services you didn’t authorize by running systemctl list-units --type=service. If it looks out of place, it probably shouldn&#x27;t be there! Think of new services like &quot;syscleaner&quot; or &quot;tempd&quot;. Sometimes they might look really legit like LenovoAutoUpdater.sh.
• Dive into configuration files in /etc/systemd/system/ or /etc/init.d/ for service details. If anything looks too good to be true, it probably is.

- Remote Monitoring &amp; Management (RMM): Legit or suspect?
• Attackers love to piggyback on legitimate RMM tools like OpenSSH or VNC, but they’ll use them to control your environment. Review /var/log/secure and /var/log/messages for abnormal usage of these tools.

- Kernel Modules: Spotting the cheap knockoffs.
• Check for suspicious kernel modules that could indicate privilege escalation or unauthorized system access. Commands like lsmod or modprobe are your best friends for this. If you spot unfamiliar modules, that&#x27;s a massive red flag!

- Check Event Logs Like you&#x27;re reading gossip!
• Dig into /var/log/syslog and /var/log/messages for general system events. Anything out of the ordinary, like strange restarts or crashes, could be the result of a compromise.
• Use journalctl to filter and search logs for specific keywords like &quot;failed,&quot; &quot;error,&quot; or &quot;unauthorized.&quot; Think of this as going through the receipts, everyone leaves a trail!

- Suspicious Locations: The wrong side of the internet.
• Keep an eye out for login attempts from unusual geolocations or times. The last and lastb commands can show you the recent logins and failed attempts.
• Review ss or netstat for abnormal network traffic. If connections are being made to strange, distant locations, you’ve likely got a problem on your hands.

- A glimpse into the past.
• Attackers might leave traces of their activity in system caches, especially if they’re interacting with the GUI. Look for artifacts in /home/user/.cache/ or /root/.cache/ directories. Tools like strings can extract any useful text from these cache files, like sifting through old screenshots and desktop snapshots.

- Monitoring Resource Use and DHCP Logs: Your digital paparazzi.
• You can use tools like atop to monitor resource usage. Look for CPU or memory spikes that could indicate hidden malicious processes.
• DHCP Logs: Use logs from /var/lib/dhcp/ or /var/log/syslog to check for network traffic anomalies or devices connecting to your system. An unfamiliar device could be the hacker’s backdoor.

- Automate the Hunt: Keep it stylish.
• Set up automated detection with tools like auditd or OSSEC to keep tabs on file changes, service modifications, and unexpected network activity. Automation is like having your personal stylist, everything stays polished while you focus on bigger things.
• Use security frameworks like AppArmor or SELinux to limit the damage attackers can do. They’re your invisible bodyguards, protecting critical files from being tampered with.

6. How to shut it down - Mitigation and response.

7. Final Thoughts:

- Audit your logs regularly - Think of it as your daily dose of gossip!
- Baseline, baseline, baseline! - Know what &quot;normal&quot; looks like.
- Automate where you can.
- Hardening your systems - Why security is like a skin care routine.
- Practice incident response drills.
- Stay in style. Stay up to date.
- Trust your gut.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/B3UDM8/</url>
            <location>Europe</location>
            
            <attendee>Melina Phillips</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>W9DSRP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-W9DSRP</pentabarf:event-slug>
            <pentabarf:title>Containing the Threat: Analyzing cryptomining campaigns</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T111500</dtstart>
            <dtend>20251021T114500</dtend>
            <duration>003000</duration>
            <summary>Containing the Threat: Analyzing cryptomining campaigns</summary>
            <description>Container technologies have revolutionized application deployment and scalability, but they&#x27;ve also introduced new attack surfaces for threat actors. This presentation delves into the tactics, techniques, and procedures (TTPs) employed by some of the notorious cybercrime groups, such as TeamTNT, in exploiting container vulnerabilities.
We&#x27;ll begin with an overview of container security fundamentals and common misconfigurations. We&#x27;ll demonstrate how TeamTNT has evolved their tactics over time, adapting to improved security measures and expanding their target scope. Attendees will gain insights into:
- TeamTNT&#x27;s malware and C2 infrastructure
- Best practices for hardening container environments against similar attacks
- The importance of runtime security and continuous monitoring in containerized environments
This talk is aimed at security practitioners, DevOps engineers, and IT professionals looking to deepen their understanding of real-world container security threats and mitigation strategies.
The presentation will provide actionable recommendations for security professionals to enhance their container security posture and stay ahead of emerging threats in this domain.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/W9DSRP/</url>
            <location>Europe</location>
            
            <attendee>Bogdan Trufanda</attendee>
            
            <attendee>Mihai Vasilescu</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WKQ8EM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WKQ8EM</pentabarf:event-slug>
            <pentabarf:title>LOLBlue : Living Off the Land with Blue Team tools</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T114500</dtstart>
            <dtend>20251021T121500</dtend>
            <duration>003000</duration>
            <summary>LOLBlue : Living Off the Land with Blue Team tools</summary>
            <description>Our talk introduces a comprehensive and novel perspective on the offensive use of Blue Team and forensic tools — an area that has seen limited but growing interest among threat actors and red teams. While a handful of drivers and utilities have been publicly identified for such purposes, our research expands the known toolkit by presenting a systematic review of underexplored DFIR tools that can be repurposed to access system memory or protected files. We analyze how these tools operate under the hood and demonstrate real-world scenarios where they can bypass security tools.

In addition to cataloguing and evaluating these capabilities, we introduce original research on the offensive use of pre-installed or commonly deployed forensic software for data extraction and covert exfiltration. We also provide actionable guidance on detection and defence strategies, addressing a blind spot in current security literature and detection frameworks. This talk bridges the gap between DFIR tooling and offensive tradecraft, challenging defenders to reassess their trust assumptions and tool visibility.

As a company which specializes both in red teaming and incident response, Synacktiv thrives on pushing the boundaries in offensive and defensive security. As such, this joint talk will use the personal experience of both speakers to explore a fun new technique in red teaming.

Whether using pure collection tools such as DFIR-ORC or KAPE, or (ab)using the client/server architecture of Velociraptor live-forensics tool, LOLBlue offers interesting alternatives in the late stages of a red team engagement.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/WKQ8EM/</url>
            <location>Europe</location>
            
            <attendee>Maxence Fossat</attendee>
            
            <attendee>Antoine C</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>U3WC88@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-U3WC88</pentabarf:event-slug>
            <pentabarf:title>BoD: Bytes Over DNS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T134500</dtstart>
            <dtend>20251021T135000</dtend>
            <duration>000500</duration>
            <summary>BoD: Bytes Over DNS</summary>
            <description>Although the format of the labels in a DNS request is limited to just letters, digits and a hyphen character, there are implementations that allow more than that.
A small overview will be presented.

Scripts will be shared that allow attendees to do their own testing of the DNS servers of their choice.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/U3WC88/</url>
            <location>Europe</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7FRGDY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7FRGDY</pentabarf:event-slug>
            <pentabarf:title>Red Team Story: Offline SCCM backup secrets decryption</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T135000</dtstart>
            <dtend>20251021T135500</dtend>
            <duration>000500</duration>
            <summary>Red Team Story: Offline SCCM backup secrets decryption</summary>
            <description>This lightning talk presents a real red-team case study focused on SCCM backup secret decryption. Using a public SCCM lab environment (GOAD SCCM), we demonstrate the complete offline process for decrypting SCCM backup secrets, without requiring access to a live SCCM server. Although the approach has been briefly mentioned in a few articles and tweets, it has never been shown concretely from start to finish. So, we went deep to clearly reproduce and document each step, making it easier for you to use it in your future red-team operations.

The technique is especially valuable when SCCM backups are found on network shares or other exposed locations, a scenario that is surprisingly common in real-world environments. We will explain how SCCM backup-secret encryption works, highlight the artifacts that must be collected, and present a step-by-step decryption workflow. To support this, we will also share a decryption script, enabling you to reproduce the process during your next assessments and SCCM hacking. Have fun, as we did!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7FRGDY/</url>
            <location>Europe</location>
            
            <attendee>Martino</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>A33UYD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-A33UYD</pentabarf:event-slug>
            <pentabarf:title>Detection coverage in today&#x27;s blue team world</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T135500</dtstart>
            <dtend>20251021T140000</dtend>
            <duration>000500</duration>
            <summary>Detection coverage in today&#x27;s blue team world</summary>
            <description>The truth of the pudding for detection coverage is that if you ask ANY blue teamer that isn&#x27;t using OpenTide what their detection coverage is, you&#x27;re going to get at best a feeling-based qualitative answer such as &#x27;I think so&#x27;, &#x27;I feel that we are&#x27;, or &#x27;I believe that we are able to detect what we need to&#x27;. Because no one has the data to prove it. Before OpenTide, no framework existed to provide any sort of data-driven answer.

So, ultimately, NO ONE actually knows if they&#x27;re able to detect what they need to be able to detect. Many try to mature this using red or purple teaming, or using vendors to supplement their detection coverage, but ultimately, unless you can map out threats at the level of granularity that &#x27;Atomic red team&#x27; works at, you never really know.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/A33UYD/</url>
            <location>Europe</location>
            
            <attendee>Claus</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JU89ZD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JU89ZD</pentabarf:event-slug>
            <pentabarf:title>Fearless File Identification</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T140000</dtstart>
            <dtend>20251021T140500</dtend>
            <duration>000500</duration>
            <summary>Fearless File Identification</summary>
            <description>We’ll dive into the motivations behind this port: the inherent risks of running C parsers on untrusted input, and how Rust’s safety guarantees can mitigate these concerns without sacrificing performance. The project aims for near-full compatibility with *libmagic*’s rule format, ensuring seamless integration for existing users while unlocking new possibilities for portability across Rust’s supported platforms.

Attendees will get a sneak peek at the current state of the implementation, which already identifies common file types like MS-DOS executables, ELF binaries, and scripts. We’ll also discuss the roadmap, including plans to publish a Rust crate, complete a CLI tool equivalent to `file`, and create bindings for other languages.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/JU89ZD/</url>
            <location>Europe</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CMLHHF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CMLHHF</pentabarf:event-slug>
            <pentabarf:title>Hunting for Linux Extended File Attributes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T140500</dtstart>
            <dtend>20251021T141000</dtend>
            <duration>000500</duration>
            <summary>Hunting for Linux Extended File Attributes</summary>
            <description>In this lightning talk I will show how xattrs can be used to hide a payload; then I&#x27;ll introduce a quick script that will help to find potentially malicious xattrs on a filesystem.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CMLHHF/</url>
            <location>Europe</location>
            
            <attendee>Xavier Mertens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZDKXEN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZDKXEN</pentabarf:event-slug>
            <pentabarf:title>Incident reporting made easy, using Draugnet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141000</dtstart>
            <dtend>20251021T141500</dtend>
            <duration>000500</duration>
            <summary>Incident reporting made easy, using Draugnet</summary>
            <description>Draugnet is a relatively new OSS tool that facilitates the reporting of incidents, threat intel and other similar matters to an organisation (such as a CSIRT). This lightning talk aims to introduce the tool and quickly describe why anyone should care.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZDKXEN/</url>
            <location>Europe</location>
            
            <attendee>Andras Iklody</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FXR3DQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FXR3DQ</pentabarf:event-slug>
            <pentabarf:title>From Buzzword to Battlefield: The Cybersecurity Challenges of Smart Cities</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141500</dtstart>
            <dtend>20251021T144500</dtend>
            <duration>003000</duration>
            <summary>From Buzzword to Battlefield: The Cybersecurity Challenges of Smart Cities</summary>
            <description>This talk aims to expand our definition of Smart Cities; discuss the data, human, and technological risks that they face; and share resources on how to deal with them.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FXR3DQ/</url>
            <location>Europe</location>
            
            <attendee>Marina Bochenkova</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DPNKRE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DPNKRE</pentabarf:event-slug>
            <pentabarf:title>Fake Jobs, Real Malware. Uncovering How Cybercriminals are Exploiting the Employment Market</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T144500</dtstart>
            <dtend>20251021T151500</dtend>
            <duration>003000</duration>
            <summary>Fake Jobs, Real Malware. Uncovering How Cybercriminals are Exploiting the Employment Market</summary>
            <description>In this session, we will take a deep dive into a sophisticated recruitment scam run by the well-known Lazarus Group on LinkedIn and other job-related platforms. We will start by analyzing the interaction between a Bitdefender employee and a fake recruiter on LinkedIn, while also explaining what the so-called recruiter is after and what the known tactics used in these kinds of scenarios are.
Given that the scam is enabled by job-seeking developers who set out to finish the coding assessment given by the fake recruiter, we will continue with a bird’s eye view of the received code repositories. Among thousands of lines of code stolen from public repositories, the threat actors hide an obfuscated JavaScript snippet that begins the malware infection chain.

Moving forward, the complexity of the infection chain increases. A comprehensive breakdown of each step involved will be provided, with insights about malware analysis and the necessary protective measures to prevent infection:

- Downloading more malicious, self-unpacking Python scripts
- Using public services to store information (e.g. pastebin)
- Downloading a malicious binary that doubles down on the infostealing efforts, while also exfiltrating data through TOR

The presentation will end with conclusions and takeaways, while also leaving plenty of time for Q&amp;A.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/DPNKRE/</url>
            <location>Europe</location>
            
            <attendee>Ionuț Baltariu</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>U3ZG7S@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-U3ZG7S</pentabarf:event-slug>
            <pentabarf:title>intelmq.ai - adding ML model support to intelmq</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T151500</dtstart>
            <dtend>20251021T154500</dtend>
            <duration>003000</duration>
            <summary>intelmq.ai - adding ML model support to intelmq</summary>
            <description>Integrating &quot;AI&quot; into deterministic data-flow frameworks such as IntelMQ has its challenges. For example, AI tends to give stochastic answers, which might be correct or - sometimes - might not be.
How to deal with these challenges will also be discussed.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/U3ZG7S/</url>
            <location>Europe</location>
            
            <attendee>Aaron Kaplan</attendee>
            
            <attendee>Sebastian Wagner</attendee>
            
            <attendee>Jürgen Brandl</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BDUTYD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BDUTYD</pentabarf:event-slug>
            <pentabarf:title>No way to enable SSH access to your new router? The vendor might have something to hide</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T154500</dtstart>
            <dtend>20251021T161500</dtend>
            <duration>003000</duration>
            <summary>No way to enable SSH access to your new router? The vendor might have something to hide</summary>
            <description>N/A</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/BDUTYD/</url>
            <location>Europe</location>
            
            <attendee>Stanislav Dashevskyi</attendee>
            
            <attendee>Francesco La Spina</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TYQJK3@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TYQJK3</pentabarf:event-slug>
            <pentabarf:title>Oops, I Hacked It Again: Tales and disclosures</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T163000</dtstart>
            <dtend>20251021T170000</dtend>
            <duration>003000</duration>
            <summary>Oops, I Hacked It Again: Tales and disclosures</summary>
            <description>Description
=======

The talk is divided into 6 chapters. In the first one, I’ll explain what an Ethical Hacker is and what he does, and I’ll also prepare the audience for the upcoming hacking tales.

Chapter 2: Hacking tales. In this chapter I’ll talk about different ethical hacker stories that happened to me recently. Each story will have a technical part about how I exploited it and what I could do in the system, the way I communicated it to the company, and their responses.

The first story is a small update about my last talk (Insert coin: Hacking arcades for fun), where we can basically get all the customer data, charge money for free and emulate all debit cards. It affects more than 2.3k installations in more than 70 countries. But the most interesting part was the in-person meeting with the company.
The second story is about a large supermarket chain. After escalating in some web servers and getting root access, I had read/write access to the customer and employee database and was even able to modify product prices, among other things.
The third one is about a ticket sales and distribution company. The results were similar: getting all the tickets, customers and employees, being able to generate some free tickets and getting admin access. But the way to get access was different, and the response from the company was the best, ending in a request for pentesting and a security talk to the entire company.
A transportation company: after some IDORs and business logic vulnerabilities, we were able to get all tickets and user data and generate free tickets.
The last tale is about an e-commerce platform that allows businesses to create and manage their online stores: a bunch of exposed files, some .js files with the bodies of APIs. After reading some code, we were able to log in as any user in any business (insurance, airlines, banks), including some CEO accounts.

Chapter 3: In this chapter I’ll dive into the different tools (90% open source) that I use on a daily basis, methodologies and the most common mistakes that we can find.

Chapter 4: Different types of disclosure. I’ll explain why this is important, from the point of view of hackers, companies and the community. Below I’ll show the way I always present my reports, following the examples used by my friends and others.
Also, in this chapter I&#x27;ll show the normal responses from the companies and the way to handle it, cause in some cases it can be frustrating and even threatening.
To close the chapter I’ll talk a bit about BBP and VDP.

Chapter 5 will discuss the impact we can get from good feedback from companies, seeing how more companies have improved their security posture and relationship with hackers. Also, perhaps the most important part, personal growth, recognition and learning new methods/attacks in a real world scenario.

Chapter 6: Ending and conclusions. Part of the takeaways are to encourage new generations to do ethical hacking and help generate a good relationship between hackers and companies. The idea of ​​promoting the &quot;ethical&quot; part arises because unfortunately every day we see more cybercriminals selling user data and other confidential information of third parties. We have a responsibility to educate, identify and work on security vulnerabilities. 

Outline
=======

- Introduction
   - Whoami
   - Disclaimer
   - What&#x27;s an “ethical hacker”?
- Hacking tales
   - Conclusion from the arcade company of last year
   - Large supermarket chain
   - Tickets sales and distribution company
   - Transport company
   - E-commerce platform
- Essentials
   - Tools
   - Methodology
   - Common mistakes
- Disclosures
   - Types
   - Why is it important?
   - My way to report
   - Other ways to report
   - Handling responses from companies
   - BBP/VDP
- Impact of ethical hacking
   - Feedback from companies who I hacked
   - Encouraging others to get involved in ethical hacking
- Conclusions
   - Takeaways
   - Q/A</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TYQJK3/</url>
            <location>Europe</location>
            
            <attendee>Ignacio Navarro</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Y3DGVG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Y3DGVG</pentabarf:event-slug>
            <pentabarf:title>OverLAPS: Overriding LAPS Logic</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T170000</dtstart>
            <dtend>20251021T173000</dtend>
            <duration>003000</duration>
            <summary>OverLAPS: Overriding LAPS Logic</summary>
            <description>LAPS &quot;v1&quot; (legacy Microsoft LAPS) and &quot;v2&quot; (current Windows LAPS) have been studied by numerous people. 

However, past research has focused on attacking LAPS from the server side, i.e. recovering passwords from AD/Entra with high privileges on the infrastructure. 
This research takes a different approach: client-side techniques that give users control over their own LAPS password, changing the LAPS password on demand.

This talk explores a new angle and shares practical techniques that hackers can experiment with and apply in their own work.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/Y3DGVG/</url>
            <location>Europe</location>
            
            <attendee>Antoine Goichot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EXYEBP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EXYEBP</pentabarf:event-slug>
            <pentabarf:title>Phishing detection using various parts of DNS ecosystem</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T173000</dtstart>
            <dtend>20251021T180000</dtend>
            <duration>003000</duration>
            <summary>Phishing detection using various parts of DNS ecosystem</summary>
            <description>DNS (Domain Name System) is one of the cornerstones of the internet. Its various parts create a rather complex, interconnected ecosystem, with many observation points for phishing detection. Some of those are covered by CERT.PL monitoring systems as our contribution to the DNS4EU project – an entirely European DNS resolver.
In our presentation we will show our three approaches to phishing detection. Firstly, how we identify new phishing domains in .pl by looking into DNS registry data. Secondly, we will show how we monitor DNS requests at the .pl TLD nameserver level for early phishing campaign detection. Thirdly, we will present how we analyze requests at the resolver level in order to detect phishing across various TLDs.
We will discuss when we use a rule-based approach/heuristics, and when we decided to use machine learning/AI methods to boost our analytics. We will talk about the pros and cons of our systems, and how good they are at phishing detection.</description>
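The registry-level and resolver-level observation points described above, as an added example that is not CERT.PL's or DNS4EU's code: a rule-based triage over a constructed feed of .pl registrations and a few constructed resolver query lines. The brand watch-list, lure words, allowlist, thresholds, the log line format and every record are assumptions invented for the demo.

```python
"""Rule-based phishing-domain triage over constructed DNS data (added example)."""
import re
from collections import defaultdict
from datetime import date

BRANDS = ["allegro", "inpost", "pkobp", "olx"]      # assumed brand watch-list
LURE_WORDS = {"login", "secure", "verify", "platnosc", "dostawa", "paczka"}
ALLOWLIST = {"allegro.pl", "inpost.pl"}             # known-good registrations
SECOND_LEVEL = {"com", "net", "org", "edu"}         # handles example.com.pl
NEW_DOMAIN_DAYS = 7      # "fresh" = registered within the last week
FLAG_SCORE = 3           # registry score needed to flag a domain
BURST_THRESHOLD = 3      # distinct clients querying one fresh domain
TODAY = date(2025, 10, 21)                          # fixed clock for the demo

# Constructed registry feed: (domain, registration date)
REGISTRY = [
    ("allegro-dostawa.pl", "2025-10-19"),
    ("inp0st-paczka.com.pl", "2025-10-20"),
    ("kwiaciarnia-krakow.pl", "2025-10-20"),
    ("allegro.pl", "1999-04-12"),
]

# Constructed resolver log lines; the line format is an assumption
RESOLVER_LOG = """\
2025-10-21T09:58:01 client=10.0.0.5 qname=allegro-dostawa.pl qtype=A
2025-10-21T09:58:07 client=10.0.0.9 qname=allegro-dostawa.pl qtype=A
2025-10-21T09:58:20 client=10.0.1.2 qname=allegro-dostawa.pl qtype=A
2025-10-21T09:58:25 client=10.0.0.5 qname=kwiaciarnia-krakow.pl qtype=A
2025-10-21T09:59:00 client=10.0.0.7 qname=allegro.pl qtype=A
"""
LOG_RE = re.compile(r"client=(\S+) qname=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'inp0st-paczka.com.pl' -> 'inp0st-paczka'; 'allegro.pl' -> 'allegro'."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2]


def days_old(registered: str) -> int:
    return (TODAY - date.fromisoformat(registered)).days


def score_domain(domain: str, registered: str):
    """Registry-level heuristics: return (score, reasons)."""
    label = registrable_label(domain)
    tokens = label.split("-")
    score, reasons = 0, []
    if any(brand in label for brand in BRANDS):
        score += 2
        reasons.append("brand keyword")
    elif any(len(t) >= 5 and levenshtein(t, brand) == 1
             for t in tokens for brand in BRANDS):
        score += 2
        reasons.append("brand typosquat")
    if any(t in LURE_WORDS for t in tokens):
        score += 1
        reasons.append("lure word")
    age = days_old(registered)
    if NEW_DOMAIN_DAYS >= age:
        score += 1
        reasons.append(f"registered {age} days ago")
    return score, reasons


def triage_registry(records):
    """Flagged domain -> reasons; allowlisted domains are never scored."""
    flagged = {}
    for domain, registered in records:
        if domain not in ALLOWLIST:
            score, reasons = score_domain(domain, registered)
            if score >= FLAG_SCORE:
                flagged[domain] = reasons
    return flagged


def fresh_domains(records):
    return {d for d, r in records if NEW_DOMAIN_DAYS >= days_old(r)}


def query_bursts(log_text: str, fresh: set):
    """Resolver-level heuristic: fresh domains hit by many distinct clients."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            client, qname = m.groups()
            qname = qname.lower().rstrip(".")
            if qname in fresh:
                clients[qname].add(client)
    return {d: len(c) for d, c in clients.items() if len(c) >= BURST_THRESHOLD}
```

A brand substring, a one-edit typosquat and a registration age are cheap and explainable, which is why heuristics suit the registry feed; they also flag legitimate partner and reseller domains, so an allowlist and analyst review belong in front of any blocking, and that false-positive cost is the usual reason to move parts of the pipeline to a trained model.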
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/EXYEBP/</url>
            <location>Europe</location>
            
            <attendee>Piotr Białczak</attendee>
            
            <attendee>Michał Hałoń</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>V3GFCH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-V3GFCH</pentabarf:event-slug>
            <pentabarf:title>RomCom exploits Firefox and Windows zero days in the wild</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T180000</dtstart>
            <dtend>20251021T183000</dtend>
            <duration>003000</duration>
            <summary>RomCom exploits Firefox and Windows zero days in the wild</summary>
            <description>In October 2024, we discovered, in the wild, a zero-click exploit that combines two previously unknown vulnerabilities: one in Mozilla products, and the other in Microsoft Windows. We attribute the exploit to the Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability, after the abuse of CVE-2023-36884 in June 2023 against Microsoft Word documents related to the Ukrainian World Congress and the NATO summit.

The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and if successful, the latter downloads and executes the RomCom backdoor. We don’t know how the link to the fake website is distributed; however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required.

Analysis of the hosted files revealed a weaponized vulnerability for the latest versions of Firefox and Tor Browser at that time. The bug is a use-after-free vulnerability in the animation timeline, allowing arbitrary code to be executed in the context of Firefox’s sandboxed content process. While we’re not certain whether RomCom developed or bought the exploit, the code demonstrates deep knowledge of Firefox’s internals. We reported this vulnerability to the Firefox team, who acknowledged it and released a patch in an impressive 25 hours.

In the meantime, we analyzed the second stage of the exploit and discovered a sandbox escape vulnerability in Windows. An undocumented and permissive RPC endpoint allowed execution of code at the medium integrity level, regardless of the privilege level of the calling process, resulting in an elevation of privileges on the system. RomCom exploited this bug to break out of Firefox’s sandbox and download further components in order to deploy the group’s backdoor. Microsoft published a security advisory and released a patch in early November.

Studying RomCom’s arsenal highlights a high level of sophistication and the group’s ongoing effort to arm itself with powerful capabilities. The combination of the two zero-day vulnerabilities allowed this threat actor to compromise computers without any user interaction. This presentation provides a comprehensive overview of RomCom, its usual TTPs, this compromise chain, and its victimology. We also include a detailed technical analysis of the exploits and the corrective measures implemented by Mozilla and Microsoft.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/V3GFCH/</url>
            <location>Europe</location>
            
            <attendee>Damien Schaeffer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SLSQAL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SLSQAL</pentabarf:event-slug>
            <pentabarf:title>From Achilles to NIS2: Slovakian Lessons on Proactive Cybersecurity and Vulnerability Disclosure</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T183000</dtstart>
            <dtend>20251021T190000</dtend>
            <duration>003000</duration>
            <summary>From Achilles to NIS2: Slovakian Lessons on Proactive Cybersecurity and Vulnerability Disclosure</summary>
            <description>The NIS2 directive allows CSIRTs to carry out active, non-intrusive scanning of publicly accessible networks and information systems of entities. In Slovakia, proactive vulnerability scanning is already a cornerstone of the activities of the government unit CSIRT.SK within its constituency, exemplified by the Achilles project. The recently amended Slovak Cybersecurity Act further clarifies that all CSIRT units have the legal authority to conduct non-invasive vulnerability detection and assessments within their scope. These assessments explicitly avoid negative impacts on the networks, systems, or services being evaluated, maintaining a balance between proactive security and minimal disruption.
From the perspective of the Slovak CSIRT.SK, Poland&#x27;s draft Cybersecurity Act under NIS2 introduces a more invasive approach, allowing Polish CSIRTs to bypass system protections for security assessments, resembling red teaming. For Slovakia to conduct similar assessments, clear legal frameworks (including mandates, consent protocols, and GDPR compliance), technical capabilities (such as secure testing environments and skilled personnel), and organizational structures (governance, risk management, and cooperation protocols) would be essential.
In the area of coordinated vulnerability disclosure mandated under Article 12 of the NIS2, Slovak law already contains an obligation for public organizations to publish rules for reporting vulnerabilities on their websites. The idea behind this legal regulation is that it does not directly oblige researchers, but the entities responsible for operating public administration information systems and technologies. They are obliged to publish rules on how security research can be carried out and the procedure for responsible publication of vulnerabilities. We believe it is appropriate to issue a framework policy for responsible vulnerability disclosure as a generally binding legal act. In addition, proper reporting channels should be used; for this purpose, the security.txt concept can be used.
The vulnerability assessment process is intertwined with cyber threat intelligence, as it relies on up-to-date insights into emerging threats and adversary tactics. Threat intelligence analysts populate the MISP (Malware Information Sharing Platform) with data on threat actors, their tactics, techniques, and procedures (TTPs), as well as known vulnerabilities exploited in active campaigns. The vulnerability assessment team uses this intelligence to prioritize assessments, focusing on specific threat actor campaigns and the vulnerabilities they exploit, thereby enhancing proactive defense measures and risk mitigation strategies.
The presentation examines how these approaches reflect the broader goals of proactive cybersecurity and security research while addressing the challenges of harmonization and trust in public-private partnerships. Additionally, it concludes with recommendations for CSIRTs to balance proactive assessments with legal and ethical considerations, including developing clear testing policies, ensuring transparency with affected entities, and fostering collaboration through secure information-sharing frameworks.</description>
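The abstract points to security.txt (RFC 9116) as the reporting channel. The validator below is an added example, not CSIRT.SK's code or any project's: it checks a file's contents against the RFC's basic rules (required Contact and Expires, at-most-once fields, URI contact values, https-only Canonical and Policy, an Expires that is time-zone aware, not past and not more than a year ahead). The two sample files, the fictional example.gov.sk host and the fixed clock are constructed.

```python
"""security.txt (RFC 9116) content validator (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
CANONICAL_NAME = {f.lower(): f for f in KNOWN_FIELDS}   # names are case-insensitive
REQUIRED = {"Contact", "Expires"}
AT_MOST_ONCE = {"Expires", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
HTTPS_ONLY = ("Canonical", "Policy")
NOW = datetime(2025, 10, 21, tzinfo=timezone.utc)         # fixed clock for the demo

# Constructed sample files for a fictional public body
GOOD = """\
# Constructed example, not a real organisation
Contact: mailto:security@example.gov.sk
Contact: https://example.gov.sk/vdp
Expires: 2026-06-30T00:00:00Z
Policy: https://example.gov.sk/vdp/policy
Preferred-Languages: sk, en
Canonical: https://example.gov.sk/.well-known/security.txt
"""
BAD = """\
Contact: security@example.gov.sk
Expires: 2024-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
Encryption: https://example.gov.sk/pgp.asc
"""


def parse_security_txt(text: str) -> dict:
    """Map canonical field name -> list of values; '#' lines are comments."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        name = name.strip()
        fields[CANONICAL_NAME.get(name.lower(), name)].append(value.strip())
    return dict(fields)


def validate_security_txt(text: str, now: datetime = NOW) -> list:
    """Return a list of problems; an empty list means the file is usable."""
    fields = parse_security_txt(text)
    problems = []
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field {name}")
    for name in sorted(AT_MOST_ONCE):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear exactly once")
    for name in sorted(set(fields) - KNOWN_FIELDS):
        problems.append(f"unknown field {name}")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact value is not a URI: {value}")
    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} must be an https URL: {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires has no time zone")
        elif now >= expires:
            problems.append("security.txt has expired")
        elif expires > now + timedelta(days=365):
            problems.append("Expires is more than a year in the future")
    return problems
```

This checks contents only. The RFC additionally requires the file to be served over HTTPS at /.well-known/security.txt, and recommends a cleartext PGP signature; a stale Expires is the most common defect in deployed files, which is why the validator treats it as an error rather than a warning.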
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/SLSQAL/</url>
            <location>Europe</location>
            
            <attendee>Michal Rampášek</attendee>
            
            <attendee>Alexander Valach</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L8UDVY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L8UDVY</pentabarf:event-slug>
            <pentabarf:title>API Underworld: Red Team Hacking Secrets</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T101500</dtstart>
            <dtend>20251021T114500</dtend>
            <duration>013000</duration>
            <summary>API Underworld: Red Team Hacking Secrets</summary>
            <description>Session 1: Introduction to API Security

Overview of API Security
Real-world examples of API security breaches
Importance of securing APIs

Session 2: Reconnaissance Techniques

Introduction to reconnaissance
Using Shodan for API recon
Google Dorking for API endpoints
Practical exercise: Recon on a sample API

Session 3: Identifying API Vulnerabilities

Common API vulnerabilities
Demonstration: SQL Injection, XSS on APIs
Hands-on: Scanning an API with Burp Suite

Session 4: OSINT for API Security

What is OSINT?
Tools: Maltego, theHarvester, Wayback
Practical exercise: Conducting OSINT on an API target

Session 5: Hands-On Vulnerability Exploitation

Step-by-step guide to exploiting API vulnerabilities
Practical exercises on various vulnerabilities
Group activity: Find and exploit vulnerabilities on a mock API

Session 6: Wrap-Up and Q&amp;A

Recap of key points
Final thoughts and best practices
Open Q&amp;A session for participants</description>
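For the SQL injection demonstration in session 3, an added example that is not the workshop's own material: the injectable query an API handler typically builds from a query-string parameter, beside the parameterised version and the input allow-list a hardened endpoint applies before touching the database. The endpoint, the users table, its rows and the tautology payload are constructed; sqlite3 stands in for whatever database the API fronts.

```python
"""Injectable vs. parameterised lookup behind a JSON API (added example)."""
import re
import sqlite3

TAUTOLOGY = "' OR '1'='1"          # constructed attacker input for ?username=
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed username format


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the API's real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "admin"),
         ("bob", "bob@example.test", "user"),
         ("carol", "carol@example.test", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """The bug: the parameter is pasted into the SQL text, so quotes reach the parser."""
    sql = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    """The fix: the driver binds the value; it can never change the query's shape."""
    return conn.execute(
        "SELECT username, email, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def api_get_user(conn, params: dict, safe: bool = True):
    """Stand-in for GET /api/users?username=...; returns (status, body)."""
    username = params.get("username", "")
    if safe and not USERNAME_RE.fullmatch(username):   # allow-list before the DB
        return 400, {"error": "invalid username"}
    lookup = lookup_parameterized if safe else lookup_vulnerable
    rows = lookup(conn, username)
    if not rows:
        return 404, {"error": "not found"}
    return 200, [{"username": u, "email": e, "role": r} for u, e, r in rows]
```

Binding is the fix; the allow-list is defence in depth that also keeps oversized or odd input from reaching the database at all, and it is the first thing a Burp scan of the endpoint will probe by sending quotes, comment markers and boolean tautologies in every parameter.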
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/L8UDVY/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Parth Shukla</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FZDEPW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FZDEPW</pentabarf:event-slug>
            <pentabarf:title>Crafting an Infoleak exploit - A Hands On tutorial</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141500</dtstart>
            <dtend>20251021T161500</dtend>
            <duration>020000</duration>
            <summary>Crafting an Infoleak exploit - A Hands On tutorial</summary>
            <description>Memory corruption bugs don&#x27;t always have to result in arbitrary code execution. Sometimes a memory corruption bug can be put to an entirely different purpose, in this case turning it into an Infoleak bug to bypass ASLR.

This workshop demonstrates how to make infoleak bugs happen seemingly from thin air. Students will work with a 12-year-old vulnerability in a popular web server and turn it into a brand new Infoleak bug.

**Outline**
- Case study of an integer overflow bug in a popular web server.
- Understanding the chain of function calls and frames on the stack.
- Understanding the basis of an infoleak.
- Using GDB to hit-trace black-box binaries to analyse the sequence of function calls.
- Diverting the flow of functions after memory corruption to produce meaningful output.
- Populating the output with arbitrary values.
- Leaking the stack pointer address.
- Leaking libc base address.
- Putting the infoleak exploit together

The case study will be presented for X86 as well as ARM32 binaries.

*Theory* - 1 hour
*Exercise* - 1 hour

**Students will be provided with** a docker container with the necessary debugging and exploit development tools. Students are expected to bring a laptop with a working Docker installation.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FZDEPW/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Saumil Shah</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XGVKFA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XGVKFA</pentabarf:event-slug>
            <pentabarf:title>Kunai: From Zero to Ninja</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T163000</dtstart>
            <dtend>20251021T183000</dtend>
            <duration>020000</duration>
            <summary>Kunai: From Zero to Ninja</summary>
            <description>In this workshop, participants will learn everything they need to know to install Kunai and start monitoring their Linux environment to spot attackers or simply for fun.

### Part 1: Introduction to Kunai
- **Essential Information**: Cover all the essential information about Kunai.
- **Documentation Walkthrough**: Quick walkthrough of the Kunai documentation, explaining what participants can expect from this tool.
- **Hands-on Exercises**: Conduct exercises to help participants become familiar with the tool, its command line, and configuration file.

### Part 2: Advanced Kunai Usage
- **Custom Detection Rules**: Building custom detection rules to detect specific anomalies or malware.
- **Indicators of Compromise (IoCs)**: Learning how to load IoCs into the detection engine.
- **Integration with MISP**: How to integrate Kunai with your favorite MISP instance.
- **Additional Topics**: If time allows, we will also cover additional advanced topics.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/XGVKFA/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>K8ACJX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-K8ACJX</pentabarf:event-slug>
            <pentabarf:title>Web forensic with Lookyloo</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T101500</dtstart>
            <dtend>20251021T114500</dtend>
            <duration>013000</duration>
            <summary>Web forensic with Lookyloo</summary>
            <description>This workshop will start by explaining how modern websites are often implemented. We will then give an introduction to the tool and a demonstration of its modules, and continue with an introduction to the API and how to integrate it with your own tools.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/K8ACJX/</url>
            <location>Hollenfels</location>
            
            <attendee>Raphaël Vinot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EEZ3PN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EEZ3PN</pentabarf:event-slug>
            <pentabarf:title>Detection Engineering with Sigma</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141500</dtstart>
            <dtend>20251021T161500</dtend>
            <duration>020000</duration>
            <summary>Detection Engineering with Sigma</summary>
            <description>This workshop will cover the following topics:

* Introduction to the [Sigma detection format](https://sigmahq.io/docs/basics/rules.html).
* Don&#x27;t reinvent the wheel: searching existing Sigma rules.
* Developing simple Sigma rules for single events.
* Developing [Sigma correlation rules](https://sigmahq.io/docs/meta/correlations.html) to detect event relationships.
* Validation of Sigma rules.
* Using LLMs to support Sigma rule development.</description>
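To make the rule structure concrete before converting rules with the Sigma tooling, an added example that is not from the workshop, pySigma or sigma-cli: a small evaluator that runs one rule directly against constructed process-creation events. The rule, the events and the MonitoringAgent.exe exclusion are invented; the evaluator handles the common subset (equality, contains, startswith, endswith, list values as OR, and conditions built from selection names with and/or/not/parentheses), not wildcards, regex modifiers or "x of" quantifiers.

```python
"""Minimal Sigma rule evaluator over constructed process-creation events (added example)."""
import re

RULE = {   # constructed rule in Sigma's structure
    "title": "Reconnaissance via whoami, net or nltest",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": ["\\whoami.exe", "\\net.exe", "\\nltest.exe"]},
        "filter_agent": {"ParentImage|endswith": "\\MonitoringAgent.exe"},  # assumed benign parent
        "condition": "selection and not filter_agent",
    },
    "level": "medium",
}

# Constructed events with Sysmon-style field names
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Program Files\\Agent\\MonitoringAgent.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\NLTEST.EXE",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def match_field(event: dict, key: str, expected) -> bool:
    """One 'Field|modifier: value(s)' line; matching is case-insensitive as in Sigma."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:                      # a list of values is an OR
        value = str(value).lower()
        if ((modifier == "" and actual == value)
                or (modifier == "contains" and value in actual)
                or (modifier == "startswith" and actual.startswith(value))
                or (modifier == "endswith" and actual.endswith(value))):
            return True
    return False


def match_selection(event: dict, selection) -> bool:
    """A map is AND over its lines; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition: str, results: dict) -> bool:
    """Recursive-descent evaluation of the condition over per-selection results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if len(tokens) > pos else None

    def primary() -> bool:
        tok = take()
        if tok == "(":
            value = expr()
            take()                            # closing parenthesis
            return value
        if tok == "not":
            return not primary()
        return results[tok]                   # a selection name

    def term() -> bool:                       # 'and' binds tighter than 'or'
        value = primary()
        while peek() == "and":
            take()
            value = primary() and value
        return value

    def expr() -> bool:
        value = term()
        while peek() == "or":
            take()
            value = term() or value
        return value

    return expr()


def match_rule(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def matching_ids(rule: dict, events: list) -> list:
    return [e["id"] for e in events if match_rule(rule, e)]
```

Event 2 shows why the filter exists: the same net.exe execution from a known monitoring agent would otherwise fire on every host, and tuning that exclusion (by parent image, user or command line) is the bulk of the validation step before a rule is shipped.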
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/EEZ3PN/</url>
            <location>Hollenfels</location>
            
            <attendee>Thomas Patzke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7K3DUQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7K3DUQ</pentabarf:event-slug>
            <pentabarf:title>Flowintel - Flow your management</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T101500</dtstart>
            <dtend>20251021T114500</dtend>
            <duration>013000</duration>
            <summary>Flowintel - Flow your management</summary>
            <description>In this workshop, participants will learn how to install, configure, and start using Flowintel.

By working on a sample case, the audience will be guided through the tool and discover its key features, including creating cases and tasks, assigning users, integrating with MISP in different ways, and much more.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7K3DUQ/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Cruciani David</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AMCS8W@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AMCS8W</pentabarf:event-slug>
            <pentabarf:title>Payload Obfuscation for Red Teams</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141500</dtstart>
            <dtend>20251021T171500</dtend>
            <duration>030000</duration>
            <summary>Payload Obfuscation for Red Teams</summary>
            <description>In this workshop we will leverage the RISC-V architecture and the LLVM ecosystem to build a simple obfuscation pipeline. The VM interpreter code is small and once it is loaded, you do not need to allocate additional executable pages to execute arbitrary payloads.

Covered topics:
- Introduction to VM-based obfuscation
- Basics of the RISC-V architecture
- Compiling payloads for the RISC-V architecture
- Obfuscating the VM interpreter for evasion
- VM Hardening to complicate reversing the payloads (as time allows)
- Building a basic C2 framework (as time allows)

The bulk of the work will be done in a GitHub Codespace (Linux), which makes it easy for participants to get started. However, the final payloads need to be executed in a Windows VM (which you have to prepare beforehand).

**Note**: Participants need C programming and Linux command line experience to follow along with the workshop. Reverse engineering experience is highly recommended. The concepts covered in the second half of the workshop are quite advanced.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training (long)</category>
            <url>https://pretalx.com/hack-lu-2025/talk/AMCS8W/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Duncan Ogilvie</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T141500</dtstart>
            <dtend>20251021T154500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251021T163000</dtstart>
            <dtend>20251021T180000</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GGT3WY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GGT3WY</pentabarf:event-slug>
            <pentabarf:title>Tracking and documenting Threat Actors using MISP - A slightly different approach</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T083000</dtstart>
            <dtend>20251022T090000</dtend>
            <duration>003000</duration>
            <summary>Tracking and documenting Threat Actors using MISP - A slightly different approach</summary>
            <description>This technical talk is about a development project involving a toolset that enhances MISP&#x27;s ability to store and update Threat Actor profiles. The presenter will introduce the initial problem and describe the concept of the solution and the details of the implementation. Besides this, the audience will see the toolset in action while the presenter goes through the lifecycle of a threat actor profile (e.g. initial creation, updates).

#### Agenda
- Initial problem statement
- Concept and technical details
- Demo with TA profile lifecycle (showing the toolset in action using an imaginary Threat Actor Profile)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/GGT3WY/</url>
            <location>Europe</location>
            
            <attendee>Csaba Barta</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7XNVBR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7XNVBR</pentabarf:event-slug>
            <pentabarf:title>A pragmatic approach to build a threat landscape</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T090000</dtstart>
            <dtend>20251022T093000</dtend>
            <duration>003000</duration>
            <summary>A pragmatic approach to build a threat landscape</summary>
            <description>&quot;What are the threats relevant for us?&quot; is likely one of the most common questions the threat intelligence team is asked by management as well as technical stakeholders. Answering the question is challenging. Just picking some random insights from recently read threat reports certainly doesn&#x27;t give a holistic view. Not all threats that were reported publicly are relevant for one&#x27;s own organization, and the other way around: one&#x27;s own sector is possibly underrepresented in public reporting, and some threats like ransomware are opportunistic and simply don&#x27;t care about the sector they attack. There are lots of further questions, e.g. whether the usage of a technique that is mentioned in a threat report from ten years ago is still relevant. And what about the observations of one&#x27;s own operational security teams?

In this talk I will show a pragmatic, reasonable-effort approach for building a technical threat landscape that results in a MITRE ATT&amp;CK map of techniques by utilizing different (open and private) sources and own observations. All techniques are mapped to a relevance that allows focusing further efforts on the most relevant techniques. Furthermore, I will show how this threat landscape can be used to support governance and purple teaming efforts.

The talk will be concluded with some experiences and statistics to answer questions like:

* How many of the techniques documented in ATT&amp;CK are really relevant?
* Are there really irrelevant techniques?
* How often should such a threat landscape be updated?
* How much value do the used sources provide? Are they possibly biased?</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7XNVBR/</url>
            <location>Europe</location>
            
            <attendee>Thomas Patzke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8A9RUW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8A9RUW</pentabarf:event-slug>
            <pentabarf:title>Exploring Threats Leveraging Blockchains</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T093000</dtstart>
            <dtend>20251022T100000</dtend>
            <duration>003000</duration>
            <summary>Exploring Threats Leveraging Blockchains</summary>
            <description>Nothing to add; I cover the entire agenda in the abstract. If you have any questions, ping me.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/8A9RUW/</url>
            <location>Europe</location>
            
            <attendee>Rascagneres Paul</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UYUQFR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UYUQFR</pentabarf:event-slug>
            <pentabarf:title>Reversing a Pay Phone for Fun but No Profit</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T101500</dtstart>
            <dtend>20251022T104500</dtend>
            <duration>003000</duration>
            <summary>Reversing a Pay Phone for Fun but No Profit</summary>
            <description>In this talk I tell the story of how I decided to reverse engineer the Israeli payphone, which was nothing short of an engineering marvel for its time. The talk is laid out according to the MITRE ATT&amp;CK tactics and shows how the same principles apply to fun projects and not just CNE.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/UYUQFR/</url>
            <location>Europe</location>
            
            <attendee>Inbar Raz</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7XPR8X@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7XPR8X</pentabarf:event-slug>
            <pentabarf:title>Slipping Through the Cracks: How Malicious Emails Evade Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T104500</dtstart>
            <dtend>20251022T111500</dtend>
            <duration>003000</duration>
            <summary>Slipping Through the Cracks: How Malicious Emails Evade Detection</summary>
            <description>This talk will present the evasion techniques extracted from user-reported messages, along with an overview of our analysis infrastructure, CrawlerBox, designed to overcome cloaking tactics that exploit browser fingerprinting and bot detection challenges. CrawlerBox is made available as an open-source tool to assist other researchers in pursuing further studies.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7XPR8X/</url>
            <location>Europe</location>
            
            <attendee>Elyssa Boulila</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QSWNWS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QSWNWS</pentabarf:event-slug>
            <pentabarf:title>Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T111500</dtstart>
            <dtend>20251022T114500</dtend>
            <duration>003000</duration>
            <summary>Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign</summary>
            <description>- CPR uncovered a large-scale ongoing campaign involving thousands of first-stage malicious samples used to deploy an EDR/AV killer module in its initial stage. This module was first detected and recorded in June 2024. It was observed leveraging and exploiting more than 2,500 distinct variants of the legacy version **2.0.2** of the known vulnerable driver **Truesight.sys**, which is the RogueKiller Antirootkit Driver and part of Adlice’s product suite. This driver has a known vulnerability in versions below 3.4.0.

- The attackers exploited the legacy version 2.0.2 of the Truesight driver to take advantage of a Windows policy loophole (Exception in Driver Signing Policy), allowing the driver to be loaded on the latest versions of Windows OS. Notably, the attackers specifically selected the 2.0.2 version because it retains the vulnerable code while also bypassing the latest Microsoft Vulnerable Driver Blocklist and common detection mechanisms, such as those introduced by the LOLDrivers project, none of which detect this version.

- To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid. We detected over 2,500 validly signed variants of this driver.

- The attackers leveraged infrastructure in a public cloud&#x27;s China region to host payloads and operate their C2 servers. Around 75% of the victims are located in China, while the remainder come from other parts of Asia (e.g., Singapore, Taiwan).

- The initial-stage samples act as downloaders/loaders and often disguise themselves as well-known applications. They are typically distributed via phishing methods, including deceptive websites and phishing channels in messaging apps. Along with the EDR/AV killer module, they are designed to prepare the infected machine to deliver final-stage payloads, such as Gh0st RAT variants.

- CPR reported this issue to MSRC, leading to an updated version of the Microsoft Vulnerable Driver Blocklist (available since December 17, 2024), effectively preventing all variants of the legacy driver exploited in this campaign.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/QSWNWS/</url>
            <location>Europe</location>
            
            <attendee>Jiří Vinopal</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YXLGPP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YXLGPP</pentabarf:event-slug>
            <pentabarf:title>Smack my LLM up!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T114500</dtstart>
            <dtend>20251022T121500</dtend>
            <duration>003000</duration>
            <summary>Smack my LLM up!</summary>
            <description>In this talk, I present a forensic case study detailing how a threat actor compromised Meta’s LLM-driven moderation system to systematically hijack verified accounts, using prompt injection, linguistic manipulation, and automation loopholes to trigger platform-enforced takedowns and force ransom-based negotiations. The incident involved a globally active cybercrime network and exposed critical flaws in the trust models of cloud-native AI enforcement systems.

We will walk through the forensic process behind the investigation, analyze prompt-level exploit vectors, and demonstrate how attackers craft model-passing language to elicit beneficial outcomes from black-box systems. Moving from the operational to the analytical, I will also introduce Python-based techniques from forensic linguistics and stylometry that aid in detecting AI-generated text, model hallucinations, and adversarial prompt traces—applicable to both post-mortem analysis and real-time detection pipelines.

Finally, the talk explores the ethical grey zones emerging at the intersection of synthetic content detection, digital identity, and model-assisted enforcement. In the wrong hands, detection tools can become instruments of censorship or control—making it critical to understand both the how and the why behind these systems.

This is a talk for red teamers, detection engineers, AI researchers, and anyone standing at the fault line between automation and abuse.

Audience Takeaways:

- Real-world attack path exploiting LLM-based automation in platform support
- Techniques for detecting AI-generated text via forensic linguistic analysis
- Python-based NLP tools for stylometry and prompt anomaly detection (will share my code)
- Ethical considerations around AI-generated content detection in moderation and compliance
- Operational guidance for improving LLM security posture in cloud deployments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/YXLGPP/</url>
            <location>Europe</location>
            
            <attendee>Jindrich Karasek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7RCD77@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7RCD77</pentabarf:event-slug>
            <pentabarf:title>Malware Investigation Pipeline: From Honeypot to Threat Intel</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T134500</dtstart>
            <dtend>20251022T135000</dtend>
            <duration>000500</duration>
            <summary>Malware Investigation Pipeline: From Honeypot to Threat Intel</summary>
            <description>Threat hunters are frequently faced with large volumes of compromised artifacts that demand fast triage and mitigation. Manual analysis often becomes a bottleneck, limiting the ability to respond effectively at a large scale.

MIP addresses this challenge by automating the end-to-end forensic investigation of QCOW2 disk images collected from Cowrie SSH honeypots. The pipeline extracts relevant forensic data using Dissect, validates findings against VirusTotal, and disseminates verified IOCs to MISP.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7RCD77/</url>
            <location>Europe</location>
            
            <attendee>Andreia-Irina Ocanoaia</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TNJYVT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TNJYVT</pentabarf:event-slug>
            <pentabarf:title>May the world ever again experience such a Christmas night!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T135000</dtstart>
            <dtend>20251022T135500</dtend>
            <duration>000500</duration>
            <summary>May the world ever again experience such a Christmas night!</summary>
            <description>.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TNJYVT/</url>
            <location>Europe</location>
            
            <attendee>Christophe Vandeplas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PAHBU9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PAHBU9</pentabarf:event-slug>
            <pentabarf:title>Nmap Scanning, Fast and Slow</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T135500</dtstart>
            <dtend>20251022T140000</dtend>
            <duration>000500</duration>
            <summary>Nmap Scanning, Fast and Slow</summary>
            <description>Slides will be published on: https://github.com/x41sec/slides

*Update:* they have been published here: https://github.com/x41sec/slides/blob/master/2025-hacklu/hacklu2025_Nmap-scanning-fast-and-slow.pdf</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/PAHBU9/</url>
            <location>Europe</location>
            
            <attendee>Luc Gommans</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>K79YTL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-K79YTL</pentabarf:event-slug>
            <pentabarf:title>Port Mimic: It&#x27;s a Trap! (And so is every other port)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T140000</dtstart>
            <dtend>20251022T140500</dtend>
            <duration>000500</duration>
            <summary>Port Mimic: It&#x27;s a Trap! (And so is every other port)</summary>
            <description>## How it works

Port Mimic uses nftables to set up a trap. It will listen on every port on the given interface and redirect the traffic to a honey port. As soon as a threshold of packets is received on trap ports, it will put the offender on a bad IP list and redirect all traffic to our mimic program.

So what an attacker will see has nothing to do with the real target; think internet-connected teapot or the world&#x27;s most welcoming database.

Ideally that will waste their time and alert defenders to set countermeasures, or, if the machine is connected to the internet, it will muddy the waters and make port scanners less reliable for target discovery.

Listening ports are excluded from the trap, so you don&#x27;t have to worry about users being affected.

### Credits

This project is inspired by [portspoof](https://github.com/drk1wi/portspoof)

Major differences:
- This project is written in Python and uses nftables to set up the trap, so it doesn&#x27;t require root or fiddling with iptables.
- There is no need to manually exclude ports from the trap, it will automatically exclude the ports that are open on the interface.
- The mimic will cover your regular ports as soon as it detects a port scanner, so you don&#x27;t have to worry about it.
- Instead of opening all ports, we will pretend to be something else, so an attacker will not notice or be alerted to our shenanigans (ideally).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/K79YTL/</url>
            <location>Europe</location>
            
            <attendee>Jürgen Brandl</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UJWRHX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UJWRHX</pentabarf:event-slug>
            <pentabarf:title>RANGE42 - An open source cyber range</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T140500</dtstart>
            <dtend>20251022T141000</dtend>
            <duration>000500</duration>
            <summary>RANGE42 - An open source cyber range</summary>
            <description>Discover RANGE42, our open source cyber range project. Started a few months ago, it aims to turn your on-premises infrastructure into realistic hacking and/or defense playgrounds within minutes.
We&#x27;ll briefly show what we&#x27;ve built, what we&#x27;re doing and what we plan to do next.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/UJWRHX/</url>
            <location>Europe</location>
            
            <attendee>Benjamin Collas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>X9XNMG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-X9XNMG</pentabarf:event-slug>
            <pentabarf:title>Meet Plum, the challenge of your own ASR for free</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141000</dtstart>
            <dtend>20251022T141500</dtend>
            <duration>000500</duration>
            <summary>Meet Plum, the challenge of your own ASR for free</summary>
            <description>Plum is a young development of the CIRCL D4 project, with simple agent deployment in mind. The goal of this lightning talk is to talk about the Luxembourgish IP space.
I will explain the challenges of scanning the IP space and show some funny results and effective use cases that we had after just 2 weeks of production.
But the real goal of this talk is to collect interest, the needs of people, and why not, some pull requests too.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/X9XNMG/</url>
            <location>Europe</location>
            
            <attendee>Paul JUNG</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PVSLFP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PVSLFP</pentabarf:event-slug>
            <pentabarf:title>Open source is a virus</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141500</dtstart>
            <dtend>20251022T144500</dtend>
            <duration>003000</duration>
            <summary>Open source is a virus</summary>
            <description>Former Microsoft CEO Steve Ballmer once said that Linux and open source were a cancer. But &quot;developers, developers, developers !!!&quot; know that Linux and open source are not a cancer but a virus, because you can use virus scanning techniques and tools to discover (vulnerable) open source software :)

We hacked YARA to build rules and more effectively detect open source software sources and binaries as if they were malware, generating rules on demand for fun and profit, and integrating software composition analysis with malware hunting!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/PVSLFP/</url>
            <location>Europe</location>
            
            <attendee>Philippe Ombredanne</attendee>
            
            <attendee>Prabhu Subramanian</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HBRVAC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HBRVAC</pentabarf:event-slug>
            <pentabarf:title>Security Monitoring and Response in Large Linux Environments</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T144500</dtstart>
            <dtend>20251022T151500</dtend>
            <duration>003000</duration>
            <summary>Security Monitoring and Response in Large Linux Environments</summary>
            <description>.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/HBRVAC/</url>
            <location>Europe</location>
            
            <attendee>Hendrik Schmidt</attendee>
            
            <attendee>Hilko Bengen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3UEDY8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3UEDY8</pentabarf:event-slug>
            <pentabarf:title>Digic8 Oracle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T151500</dtstart>
            <dtend>20251022T154500</dtend>
            <duration>003000</duration>
            <summary>Digic8 Oracle</summary>
            <description>The presentation will introduce the technical context: what kind of computing platform a recent DSLR/mirrorless camera is, with several computing units (ARM, Xtensa...) and operating systems (real-time or not).

Then previous hacking activities on this platform will be described, as well as recent work by the Magic Lantern team on the EOS R. The next step will describe how a camera update is done, using the FIR file format: 1 - verifying digital signatures, 2 - decrypting a mini OS version and rebooting on it, then 3 - applying the software updates: writing them in Flash ROM and rebooting to the main software.

We will explain for the first time how the FIR format provides confidentiality (AES encryption) and content authentication (based on digital signatures). Before 2018, the signature scheme was based on HMAC-SHA1 with complex key generation. Because the key material was inside the firmware and Magic Lantern reversed the whole mechanism, they were able to forge valid FIR signatures to later launch their payload &#x27;autoexec.bin&#x27; in memory. But this changed in 2018 with the release of the EOS R model. Do not be afraid, only high-level cryptography concepts will be used.

It should be recalled that dumping the firmware of some cameras using a hidden BASIC interpreter is possible on the EOS R and RP (Digic 8 hardware generation), and on EOS R5 / R6 cameras (Digic 10 hardware). This was discovered years ago on PowerShot models.

The original approach of this talk is to use a dump of the EOS R to decrypt, first, its own FIR updates, without doing deep reverse engineering. We use a trick (because it is more elegant): emulating the cryptographic functions embedded in the obtained firmware dump as an oracle, almost as a black box.

And because the same decryption key is used for all Digic 8 cameras, our trick will also work for other Digic 8 models. Then our Python tool based on Unicorn emulation will be enhanced to also decrypt firmware update records. This gives access to the content of all Digic 8 camera updates, to port Magic Lantern or other hacking projects to cameras you do not own yourself. The Python decryption tool based on emulation, **d8_oracle.py**, will be released before the talk.

Neither firmware dumps nor decryption keys will be released with this presentation; you&#x27;ll need to obtain a dump by yourself, which is easy, and we&#x27;ll explain how.

Because we are not so lazy and you&#x27;re hopefully curious, the decryption and signature algorithms will be explained, and you&#x27;ll be able to verify ECDSA signatures for Digic 8 and Digic 10 camera updates (FIR files) yourself with a dedicated Python tool: **d810_verify.py**. The evolution and improvements of the FIR features will also be compared.

Now that we can emulate this ECDSA implementation, we can easily study it. Unless there is a serious problem, as an asymmetric signature algorithm it will not be possible to forge valid signatures for recent FIR updates without the private key, which makes native code execution on recent cameras a problem, as opposed to before 2018.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/3UEDY8/</url>
            <location>Europe</location>
            
            <attendee>laurent clevy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GLE99H@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GLE99H</pentabarf:event-slug>
            <pentabarf:title>The “S” in IoT: Tales from inside the IoT industry</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T154500</dtstart>
            <dtend>20251022T161500</dtend>
            <duration>003000</duration>
            <summary>The “S” in IoT: Tales from inside the IoT industry</summary>
            <description>This talk offers an IoT industry insider’s candid perspective on why the IoT industry treats security as an afterthought.

We’ll start with a review of the IoT landscape, drawing on input from experienced IoT developers in the consumer audio and toy domains as well as from IoT platform developers. We’ll examine the commercial and marketing pressures, the technical “best practices” and the obvious problems of time, money, and available talent.

Next, we’ll dive into a real-world case study: the design and development of a kids’ screen-free audio speaker developed by a Belgian IoT startup. We’ll explore key business and engineering decisions and their consequences.

Finally, we’ll look at where the IoT industry is headed, what it would take to nudge it in the right direction, and how the cybersecurity community can help.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/GLE99H/</url>
            <location>Europe</location>
            
            <attendee>Will Moffat</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YMT98Q@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YMT98Q</pentabarf:event-slug>
            <pentabarf:title>The Parking Chronicles - A DIY Guide to Agents Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T163000</dtstart>
            <dtend>20251022T170000</dtend>
            <duration>003000</duration>
            <summary>The Parking Chronicles - A DIY Guide to Agents Detection</summary>
            <description>Bluetooth and BLE are everywhere - powering everything from smart devices to the devices carried by parking-control agents. How secure are these invisible signals we rely on daily? In this talk, we’ll take a deep dive into the lesser-known risks of Bluetooth communication, using a real-world case study that challenges both privacy and device security. Join David as he unpacks his journey of detecting municipal parking agents, uncovering unexpected security challenges along the way. Using practical hacking techniques, this session will make you rethink how &quot;safe&quot; your wireless interactions really are. Whether you&#x27;re a security professional or just someone who uses Bluetooth every day, you’ll walk away with new insights into how these signals can be detected and exploited.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/YMT98Q/</url>
            <location>Europe</location>
            
            <attendee>David Sopas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FJ3JBL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FJ3JBL</pentabarf:event-slug>
            <pentabarf:title>What Malware Leaves Behind: Analysing Forensic Traces of Ransomware</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T170000</dtstart>
            <dtend>20251022T173000</dtend>
            <duration>003000</duration>
            <summary>What Malware Leaves Behind: Analysing Forensic Traces of Ransomware</summary>
            <description>Ransomware attacks have surged in both frequency and sophistication, but even after the malicious code has been executed and removed, remnants of the attack linger. 

This session will delve into the forensic analysis of a ransomware infection, using open-source tools to uncover what happens after the initial compromise.

Through a controlled lab scenario, we’ll simulate the infection of a Windows VM with ransomware, and then use a triage approach to collect and analyze digital artifacts that remain on the system. The primary focus will be on using Autopsy, RegRipper, and Velociraptor to uncover forensic traces and attack patterns, such as:
1. File remnants, including encrypted files, ransom notes, and deleted files.
2. Registry artifacts that could reveal malware persistence techniques.
3. Behavioral artifacts, such as network traffic and execution traces left by the malware.

The session will be split into two parts:

Part 1: Live Demo (5 minutes):
This will include a brief walkthrough of the infected machine, showing evidence of the ransomware attack such as the encrypted files and the ransom note.
It will also include a live demonstration using Autopsy or Velociraptor to extract critical forensic data from the infected system.

Part 2: Post-Infection Analysis (25 minutes):

This part will involve a deeper analysis of the system, explaining how these tools work together to detect and reconstruct the attack. It will answer several questions about post-infection analysis, such as:

- How to correlate the findings across multiple tools (Autopsy’s file-level analysis, RegRipper’s registry examination, Velociraptor’s live endpoint queries).
- Mapping artifacts to attacker TTPs (Tactics, Techniques, and Procedures) using the MITRE ATT&amp;CK framework.

By the end of this session, attendees will gain a solid understanding of what to look for when investigating ransomware incidents and how to use these open-source tools to piece together the story of the attack. Whether you&#x27;re working in DFIR, SOC, or threat hunting, this talk will provide the practical skills to identify and analyze ransomware behavior through forensic investigation.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FJ3JBL/</url>
            <location>Europe</location>
            
            <attendee>Ankshita Maunthrooa</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FEBNLJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FEBNLJ</pentabarf:event-slug>
            <pentabarf:title>Integrating Zeek With Third-Party Applications</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T173000</dtstart>
            <dtend>20251022T180000</dtend>
            <duration>003000</duration>
            <summary>Integrating Zeek With Third-Party Applications</summary>
            <description>(See abstract.)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FEBNLJ/</url>
            <location>Europe</location>
            
            <attendee>Christian Kreibich</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WSLDVZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WSLDVZ</pentabarf:event-slug>
            <pentabarf:title>The cloud journey 2013-2025 of the European Commission</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T180000</dtstart>
            <dtend>20251022T183000</dtend>
            <duration>003000</duration>
            <summary>The cloud journey 2013-2025 of the European Commission</summary>
            <description>In this talk I will present both how public cloud adoption should be done in 2025 and how the EC has done it since day 1 of our experimentation with public cloud, starting in 2013.

The talk will present how you can control the security debt you allow to be created and the plus/minuses of each type of approach.

Then the talk will present the new security framework/paradigm of the EC in public cloud and how this has been put in place to address many of the real, measurable threats/risks of public cloud adoption.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/WSLDVZ/</url>
            <location>Europe</location>
            
            <attendee>Claus</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9FBZYF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9FBZYF</pentabarf:event-slug>
            <pentabarf:title>Kaitai Struct: a tool for dealing with binary formats</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T183000</dtstart>
            <dtend>20251022T190000</dtend>
            <duration>003000</duration>
            <summary>Kaitai Struct: a tool for dealing with binary formats</summary>
            <description>Kaitai Struct has got you covered: it introduces a declarative domain-specific language (based on YAML) for describing the structure of arbitrary binary formats. Format specifications in this language are consumed by a compiler, which generates ready-to-use parsing modules in 12 programming languages (C++, C#, Go, Java, JavaScript, Lua, Nim, Perl, PHP, Python, Ruby, Rust). It is also possible to generate Java and Python modules that support both parsing and serialization (writing structures to bytes in the specified binary format). There are more than 180 format descriptions in the format gallery and hundreds more in various GitHub projects.

This talk will focus on visualization and dumping tools that are part of the Kaitai project: the console visualizer and Web IDE. They are invaluable for debugging file formats, reverse engineering and forensic analysis.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/9FBZYF/</url>
            <location>Europe</location>
            
            <attendee>Petr Pucil</attendee>
            
            <attendee>Mikhail Yakshin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LKEYFD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LKEYFD</pentabarf:event-slug>
            <pentabarf:title>Utilman &amp; CMD</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T191000</dtstart>
            <dtend>20251022T192000</dtend>
            <duration>001000</duration>
            <summary>Utilman &amp; CMD</summary>
            <description>In 2004, a vulnerability (MS04-019 July 2004) in utilman.exe was revealed.
Turns out utilman.exe runs with SYSTEM privileges.
And any user can just start it by pushing the right keys.
This inspired me in 2006 to turn this feature into a backdoor on Windows XP and blog about it.
And since then, I&#x27;ve been involved in security incidents where this exact technique was used.
Let me share some examples ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/LKEYFD/</url>
            <location>Europe</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MYVUFV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MYVUFV</pentabarf:event-slug>
            <pentabarf:title>101: How to break IPS &amp; SIEM</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T192000</dtstart>
            <dtend>20251022T193000</dtend>
            <duration>001000</duration>
            <summary>101: How to break IPS &amp; SIEM</summary>
            <description>Have you ever thought about how your situation might look if:
- the SIEM is blowing up &amp; there are no ghostbusters around?
- the NIPS follows RNG freestyle?
- no-one thought about back-ups, because they weren&#x27;t buzzwords yet?
And what if all of this happened at the same moment? :)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MYVUFV/</url>
            <location>Europe</location>
            
            <attendee>Nicol Dankova</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7FXZPN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7FXZPN</pentabarf:event-slug>
            <pentabarf:title>A quick retrospective of a student discovering programming &amp; other failures</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T193000</dtstart>
            <dtend>20251022T194000</dtend>
            <duration>001000</duration>
            <summary>A quick retrospective of a student discovering programming &amp; other failures</summary>
            <description>.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7FXZPN/</url>
            <location>Europe</location>
            
            <attendee>Sami Mokaddem</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RQSWSG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RQSWSG</pentabarf:event-slug>
            <pentabarf:title>All Your CCTV’s are Belong to Us</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T194000</dtstart>
            <dtend>20251022T195000</dtend>
            <duration>001000</duration>
            <summary>All Your CCTV’s are Belong to Us</summary>
            <description>A true story in which an organization had CCTVs connected to the Internet; they were used to break in and led to a full compromise with a nice gift: ransomware.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/RQSWSG/</url>
            <location>Europe</location>
            
            <attendee>Xavier Mertens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SJWVWP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SJWVWP</pentabarf:event-slug>
            <pentabarf:title>Phish Perfect: How I broke the thing while trying to protect it.</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T195000</dtstart>
            <dtend>20251022T200000</dtend>
            <duration>001000</duration>
            <summary>Phish Perfect: How I broke the thing while trying to protect it.</summary>
            <description>- SOC analyst or internal threat? When the call is coming from inside the house.
- Cast and crew: All the people involved, including the lady who nagged me and I didn&#x27;t even work directly with.
- An oblivious girl&#x27;s guide to threat hunting and phishing: Incident narrative.
- Save your tears for another day: Owning up to your screw ups.
- Embracing the suck: Lessons learned.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/SJWVWP/</url>
            <location>Europe</location>
            
            <attendee>Melina Phillips</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RZCBVH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RZCBVH</pentabarf:event-slug>
            <pentabarf:title>Analysing the 1991 Lips Eloctro mechatronic lock</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T200000</dtstart>
            <dtend>20251022T201000</dtend>
            <duration>001000</duration>
            <summary>Analysing the 1991 Lips Eloctro mechatronic lock</summary>
            <description>What happens when a hacker and lockpicker gets his hands on an old electromechanical lock? He&#x27;s going to look at it, of course! The talk contains desoldering, ROM dumping, decompiling and more.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/RZCBVH/</url>
            <location>Europe</location>
            
            <attendee>Walter Belgers</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RBTA8A@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RBTA8A</pentabarf:event-slug>
            <pentabarf:title>Suricata Lua Support</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T201000</dtstart>
            <dtend>20251022T202000</dtend>
            <duration>001000</duration>
            <summary>Suricata Lua Support</summary>
            <description>A history of Suricata Lua support. How it was the greatest thing ever for detection and custom output, but ended up never being used.

We will also see how it was an open door into the system running Suricata.

And finally, will the new implementation fix the issue?</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/RBTA8A/</url>
            <location>Europe</location>
            
            <attendee>Eric Leblond</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZPQFGH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZPQFGH</pentabarf:event-slug>
            <pentabarf:title>The beauty of vibe coding</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T202000</dtstart>
            <dtend>20251022T203000</dtend>
            <duration>001000</duration>
            <summary>The beauty of vibe coding</summary>
            <description>Trials and tribulations of trying to build an application exclusively via vibe coding</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZPQFGH/</url>
            <location>Europe</location>
            
            <attendee>Andras Iklody</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KRNUBT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KRNUBT</pentabarf:event-slug>
            <pentabarf:title>The cve-search design failure(s)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T203000</dtstart>
            <dtend>20251022T204000</dtend>
            <duration>001000</duration>
            <summary>The cve-search design failure(s)</summary>
            <description>I developed cve-search some years ago, and I would like to share the challenges we faced, especially the design failures that ultimately led us to redevelop it as vulnerability-lookup.

I can certainly blame myself for some of these mistakes, but there are also others to blame along the way.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/KRNUBT/</url>
            <location>Europe</location>
            
            <attendee>Alexandre Dulaunoy</attendee>
            
            <attendee>Cédric Bonhomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7JJNDX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7JJNDX</pentabarf:event-slug>
            <pentabarf:title>BurningPanda</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T204000</dtstart>
            <dtend>20251022T205000</dtend>
            <duration>001000</duration>
            <summary>BurningPanda</summary>
            <description>What happens when a sophisticated threat actor makes a single, catastrophic, OPSEC failure? 

This session deep dives into the tradecraft of a threat group running an espionage campaign. We&#x27;ll deliver a technical deep-dive of the recovered infrastructure:

* Emulating C2 - Analysing leaked Cobalt Strike and VShell databases and logs
* Initial Access - Use of novel SQL injection and exploiting vulnerable web-apps
* Tooling Breakdown - Dissecting web-shells and niche tooling
* Timeline - Mapping adversary activity to the timeline and MITRE

Learn how you can recover raw intelligence from the failures of a persistent, non-financially motivated adversary.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7JJNDX/</url>
            <location>Europe</location>
            
            <attendee>Ben (@polygonben)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TEJRGD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TEJRGD</pentabarf:event-slug>
            <pentabarf:title>The Heavy Shadow of Imposter Syndrome</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T205000</dtstart>
            <dtend>20251022T210000</dtend>
            <duration>001000</duration>
            <summary>The Heavy Shadow of Imposter Syndrome</summary>
            <description>The industry loves to celebrate mastery of the perfect exploit, the great attribution, the confident expert who always knows the answer. But for many of us, that confidence is a mask. 

I came into this field late, sideways, and what I was missing in credentials I made up for with a burning desire to learn, a hunger, and a work ethic. I didn’t have a degree, or the typical origin story of someone who always “knew they’d end up in security.”

I arrived with a stubborn case of imposter syndrome. I tried to perform expertise to sound like I belonged among people who had already accomplished and knew so much.

The failure I want to share isn’t one specific catastrophic moment. It’s the slow erosion of your confidence that happens when you let the heavy shadow of imposter syndrome bear its weight on you.

Even the most fearsome gangs are performing too. They bluff, break things, and rebuild under new names just like most people in the industry.

In the end, this failure became the best teacher. Because the moment I stopped pretending to be the right kind of expert was the moment I started doing real work.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>CfF</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TEJRGD/</url>
            <location>Europe</location>
            
            <attendee>Tammy Harper</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DZHMRR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DZHMRR</pentabarf:event-slug>
            <pentabarf:title>Reverse Engineering Ransomware: Hands-On Malware Analysis &amp; IOCs Extraction</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T101500</dtstart>
            <dtend>20251022T114500</dtend>
            <duration>013000</duration>
            <summary>Reverse Engineering Ransomware: Hands-On Malware Analysis &amp; IOCs Extraction</summary>
            <description>In this practical, hands-on workshop, participants will learn how to reverse engineer a ransomware sample in a controlled, safe environment. By using tools like Ghidra, OllyDbg, and x64dbg, attendees will gain first-hand experience unpacking, analyzing, and understanding the inner workings of ransomware. This workshop will guide participants through static and dynamic analysis techniques, providing valuable insights into malware behavior, payload delivery, and persistence mechanisms.

Here is a detailed breakdown of the session:
- Introduction and Set Up (5 mins)
This will include a brief introduction to the topic: What is ransomware, why is it important to analyze, and how reverse engineering can help with understanding and mitigating threats, with an overview of the tools used (Ghidra, OllyDbg, x64dbg, Process Monitor, Wireshark, Virtual Machines).

- Securely setting up the VM (10 mins)
This will take about 15 mins, during which attendees can set up their VMs securely, along with basic guidelines on creating a safe environment in which to analyze malware (e.g., a sandboxed Windows VM).

- Introduction to the Ransomware Sample (5 mins)
This will involve a detailed overview of the simulated ransomware sample being used and we will also highlight the types of analysis methods the participants will perform (static vs. dynamic).

- Static Analysis (30 Minutes)
Here I will introduce Ghidra for static analysis and guide attendees through the process of importing and analyzing the ransomware binary in Ghidra. We will discuss some key features like identifying functions, finding encrypted data, and examining sections of the binary.
We will then perform basic static analysis on the ransomware sample which includes analysis of imports, functions, and strings, encryption routines, command-and-control communication indicators.
Participants are strongly encouraged to follow along and ask questions through the live static analysis process. 

- Dynamic Analysis (30 minutes)
Here, we will quickly introduce x64dbg and OllyDbg for dynamic analysis and explain how these tools can be used to observe malware behavior in a running environment.

Participants will then be guided through launching the malware in the virtual machine, running it, and monitoring its behavior.
This part will explain how to capture memory, file system, and registry modifications during execution as well as show participants how to use Process Monitor to track file system and registry changes.
We will also introduce Wireshark for monitoring network activity during the ransomware’s execution; C2 changes are common during execution, and identifying the specific packets sent and received is worth noting. Attendees will also be taught how to identify key behaviors (e.g., encryption of files, registry changes, persistence mechanisms).

- Analysis and IOCs Extraction (10 mins)
This part will show participants how to extract key IOCs (file names, file hashes, registry keys, network traffic) from the analysis and discuss how these IOCs can be used for detection and response.
Briefly, we will also walk through the process of documenting the analysis and IOCs.
Participants are encouraged to take notes on what they observed and what could be potential signs of compromise.

- Wrap Up and brief Q&amp;A with Attendees (5 mins)
Any remaining doubts will be clarified, and during the wrap-up attendees will be given a detailed white paper covering how reversing complex malware files like this ransomware works - from setting up a secure VM, to dissecting a malware sample using static and dynamic analysis, to extracting IOCs that can be used in detection and response.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/DZHMRR/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Ankshita Maunthrooa</attendee>
            
            <attendee>Ankshika Maunthrooa</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZJSGJC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZJSGJC</pentabarf:event-slug>
            <pentabarf:title>iOS analysis using the Sysdiagnose analysis framework workshop - beginners guide</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141500</dtstart>
            <dtend>20251022T161500</dtend>
            <duration>020000</duration>
            <summary>iOS analysis using the Sysdiagnose analysis framework workshop - beginners guide</summary>
            <description>This is an iteration of the workshop that was given at hack.lu 2024. This edition is now split in two sessions: one introductory session and one deep dive.

Are you, or your organisation, concerned about potential compromise on your iPhone, iPad, or Apple Watch? This workshop introduces you to some knowledge and tools to identify red flags on your iOS device. We delve into the world of sysdiagnose and explore methods to verify potential breaches.

During this workshop we will be:
- discussing some ways to know if an iOS device may be compromised
- exploring which open-source tools exist to perform analysis
- generating a sysdiagnose file on an iPhone, iPad, iWatch, ... (bring your own device)
- using multiple methods to collect the sysdiagnose (sharing, custom app, PyMobileDevice3, ...)
- using the open-source sysdiagnose parser to convert the diagnostics data to something usable
- exploring what data it contains
- generating a timeline and loading it into timesketch or splunk
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZJSGJC/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>David Durvaux</attendee>
            
            <attendee>Christophe Vandeplas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YKHLRJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YKHLRJ</pentabarf:event-slug>
            <pentabarf:title>Threat detection engineering with Suricata</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T101500</dtstart>
            <dtend>20251022T114500</dtend>
            <duration>013000</duration>
            <summary>Threat detection engineering with Suricata</summary>
            <description>This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context.
Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments. The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode. Finally, live measurement of signature performance will also be explored, showing how signatures that impact the overall performance of sensors can be detected.
This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. Attendees will leave equipped with actionable techniques and practical examples to improve their organization&#x27;s security posture through better description.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/YKHLRJ/</url>
            <location>Hollenfels</location>
            
            <attendee>Eric Leblond</attendee>
            
            <attendee>Peter Manev</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZJTDKJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZJTDKJ</pentabarf:event-slug>
            <pentabarf:title>When Netflow meets Pcap - A network forensic approach.</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141500</dtstart>
            <dtend>20251022T161500</dtend>
            <duration>020000</duration>
            <summary>When Netflow meets Pcap - A network forensic approach.</summary>
<description>This workshop explains the approach of merging netflow and pcap data and presents its advantages.
The student will have the option for a hands-on experience to work with real data.
It is expected that students have basic skills with Linux and the command line.

Topics:
- Theory and usage of netflow.
- A primer on working with nfdump.
- Using the nfdump toolset to prepare and process large pcaps.
- Enriching the netflow data with third-party information (geolocation, Tor).
- Searching for network artefacts.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZJTDKJ/</url>
            <location>Hollenfels</location>
            
            <attendee>Peter</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KDUDVC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KDUDVC</pentabarf:event-slug>
            <pentabarf:title>In bed with Qubes OS - tips &amp; tricks exchange party</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T163000</dtstart>
            <dtend>20251022T180000</dtend>
            <duration>013000</duration>
            <summary>In bed with Qubes OS - tips &amp; tricks exchange party</summary>
            <description>When presenting at conferences, there is always someone who notices that I&#x27;m running Qubes OS on the laptop I use for presentations.
From that point, the subject of my talk or workshop is set aside and the rest of the discussion shifts around my usage of Qubes OS.
Let&#x27;s use this workshop as an opportunity to talk about Qubes OS. You can bring your own Qubes OS setup, and we&#x27;ll share our respective tips &amp; tricks.

After a quick intro, I&#x27;ll share some tips &amp; tricks I use and I&#x27;ll talk about some issues I&#x27;m still facing.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/KDUDVC/</url>
            <location>Hollenfels</location>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GMJD3B@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GMJD3B</pentabarf:event-slug>
            <pentabarf:title>Back to basics - Exploring OpenSSH: hands-on workshop for beginners</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T101500</dtstart>
            <dtend>20251022T121500</dtend>
            <duration>020000</duration>
            <summary>Back to basics - Exploring OpenSSH: hands-on workshop for beginners</summary>
<description>During this workshop, you will learn how to use the various tools from the OpenSSH suite. We will start with a presentation of the problems that are solved by OpenSSH, then we will dive into the details of its most important and useful features. Among the topics covered, we will discuss remote host authentication, password and public key client authentication, key generation, local and remote port forwarding, forward and reverse SOCKS proxying, X11 forwarding, jumphosts, connection to legacy systems, and more.

Hands-on exercises will be proposed throughout the exploration of the tool suite using real-life scenarios. There will be space for questions and discussion.

Basic networking and Linux shell knowledge are required in order to follow this workshop. Each participant will need a Linux machine (on which they have root access) with Docker pre-installed and Internet access.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/GMJD3B/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WVSUHB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WVSUHB</pentabarf:event-slug>
            <pentabarf:title>New advanced network detection with Suricata 8</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141500</dtstart>
            <dtend>20251022T161500</dtend>
            <duration>020000</duration>
            <summary>New advanced network detection with Suricata 8</summary>
            <description>Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets. Suricata provides network protocol, flow, alert, anomaly logs, file extraction and PCAP capture at very high speeds.

This hands-on training will focus on a few new and groundbreaking detection additions of the new Suricata 8 release, like transactional rules, data/datajson sets, and new protocols and keywords such as entropy matching.

The training will also cover threat detection engineering by showing how the rules language can be used to add the maximum of useful context to the detection events.

The training will cover actual use cases and the detection benefits of the new features in Suricata 8, along with examples that trainees can take away and readily implement at home or work. The training will also showcase features that provide substantial detection and deployment improvements in terms of time and management when digesting shared threat intelligence. We will also review the new features and their benefits with actual malware pcap traces, providing a direct mapping of some of the new features and their usability to actual detection.

Attendees can expect to leave with new knowledge, actual use cases and detection deployment techniques that can be implemented right away to give an edge over the adversaries.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/WVSUHB/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Eric Leblond</attendee>
            
            <attendee>Peter Manev</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9D8WSE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9D8WSE</pentabarf:event-slug>
            <pentabarf:title>Collaborative Detection Engineering with Rulezet: Building a Trusted Community for Detection Rules</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T163000</dtstart>
            <dtend>20251022T180000</dtend>
            <duration>013000</duration>
            <summary>Collaborative Detection Engineering with Rulezet: Building a Trusted Community for Detection Rules</summary>
            <description>As threat landscapes evolve, managing and trusting detection rules has become as critical as creating them. Detection engineering teams struggle with rule duplication, inconsistent quality, false positives, and the lack of a trusted, community-driven repository to share validated rules.

Rulezet is an open-source framework and platform designed to address these challenges. It provides a unified way to normalize, validate, and manage detection rules across multiple formats while fostering a collaborative ecosystem where rule authors, analysts, and engineers can review, evaluate, and improve detection logic together.

In this 90-minute workshop, we’ll explore how Rulezet enables a community-based approach to rule management — from initial authoring to peer review, version control, and false-positive tracking. We’ll examine how the Rulezet core engine parses and validates rule formats, ensuring consistency and interoperability across detection tools. Participants will also learn how to extend Rulezet with new rule types, interact with its API, and contribute to the Rulezet.org community — a shared repository of trusted detection rules.

Through live demos and discussion, we’ll address practical aspects such as:

- How to reduce false positives through shared rule reviews and metadata enrichment.
- How to establish trust and transparency via verifiable rule origins and author reputation.
- How to evaluate parsing quality and conversion accuracy across formats (e.g., Sigma, YARA, Suricata).
- How to integrate community-reviewed rules into your SOC pipelines securely and efficiently.

Whether you are a detection engineer, SOC analyst, or open-source contributor, this workshop will show how Rulezet can help you build confidence in detection logic, enhance collaboration, and shape the future of trusted detection rule sharing.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/9D8WSE/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Cruciani David</attendee>
            
            <attendee>Théo Geffé</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T101500</dtstart>
            <dtend>20251022T114500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T141500</dtstart>
            <dtend>20251022T154500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T163000</dtstart>
            <dtend>20251022T180000</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LAM9EX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LAM9EX</pentabarf:event-slug>
            <pentabarf:title>yoga for geeks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251022T070000</dtstart>
            <dtend>20251022T083000</dtend>
            <duration>013000</duration>
            <summary>yoga for geeks</summary>
<description>Based on ashtanga yoga, this is a good physical exercise. Beginner friendly, no previous knowledge of yoga needed. Some yoga mats are provided, but if possible, bring your own. Don&#x27;t forget your towel! There will be no spiritual chanting, energy flows or chakra opening. Just well executed exercises aimed towards IT engineers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/LAM9EX/</url>
            <location>Fitness room</location>
            
            <attendee>Georges Kesseler</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7KCT7N@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7KCT7N</pentabarf:event-slug>
            <pentabarf:title>Nightmare on NTLM street: Legacy’s Revenge</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T080000</dtstart>
            <dtend>20251023T083000</dtend>
            <duration>003000</duration>
            <summary>Nightmare on NTLM street: Legacy’s Revenge</summary>
<description>Microsoft introduced NT LAN Manager in 1993 as a replacement for LANMAN, born in 1987. Just seven years later, they announced Kerberos as the default replacement for NTLM and instructed companies to stop using it. No one did. Now, in June 2024, Microsoft has announced the deprecation of the entire NTLM authentication protocol family, and even removed older versions from newer OS versions.

Why is this legacy protocol still so widely used, 24 years after it stopped being the default replacement? The answer is a combination of factors, some of which this talk will explore:
- corporate communication and decision-making
- application development lagging behind security standards
- flaws in the replacement protocol
- underfunded, understaffed, and overwhelmed IT teams

Having completed this project in the IT environment of a mid-sized enterprise, this presentation will also discuss resources and lessons learned that could help get the job done elsewhere. It will also illustrate to those outside the field why IT and security are critical business functions, not cost centers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7KCT7N/</url>
            <location>Europe</location>
            
            <attendee>Marina Bochenkova</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZXFEEV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZXFEEV</pentabarf:event-slug>
            <pentabarf:title>Compromising Threat Actor Communications</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T083000</dtstart>
            <dtend>20251023T090000</dtend>
            <duration>003000</duration>
            <summary>Compromising Threat Actor Communications</summary>
            <description>In this talk, I will dive deep into a case study where a threat actor&#x27;s critical OPSEC mistake—testing his own keylogging and infostealing malware on his production hacking machine—opened an unprecedented window into a live cybercrime operation. 

I will detail how intercepting Telegram-based C2 communications allowed me to obtain over 100 screenshots and logs that reveal not only the mechanics of the malware but also the underlying infrastructure and tactics of the threat actor. The presentation will cover the entire lifecycle of the malware’s communication strategy, from the initial setup using Telegram BotFather and the subsequent embedding of bot tokens in malware, to the automated analysis leveraging VirusTotal and custom YARA rules to hunt down samples communicating with Telegram’s API. 

I will explain how, through this process, I was able to extract and analyse bot tokens to forward stolen communications, map the associated backend infrastructure and link various elements of the operation to broader phishing and malware campaigns run by the actor. The session will highlight both the technical aspects of exploiting trusted communication platforms like Telegram and the implications for threat intelligence, offering insights into how such vulnerabilities can be turned against adversaries to disrupt their operations and enhance proactive defence measures.

This detailed exploration not only exposes the inner workings of a low-tier cybercriminal operation but also provides actionable lessons on the importance of robust operational security in defending against malware campaigns.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZXFEEV/</url>
            <location>Europe</location>
            
            <attendee>Ben (@polygonben)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UZ87X9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UZ87X9</pentabarf:event-slug>
            <pentabarf:title>Instrumenting software builds to detect stealth backdoors and other curiosities</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T090000</dtstart>
            <dtend>20251023T093000</dtend>
            <duration>003000</duration>
            <summary>Instrumenting software builds to detect stealth backdoors and other curiosities</summary>
            <description>.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/UZ87X9/</url>
            <location>Europe</location>
            
            <attendee>Hilko Bengen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>R8FMHK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-R8FMHK</pentabarf:event-slug>
            <pentabarf:title>Attacking The Developer Environment Through Drive-by Localhost Attacks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T093000</dtstart>
            <dtend>20251023T100000</dtend>
            <duration>003000</duration>
            <summary>Attacking The Developer Environment Through Drive-by Localhost Attacks</summary>
<description>The talk will go into detail about the underlying issues with this vulnerability type: how it is possible for JavaScript loaded from a website to access localhost, what limitations there are, and how this feature can be used to attack unsuspecting users, especially software developers. This includes a way to gain Remote Code Execution on the machines of Quarkus (a popular Java web framework) developers and of users of older versions of Spring, and a way to exfiltrate AI training models from users of the popular machine learning software MLFlow, all found by me, and there are likely many more similar issues out there.
The talk also covers what browser makers are doing about this class of vulnerability and how it will soon be no more, but for now it is still a major, but relatively unknown, attack vector.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/R8FMHK/</url>
            <location>Europe</location>
            
            <attendee>Joseph Beeton</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>C9ZDAR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-C9ZDAR</pentabarf:event-slug>
            <pentabarf:title>One day at the Internet Storm Center</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T101500</dtstart>
            <dtend>20251023T104500</dtend>
            <duration>003000</duration>
            <summary>One day at the Internet Storm Center</summary>
<description>The idea of this talk is to make people aware of the data we offer and how you can benefit from it in your day-to-day hunting tasks: how the ISC works and what tools we provide. And, if you&#x27;re interested, how you can apply to become a Handler! I&#x27;ll also demonstrate live (if the Demo God is with me) some cool honeypot features we have.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/C9ZDAR/</url>
            <location>Europe</location>
            
            <attendee>Xavier Mertens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>H8JV8A@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-H8JV8A</pentabarf:event-slug>
            <pentabarf:title>Field guide to physical attacks against full-disk encryption</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T104500</dtstart>
            <dtend>20251023T111500</dtend>
            <duration>003000</duration>
            <summary>Field guide to physical attacks against full-disk encryption</summary>
            <description>This talk is a 2025 field guide into practical techniques to bypass BitLocker, drawn from our own hands-on experience during real-world red team engagements, using publicly documented attack techniques.

We will focus on what actually works in the field, setting aside the techniques that are too hardware-specific, outdated and patched, or only achievable under lab conditions.

Along the way, we will break down how BitLocker works under the hood, covering key components like the TPM, boot process, and key management, and give context for the following attacks:

- TPM sniffing
- Direct Memory Access (DMA)
- Bitpixie

We will also take a reality check on more exotic vectors like cold boot attacks and Intel DCI. We will walk through where these techniques worked for us in practice, where they failed, and what challenges we encountered along the way.  

Red teamers will learn quick, effective methods for gaining initial access and privilege escalation on end-user devices. This will be supported by insights into tooling, setup requirements, reliability, ease of execution, and post-exploitation considerations.

Blue teamers will come away with a realistic view of the current risks and threat landscape, along with an overview of available mitigations, including those introduced by Microsoft and hardware vendors in recent years.

A live demo will illustrate the practical impact of one of the featured attacks and reinforce the importance of context-aware defenses.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/H8JV8A/</url>
            <location>Europe</location>
            
            <attendee>Edouard D&#x27;hoedt</attendee>
            
            <attendee>Hayk Gevorgyan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CHMH78@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CHMH78</pentabarf:event-slug>
            <pentabarf:title>My other ClassLoader is your ClassLoader: Creating evil twin instances of a class</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T111500</dtstart>
            <dtend>20251023T114500</dtend>
            <duration>003000</duration>
            <summary>My other ClassLoader is your ClassLoader: Creating evil twin instances of a class</summary>
            <description>Presentation Outline

- Java Class Loaders and their types: In this introductory part I am going to provide the audience with a clear, high-level understanding of Java class loaders, explaining their fundamental role in the context of a JVM. We will explore the diverse types of class loaders and touch on the parent-child relationship and delegation model that forms the basis of how they work. Additionally, given that Java reflection is an integral component of class loaders, I will conclude this section by providing an overview of this concept. This will include explaining its fundamental principles and demonstrating its basic applications in practical scenarios. 

- Android ClassLoader implementations: Here I am going to dive deeper into the specific implementations unique to the Android OS. The presentation will center on the most critical ClassLoaders in this context, including the PathClassLoader, DexClassLoader and InMemoryDexClassLoader, and touch on concepts like Android&#x27;s hidden API.

- Parcelables and Serializable objects, in the context of inter-process communication: In this segment, I will explore the concepts of Parcelable and Serializable objects in Java, focusing on their implementation methodologies and key distinctions. My discussion will extend to their applications in inter-process communication, with a particular focus on security considerations tied to their usage. To illustrate this, I will highlight the CVE-2020-8913 example, providing a real-world context to the concepts discussed. 

- &quot;Borrowing&quot; other applications&#x27; code: In this part, I plan to guide the audience through the methods available for importing code from other Android applications into an Android Studio project. We will look at how to effectively integrate external code, emphasizing the practical steps and considerations involved in this process. 

- Utilizing the /data/app Folder: While importing code from other apps at compilation time is feasible, this approach can often be complex and fraught with challenges, such as resolving package class conflicts. However, Android stores application resources and code in world-readable directories during the installation process, significantly simplifying the &quot;borrowing&quot; process, described above. One effective method involves using createPackageContext, which, when provided with a package name, returns a context identical to that of the named app at launch, including its resources and class loader. Based on this, I will demonstrate how to instantiate Java objects from another application&#x27;s private domain, showcasing a more streamlined approach to leveraging external code resources. 

- Creating parcelable evil twins: As previously mentioned, a common oversight among Android developers is the public readability of their application&#x27;s class loader, coupled with an implicit trust in parcelable or serializable objects from untrusted sources. In this segment, I will walk through real-world case studies where such blind trust has led to significant security vulnerabilities.  

- Closing remarks: As I conclude this briefing, I will highlight the need to avoid receiving and un-marshaling parcelable or serializable objects outside of an app&#x27;s private sphere. While sometimes this practice may be unavoidable, especially with system-related objects, I will leave the audience with essential insights on how to effectively safeguard Android apps against such types of attacks.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CHMH78/</url>
            <location>Europe</location>
            
            <attendee>Dimitrios Valsamaras</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CMHBFT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CMHBFT</pentabarf:event-slug>
            <pentabarf:title>Building a pipeline to analyse iOS devices at scale</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T114500</dtstart>
            <dtend>20251023T121500</dtend>
            <duration>003000</duration>
            <summary>Building a pipeline to analyse iOS devices at scale</summary>
            <description># Building a pipeline to analyse iOS devices at scale

## Overview and Abstract

This talk will show how the DG DIGIT is building a pipeline to analyse devices at scale relying on 2 key pieces:
1. The sysdiagnose analysis framework developed jointly with CERT-EU.
2. A toolset to collect artifacts over the air via a self-developed App (in collaboration with an independent security researcher) or a Computer app on a PC. The self-developed app is now available on all EC-owned devices.

Globally, this is part of a larger &quot;mobile cybersecurity programme&quot; which is a deliverable of the European Commission Cybersecurity Strategy.

The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.

Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.

A detailed explanation of what we will present is outlined below.


## Intended audience

Incident handlers and forensic investigators. 


## Introduction

For a long time, the incident response analysis of iOS devices has been... essentially challenging. 

While an analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools usually imply collecting users&#x27; data. Thus, they are very privacy invasive and, due to the amount of information, often do not provide what the incident responder was looking for. Furthermore, the common way to get access to the full device is by exploiting an Operating System (OS) vulnerability, either by manual jailbreaking techniques or by using specialised (expensive) tools reserved for law enforcement. Both have the downside of breaking the integrity of the device. This undermines trust in the final state of the device and may impact certain OS artefacts.

### Enter Sysdiagnose...

This talk will focus on repurposing an Apple feature (&quot;sysdiagnose&quot;) which was originally intended for diagnostic and debugging purposes for developers as well as for repair shops. The Sysdiagnose process on Apple devices collects data on how the system behaves and is typically what an analyst wants to look at.

This approach was validated in 2021 by Amnesty International as a way to discover Pegasus on Apple devices.

### Scaling up...

Being able to analyse the sysdiagnose files was a first step, but like for law enforcement acquisitions, it lacks the automation needed to handle more than a handful of devices. In this talk, we will also cover how we built our toolset to be able to cope with a significant number of devices. To us, large-scale analysis is key to identifying APT compromise of phones.


## Collecting Sysdiagnose artefacts

Sysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as:
* plist configuration files
* logs and output of commands
* sqlite databases with application histories
* etc.

The result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive.


### Collecting Sysdiagnose archives on iOS

While the process is well described on Apple&#x27;s website, we will quickly show how to start the acquisition process on an iPhone and how to copy over the dumps via a few different techniques ranging from AirDrop to typical forensic tools.


### Collecting Sysdiagnose archives on other Apple devices

While the research motivating this talk stems from the need to analyse iOS devices, in practice the features which we are looking at are available across all of Apple&#x27;s OSes:
 * Mac OS (MacBook Air, MacBook Pro, Mac Pro, iMac...)
 * Watch OS (Apple Watch)
 * iPad OS (for tablets)
 * TV OS (Apple TV)
 * ...


### Collecting at scale

We will demonstrate how we have reached the next level by freeing ourselves from the usual toolset to build an automated pipeline.

The very first topic we tackled was to provide all potential actors with the required tooling to collect artefacts. Starting by:

- Empowering end users whose mobile devices are registered in our Enterprise Mobility Management (EMM), no matter where they are located, by making available a mobile App in our EMM Application Store to guide them through generating the sysdiagnose file and sharing it with us for analysis;
- (work in progress) Empowering the IT Helpdesk with a computer application that will help them support end users in collecting extended diagnostic information (beyond Sysdiagnose) from their mobile devices and sharing it securely with us.


## Extracting information from Sysdiagnose archives and building a timeline

In this part we will present an Open Source analytical framework to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favorite timeline analysis tool. The framework was enriched over the last year with many new parsers and extended analysis modules.

Today we mostly rely on two ways to do a timeline analysis:
- via Splunk, which allows querying all timelines at once;
- via Timesketch, thanks to dedicated analysers.

We compensate for the absence of certain information in the timeline with dedicated analysers that focus on specific tasks.

The framework underwent a complete refactoring since January 2024 and now includes:
- 38 parsers (to parse specific logs contained in the sysdiagnose archive);
- 10 analysers (to conduct specific analysis).

We are also planning to offer a Jupyter Notebook to directly interact with the framework and equip the analyst with a place to quickly build and test queries.


## Future Work
 
We will talk about needed further research and launch a call for collaboration. All the tools demonstrated are or will be released under the European Public License (EUPL).


## Note

This work can be presented as a presentation or as a workshop empowering the audience to play with the tool directly.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CMHBFT/</url>
            <location>Europe</location>
            
            <attendee>David Durvaux</attendee>
            
            <attendee>Christophe Vandeplas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>K9YUQB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-K9YUQB</pentabarf:event-slug>
            <pentabarf:title>ICRC&#x27;s Trust and Safety: Armed Conflict</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T134500</dtstart>
            <dtend>20251023T135000</dtend>
            <duration>000500</duration>
            <summary>ICRC&#x27;s Trust and Safety: Armed Conflict</summary>
            <description>The International Committee of the Red Cross (ICRC) in collaboration with Leveraged Play and the Copia Institute present the &quot;Trust &amp; Safety: Armed Conflict&quot; interactive game, which immerses players in the role of a Conflict &amp; Crisis Team within a fictional social media company. It challenges users with complex, real-world-inspired scenarios that technology companies face when their platforms are used during armed conflicts. Players must make difficult decisions that impact local communities affected by the conflict, humanitarian actors that come to their aid, as well as the company’s public image and operational integrity.
 
The game ultimately aims to raise awareness of the various challenges that tech companies and the broader ecosystem can encounter in times of conflict. It highlights the need to protect vulnerable populations, and to safeguard a space for neutral and independent humanitarian action, while underscoring the role of responsible digital governance.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/K9YUQB/</url>
            <location>Europe</location>
            
            <attendee>Vitaly Savenkov</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NMTJJE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NMTJJE</pentabarf:event-slug>
            <pentabarf:title>OpenTIDE - When TI made actionable drives your Threat Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T135000</dtstart>
            <dtend>20251023T135500</dtend>
            <duration>000500</duration>
            <summary>OpenTIDE - When TI made actionable drives your Threat Detection</summary>
            <description>If
- you would like to manage your threat detection better than using a flat list of rules and some links to ATT&amp;CK techniques to be able to report using an ATT&amp;CK navigator layer.

- you would like to be sure that the top threat vectors relevant for your organisation are covered by detection and have the documentation maintained automatically.

- you would like to embrace Detection-as-Code and **from a single place of truth** automatically deploy on your different platforms (including multi-tenants)

have a look at [OpenTIDE](https://github.com/OpenTideHQ) and watch the lightning talks</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/NMTJJE/</url>
            <location>Europe</location>
            
            <attendee>Remi Seguy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XUTHTZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XUTHTZ</pentabarf:event-slug>
            <pentabarf:title>These Hackers Fucking Suck</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T135500</dtstart>
            <dtend>20251023T140000</dtend>
            <duration>000500</duration>
            <summary>These Hackers Fucking Suck</summary>
            <description>In our day job, we&#x27;re constantly responding to real-world attacks and observing the impact they have on businesses and individuals. But in our free time, we take the fight to the adversaries by hunting down their infrastructure, gathering intelligence, and alerting victims.

This talk will show how we turned the tables on a few online criminals and used their mistakes against them. We&#x27;ll share how we found these errors, the intelligence we gained, and how you can start hunting down sloppy cybercriminals yourself.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/XUTHTZ/</url>
            <location>Europe</location>
            
            <attendee>Ben (@polygonben)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7KJPK7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7KJPK7</pentabarf:event-slug>
            <pentabarf:title>Tools to streamline creation of technical presentations</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T140000</dtstart>
            <dtend>20251023T140500</dtend>
            <duration>000500</duration>
            <summary>Tools to streamline creation of technical presentations</summary>
            <description>In five minutes, I’ll show how these small utilities can automate the way we build and update technical slides.

I&#x27;ll start by sharing tips to get an effective presentation setup going.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7KJPK7/</url>
            <location>Europe</location>
            
            <attendee>Kirils Solovjovs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QHN7WB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QHN7WB</pentabarf:event-slug>
            <pentabarf:title>Decrypting IIS Backdoor Traffic</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T140500</dtstart>
            <dtend>20251023T141000</dtend>
            <duration>000500</duration>
            <summary>Decrypting IIS Backdoor Traffic</summary>
            <description>Encrypted C2 traffic can hide attacker activity in plain sight. This talk shows a practical method to decrypt the HTTPS communication of an IIS backdoor, revealing how the malware operates and how defenders can analyze it.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/QHN7WB/</url>
            <location>Europe</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PRUKPV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PRUKPV</pentabarf:event-slug>
            <pentabarf:title>5 years collecting CyberSecurity tools</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T141000</dtstart>
            <dtend>20251023T141500</dtend>
            <duration>000500</duration>
            <summary>5 years collecting CyberSecurity tools</summary>
            <description>Active cybersecurity communities face a common challenge: valuable tools shared during CTFs, conferences, conversations, and research get lost in endless chat logs. After five years of running a French-speaking cybersecurity community, our Discord held hundreds of tool recommendations that were nearly impossible to retrieve. I built tools.dysnome.eu to solve this. In this lightning talk, I&#x27;ll show how I transformed our chaotic chat history into a structured database of 730+ tools, enriched with GitHub API metadata, enabling quick discovery through categories and tags. Find the right tool for your investigation or threat hunting needs in seconds, not hours of scrolling.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/PRUKPV/</url>
            <location>Europe</location>
            
            <attendee>Jonathan Scoupreman</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CKHV3K@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CKHV3K</pentabarf:event-slug>
            <pentabarf:title>Revisiting Widevine L3: DRM as a playground for Hackers</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T141500</dtstart>
            <dtend>20251023T144500</dtend>
            <duration>003000</duration>
            <summary>Revisiting Widevine L3: DRM as a playground for Hackers</summary>
            <description>I always wondered how exactly pirates are able to get their hands on the latest shows from major streaming providers. This curiosity led me on a deep dive into the complex world of Digital Rights Management (DRM).

For this presentation, I will focus on Widevine, Google&#x27;s widely deployed DRM system, specifically its software-only version, Widevine Level 3 (L3), which is more accessible for analysis and has a history of public compromises. From a tweet by security researcher David Buchanan in 2019, I learned that Widevine L3&#x27;s white-box AES implementation was susceptible to Differential Fault Analysis (DFA). This presented a unique opportunity to not only explore a real-world DRM system but also to gain practical experience in applying this powerful cryptographic attack. And while we are at it, perhaps we can gain some insights by reversing their legacy version that remain applicable to current implementations.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CKHV3K/</url>
            <location>Europe</location>
            
            <attendee>Felipe Custodio Romero</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FYMBWY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FYMBWY</pentabarf:event-slug>
            <pentabarf:title>The Human Factor: Psychological Safety in Cybersecurity Frontlines</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T144500</dtstart>
            <dtend>20251023T151500</dtend>
            <duration>003000</duration>
            <summary>The Human Factor: Psychological Safety in Cybersecurity Frontlines</summary>
            <description>This presentation will emphasize that cybersecurity is not solely about technology, but fundamentally relies on people. It will highlight the critical importance of psychological safety within cybersecurity incident response teams, advocating for a culture that values risk-taking, idea sharing, and learning from failures. The presentation will also discuss the challenges of cultivating psychological safety in high-pressure cybersecurity environments and offer strategies for prioritizing people over technology, integrating psychological safety into onboarding processes, and fostering trust and transparency. By recognizing the human factor in cybersecurity, organizations can unlock the full potential of their teams and establish a robust defense against evolving cyber threats.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FYMBWY/</url>
            <location>Europe</location>
            
            <attendee>Cris Brafman Kittner</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DNNDLV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DNNDLV</pentabarf:event-slug>
            <pentabarf:title>Livewire : remote command execution through unmarshalling</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T151500</dtstart>
            <dtend>20251023T154500</dtend>
            <duration>003000</duration>
            <summary>Livewire : remote command execution through unmarshalling</summary>
            <description>## Brief outline

- Introduction to Livewire
    - Livewire unmarshalling process
    - Synthesizers
    - Checksum
- Building an unmarshalling chain from hydrators
    - PHP magic methods
    - First step : getting a phpinfo
    - Second step: getting remote command execution
    - Third step: make the server flow stop to stay sneaky
- Exploitation by using laravel-crypto-killer
    - Presentation of the freshly added exploit mode
    - Showing the exploitation process on an actual project : Invoice Ninja
- Conclusion and thoughts

## Detailed outline

### Introduction

Livewire has gained significant popularity among Laravel developers due to its 
simplicity and integration with Laravel&#x27;s ecosystem. Additionally, strong community 
support and compatibility with Laravel features make Livewire an attractive choice 
for developers seeking to build modern, responsive web applications efficiently.

The application BuiltWith lists **676K instances of Laravel** on currently live
websites ([BuiltWith-Laravel](https://trends.builtwith.com/framework/Laravel)), and among them **106K instances of Livewire** (15%)
([BuiltWith-Livewire](https://trends.builtwith.com/framework/Laravel-Livewire)). This makes Laravel one of the most used PHP frameworks 
in the world, and Livewire one of its most used plugins.

This presentation will show how to get a remote command execution by abusing
the unmarshalling process of any Livewire instance, as long as we are in
possession of the **APP_KEY** of the application.

#### Livewire unmarshalling process

In a Livewire-based environment, a component is a class managing both the data
and the rendering logic, enabling real-time updates through properties and
methods that interact with the view. In order to manage each component state,
Livewire uses an unmarshalling mechanism described as hydration and
dehydration.

The data structure follows a principle where the last child nodes are
instantiated first, enabling the instantiation of each parent node. This
approach allows for multiple objects to be instantiated and nested within one
another.

```
        +-- Grandchild 3
        |
        +-- Grandchild 2
        |
  +-- Child 2
  |
  |     +-- Grandchild 1
  |     |
  +-- Child 1
  |
 Parent
```

When a user interacts with a view, a POST request is sent to the server to update 
the component state. The request looks like this:

```
POST /livewire/update HTTP/1.1
Host: livewire.local
[...]

{
    &quot;_token&quot;:&quot;jMEN2kTQRrwSA5CgH5y8WWqbCpdb4Lx4iBznnlFD&quot;,
    &quot;components&quot;:[
        {
            &quot;snapshot&quot;:&quot;{\&quot;data\&quot;:{\&quot;count\&quot;:null},\&quot;memo\&quot;:{\&quot;id\&quot;:\&quot;Y6a883cdUFy82whZ10JW\&quot;,\&quot;name\&quot;:\&quot;counter\&quot;,\&quot;path\&quot;:\&quot;counter\&quot;,\&quot;method\&quot;:\&quot;GET\&quot;,\&quot;children\&quot;:[],\&quot;scripts\&quot;:[],\&quot;assets\&quot;:[],\&quot;errors\&quot;:[],\&quot;locale\&quot;:\&quot;en\&quot;},\&quot;checksum\&quot;:\&quot;f56c273c0e4a3eaa5d7fdea9e7142c42d0e1128a8aee35e9546baffaa41870ac\&quot;}&quot;,
            &quot;updates&quot;:{},
            &quot;calls&quot;:[
                {
                    &quot;path&quot;:&quot;&quot;,
                    &quot;method&quot;:&quot;increment&quot;,
                    &quot;params&quot;:[]
                }
            ]
        }
    ]
}
```

In this request, two fields are particularly important. First, the
`components-&gt;snapshot` field contains all the serialized information needed to
restore the component&#x27;s state on the server side, including the properties and
their values. Second, the `components-&gt;calls` field defines the list of methods
that need to be called on the component, along with any associated parameters.

Inside the `components-&gt;snapshot-&gt;data` field, properties are defined via
synthesizers. Synthesizers are identified through a special &quot;**s**&quot; field
inside the data structure. They are a powerful feature that extends Livewire’s
capability to handle more complex property types that cannot be serialized
natively, such as Eloquent models, Laravel collections, Carbon date instances,
or custom user-defined types. 

### Livewire synthesizers

Synthesizers provide a mechanism to define how these custom types should be
JSON-serialized (dehydrated) and JSON-deserialized (hydrated) when sent between
the client and server. This ensures that the state of these properties is
correctly maintained across requests. 

Here are some examples of default synthesizers:

* **str**: A Stringable object is hydrated and dehydrated as its string
  representation.
* **arr**: A simple PHP array is hydrated and dehydrated without transformation.
* **std**: A standard stdClass object is hydrated and dehydrated by treating its
  properties as an associative array.
* **clctn**: A Laravel collection is hydrated and dehydrated by converting it to
  and from arrays, **can be called on any object loaded in PHP**.
* Etc.

#### CollectionSynth

In the context of Livewire, many hydrators will allow a user to call constructors
on arbitrary objects.

For example, the `CollectionSynth` class is used to manage how collection-like
objects are handled during the component dehydration and hydration processes.
Its role is to ensure that PHP collections (such as Laravel’s `Collection` instances) 
are properly reconstructed.

```php
 1  &lt;?php
 2 
 3  namespace Livewire\Mechanisms\HandleComponents\Synthesizers;
 4
 5  class CollectionSynth extends ArraySynth {
 6     public static $key = &#x27;clctn&#x27;;
 7  [...]
 8     function hydrate($value, $meta, $hydrateChild) {
 9         foreach ($value as $key =&gt; $child) {
10              $value[$key] = $hydrateChild($key, $child);
11          }
12          return new $meta[&#x27;class&#x27;]($value);
13      }
14  }
```

The `$key` (line 6) is set to the &#x27;**clctn**&#x27; value described earlier as the
synthesizer identifier.

When the `hydrate` method is called (line 8), it receives a `$value`, which
represents the serialized collection data sent by the user, a `$meta` array
containing metadata also controlled by the user, and a `$hydrateChild` 
callback used to individually process each embedded element of the collection. 
Once all elements are processed, a new instance of the original collection 
class is created using the reconstructed array by using `new $meta[&#x27;class&#x27;]($value)` 
**which is controlled by the user**, allowing an arbitrary object instantiation.

#### Checksum

A protection has been put in place in order to make sure that users 
do not tamper with the synthesizers and managed objects. Before sending
`update` requests, Livewire generates a checksum (or hash) based on the data
sent to the frontend. This checksum is created using the secure hashing
algorithm SHA-256 and the Laravel `APP_KEY`. It covers the data used to
validate their integrity.

The checksum is verified on each request sent by the user, so if the
data is modified, the checksum won&#x27;t be correct.

But what if the `APP_KEY` was leaked? We already published research dedicated
to this subject: [Deep dive in Laravel
encryption](https://www.synacktiv.com/sites/default/files/2024-12/deep_dive_in_laravel_encryption.pdf),
and our conclusion was that many `APP_KEY`s are already leaked from GitHub, or
are default ones. Therefore, this chain of exploitation is in the continuity of
our previous work.

### Building an unmarshalling chain from hydrators

Thanks to hydration mechanisms, we identified an unmarshalling chain allowing
users to get remote command execution on any Livewire application, provided
the `APP_KEY` is in our possession. The three main steps leading to this RCE
will be detailed.

#### First step : getting a phpinfo

- Detailed chain
    - Analysis of the `GuzzleHttp\Psr7\FnStream` class sources
    - Analysis of the `League\Flysystem\UrlGeneration\ShardedPrefixPublicUrlGenerator` class sources
    - Payload building on Livewire

#### Second step: getting a remote command execution

- Detailed chain
    - Analysis of the `Laravel\SerializableClosure\Serializers\Serializable` class sources
    - Analysis of the `Illuminate\Bus\Queueable` Trait sources
    - Analysis of the `Illuminate\Broadcasting\BroadcastEvent` class sources
    - Payload building on Livewire leading to RCE
- Problem: the flow generates an error 500 even if the RCE is reached

#### Third step: make the server flow stop to stay sneaky

- Rebuilding the previously used gadget chain to continue the application flow
  after the `unserialize`
- Analysis of the `Laravel\Prompts\Terminal` class, which allows reaching an `exit`
  call

### Exploitation by using laravel-crypto-killer

A module was developed to automate the whole process inside
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer): a new `exploit` mode is available, fully 
automating the generation of the exploit payload detailed in this presentation.

Common Laravel-based projects using Livewire are affected, such as [invoiceninja](https://github.com/invoiceninja/invoiceninja), 
which has a **default `APP_KEY`**, making it vulnerable to this exploit by default.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/DNNDLV/</url>
            <location>Europe</location>
            
            <attendee>Rémi Matasse</attendee>
            
            <attendee>Pierre MARTIN</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TLVK3W@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TLVK3W</pentabarf:event-slug>
            <pentabarf:title>2038 is gonna be epoch!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T154500</dtstart>
            <dtend>20251023T161500</dtend>
            <duration>003000</duration>
            <summary>2038 is gonna be epoch!</summary>
            <description>In the early days of the computing age, RAM was expensive and programmers represented timestamps using a two-digit year.

As the year 2000 approached, retired developers were brought back into the workforce to fix legacy systems so that they would not crash on 01 January 2000. Remediation efforts were aided by a widespread fear of apocalyptic scenarios coinciding with the change of millennia. This cultural hype, combined with the novelty of dawning public awareness of the global internet (which we take for granted today), amplified public and governmental attention on the so-called Y2K bug as the trigger date approached.

As we all know, the world did not end on 01 January 2000. So hyped was the Y2K bug, and so high the expectation of disaster, that when “nothing” happened the entire thing came off as a dud in the public sphere.
Those of us working in IT know all too well how our work is invisible when things are working properly, and how it is usually only noticed when things go wrong. There were incidents related to the Y2K bug, and there is a body of academic literature on this topic; however, that is tertiary to this talk.

Consider at a high level the types of systems which would logically fail when confronted with an error of the calendar date in some calculation: shipment, hospitality, travel, billing, logistics, etc. Now consider the types of systems which would logically be impacted if they confronted an error with the system clock representation of ticks: basically this can screw with any naively implemented state machine.

On 19 January 2038 at 03:14:07 UTC, implementations relying on 32-bit signed integer representations of Unix epoch time will overflow, resulting in a system time of 20:45:52 UTC on 13 December 1901. (Unix epoch time is a concept more ubiquitous than Unix itself; this bug impacts a wide array of platforms.)

For most impacted systems, the result will be some chaotic breakdown of running state machine logic in which the flow of time logically reverses itself.

Y2K38, the Year 2038 Problem, or simply the Epochalypse, is approaching fast.

Recall the 2008 financial crisis? That was 16 years ago, and you can see how well we did at making our financial sector safe in the intervening years. Now consider that 2038 is only 13 years from now. We have been furiously digitizing our whole societies for the past 25 years.

There are today orders of magnitude more systems needing to be checked and fixed than there were in the years leading up to Y2K. In order to address the Y2K38 bug we are going to have to pull a lot of fielded equipment out of the ground, test it in a lab, and put remediations in place, all across the globe, and during the next 13 years. Let that sink in for a bit. 

The Y2K38 bug presents a real challenge for any system reliant on 32-bit timestamps. In this session we will move beyond conjecture and demonstrate some of the Y2K38 bug’s real-world consequences in real devices. Our research documents how various systems and devices react as they approach and cross the 2038 threshold. We are documenting classes of failure modes triggered by these programming flaws, with the security researcher mindset.

Using controlled experiments across multiple environments (including IoT devices, ICS/OT, and embedded systems) we document unexpected vulnerabilities and behaviors.

These findings reveal some critical risks that our society cannot afford to ignore, especially given that for a resourceful attacker, 2038 can be any old day they like.

This presentation is intended for developers, security professionals, and incident responders seeking to understand more about this issue. We will present the technical realities in plain terms, hopefully so that any high school kid could understand them; policymakers are therefore encouraged to join, because this issue will impact us all soon!

# Outline
* Introduction (5 minutes)
    * How it began for both of us.
    * Overview of Y2K38 and its relevance.
* Context and Methodology (5 minutes)
    * The technical basis of Y2K38 (epoch time and 32-bit limitation).
    * How this session addresses the gap between speculation and evidence.
    * The idea of exhaustive search and classification.
* Case Studies: Real-World Findings (15 minutes)
    * Case studies 1..N: failure modes observed and mitigation experiments.
    * Unexpected software behaviors.
    * Challenges for critical infrastructure.
* Mitigation Strategies (5 minutes)
    * Steps to identify and address Y2K38 risks.
    * Long-term approaches for future-proofing systems.
* Implications &amp; Q&amp;A (remaining time if any)
    * Interactive discussion on challenges and solutions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TLVK3W/</url>
            <location>Europe</location>
            
            <attendee>Pedro Umbelino</attendee>
            
            <attendee>Trey Darley</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EB7SPU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EB7SPU</pentabarf:event-slug>
            <pentabarf:title>Wyse Management Subversion: Taking over Dell&#x27;s Wyse Management Suite</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T163000</dtstart>
            <dtend>20251023T170000</dtend>
            <duration>003000</duration>
            <summary>Wyse Management Subversion: Taking over Dell&#x27;s Wyse Management Suite</summary>
            <description>This talk will walk through our process of examining Dell&#x27;s Wyse Management Suite in search of weaknesses or vulnerabilities that would initially allow us to decrypt secrets found in policies pushed out to thin clients.

WMS can be seen as a sort of Configuration Manager or even Device Management solution, where thin clients can register and retrieve configuration files and applications to be deployed. This makes it an ideal target for an attacker, as compromising the server would allow them to take control of any client in the fleet.

During this research, multiple vulnerabilities were discovered. The first ones allow an attacker to impersonate legitimate devices within the system in order to recover policies and decrypt secrets found within. Additional efforts uncovered vulnerabilities that can be exploited to fully compromise the WMS server or any remote repository configured by the system. This can in turn lead to the compromise of any of the devices in the fleet.

The device impersonation issues can also be exploited within Dell&#x27;s own cloud environment, where it is possible to leak information across tenants to access and compromise sensitive data and assets.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/EB7SPU/</url>
            <location>Europe</location>
            
            <attendee>Alain Mowat</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7NJXCF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7NJXCF</pentabarf:event-slug>
            <pentabarf:title>What&#x27;s New in Suricata 8: Enhanced Detection and Performance</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T170000</dtstart>
            <dtend>20251023T173000</dtend>
            <duration>003000</duration>
            <summary>What&#x27;s New in Suricata 8: Enhanced Detection and Performance</summary>
            <description>The presentation will highlight some of the more than 100 new keywords available, such as those for entropy matching, domain transform, dataset with JSON context, ENIP matching, full DNS field matching, and enhanced support for SMTP, EMAIL, and FTP. Finally, we will touch on the improvements to performance and security, including the default availability of vendoring and sandboxing Lua, and the implementation of HTTP parsing in Rust.

This talk will be relevant for security analysts and network administrators seeking to leverage the latest advances in Suricata for advanced threat detection and network security monitoring.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7NJXCF/</url>
            <location>Europe</location>
            
            <attendee>Eric Leblond</attendee>
            
            <attendee>Peter Manev</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UAJRA9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UAJRA9</pentabarf:event-slug>
            <pentabarf:title>How to better identify (weaponized) file formats with ftguess</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T173000</dtstart>
            <dtend>20251023T180000</dtend>
            <duration>003000</duration>
            <summary>How to better identify (weaponized) file formats with ftguess</summary>
            <description>Most of the malware analysis and detection platforms like VirusTotal, MalwareBazaar or AssemblyLine rely on tools such as file/libmagic, TrID and Magika to identify the format of a file, in order to decide which tools and algorithms should be used to process the file. This approach works great in most cases, but once in a while we can observe wrong results.

When a file format is wrongly identified, automated analysis tools may not see the true nature of the file and fail to extract relevant information. In the worst case, a malicious file might bypass detection and reach its target without being blocked.

This happens mostly in two situations:
- When the file is a polyglot, which means it combines the structures of two or more different file formats in one;
- or when the file is malformed in a way to fool file/libmagic/TrID, while still being acceptable for its target application.

Several real-life cases will be demonstrated during the presentation.

In fact, the main issue with file format identification tools such as file/libmagic, TrID and Magika is that they rely solely on the content of the file being analysed, whereas current operating systems such as Windows and GNU/Linux check the file extension to decide which application should open a file. Unlike other tools, ftguess takes into account both the file content and its extension to better identify the intended file format.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/UAJRA9/</url>
            <location>Europe</location>
            
            <attendee>Philippe Lagadec</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BWBCZV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BWBCZV</pentabarf:event-slug>
            <pentabarf:title>Hacking for hoodies: MISP edition</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T180000</dtstart>
            <dtend>20251023T183000</dtend>
            <duration>003000</duration>
            <summary>Hacking for hoodies: MISP edition</summary>
            <description>In this talk, I go over my approach to code review, and some of the security findings in MISP and associated tools.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/BWBCZV/</url>
            <location>Europe</location>
            
            <attendee>Jeroen Pinoy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CTVFW8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CTVFW8</pentabarf:event-slug>
            <pentabarf:title>So you&#x27;re interested in social engineering? The very first steps</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T101500</dtstart>
            <dtend>20251023T121500</dtend>
            <duration>020000</duration>
            <summary>So you&#x27;re interested in social engineering? The very first steps</summary>
            <description>We will provide a general introduction to social engineering and guide the audience in the very first steps to actually start training this skill in a safe and responsible manner that will allow you to get a taste of social engineering by slightly altering your behaviour and still staying legal.

We will cover the following topics:
- Introduction to social engineering
- Using OSINT to collect initial information
- Creating pretext
- Fundamental principles of human behavior and decision-making
- Leveraging social normativity in persuasive interactions
- Building rapport and trust
- Exploiting trust
- Practical exercises in everyday life</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CTVFW8/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Kirils Solovjovs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RHLSNB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RHLSNB</pentabarf:event-slug>
            <pentabarf:title>iOS analysis using the Sysdiagnose analysis framework workshop - advanced session</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T141500</dtstart>
            <dtend>20251023T161500</dtend>
            <duration>020000</duration>
            <summary>iOS analysis using the Sysdiagnose analysis framework workshop - advanced session</summary>
            <description>We will get our hands dirty and dive deeper into advanced Splunk queries digging into data and better understanding what is in the Sysdiagnose archive.

We will also develop a parser and/or analyser for the sysdiagnose analysis framework.

Prerequisites for attending the workshop are: 
- Having downloaded the [workshop material]() beforehand, prepared the Splunk Docker setup, and set up a Python development environment.
- Solid experience with Splunk Query Language
- Solid experience with `grep`, `sed`, `awk` and `jq` (or their alternatives)
- Experience with development in Python
- Familiarity with the [sysdiagnose analysis framework](https://github.com/EC-DIGIT-CSIRC/sysdiagnose)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/RHLSNB/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>David Durvaux</attendee>
            
            <attendee>Christophe Vandeplas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>N3XMWE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-N3XMWE</pentabarf:event-slug>
            <pentabarf:title>Lockpicking Workshop</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T163000</dtstart>
            <dtend>20251023T180000</dtend>
            <duration>013000</duration>
            <summary>Lockpicking Workshop</summary>
            <description>Former world lockpicking champion, multiple times winner of Dutch lockpicking championships and author of a lockpicking book, Walter Belgers, gives a hands-on workshop about lockpicking.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/N3XMWE/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Walter Belgers</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BMLVNX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BMLVNX</pentabarf:event-slug>
            <pentabarf:title>Digital Forensics 1.0.1 - From Zero to Hero</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T101500</dtstart>
            <dtend>20251023T114500</dtend>
            <duration>013000</duration>
            <summary>Digital Forensics 1.0.1 - From Zero to Hero</summary>
            <description>This training will start with a little demo. Different tools produce different output. Then we will:
1. Read a stream of bits
2. Apply addressing to it
3. Learn to interpret values like integer, signed integer or ASCII
4. Be able to convert a little-endian value into a big-endian one
5. Apply a data structure on the data
6. Recover data manually

At the end of the training the attendee will be able to read an MBR/boot sector and read the partition table manually.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/BMLVNX/</url>
            <location>Hollenfels</location>
            
            <attendee>Michael Hamm</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AMCS8W@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AMCS8W</pentabarf:event-slug>
            <pentabarf:title>Payload Obfuscation for Red Teams</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T163000</dtstart>
            <dtend>20251023T183000</dtend>
            <duration>020000</duration>
            <summary>Payload Obfuscation for Red Teams</summary>
            <description>In this workshop we will leverage the RISC-V architecture and the LLVM ecosystem to build a simple obfuscation pipeline. The VM interpreter code is small and once it is loaded, you do not need to allocate additional executable pages to execute arbitrary payloads.

Covered topics:
- Introduction to VM-based obfuscation
- Basics of the RISC-V architecture
- Compiling payloads for the RISC-V architecture
- Obfuscating the VM interpreter for evasion
- VM Hardening to complicate reversing the payloads (as time allows)
- Building a basic C2 framework (as time allows)

The bulk of the work will be done in a GitHub Codespace (Linux), which makes it easy for participants to get started. However, the final payloads need to be executed in a Windows VM (which you have to prepare beforehand).

**Note**: Participants need C programming and Linux command line experience to follow along with the workshop. Reverse engineering experience is highly recommended. The concepts covered in the second half of the workshop are quite advanced.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training (long)</category>
            <url>https://pretalx.com/hack-lu-2025/talk/AMCS8W/</url>
            <location>Hollenfels</location>
            
            <attendee>Duncan Ogilvie</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QS8PZK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QS8PZK</pentabarf:event-slug>
            <pentabarf:title>Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T101500</dtstart>
            <dtend>20251023T121500</dtend>
            <duration>020000</duration>
            <summary>Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management</summary>
            <description>This hands-on workshop introduces the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.

Participants will discover how Vulnerability Lookup acts as a collaborative platform for collecting, enriching, and analyzing vulnerability data, supporting every stage of the vulnerability management lifecycle, from discovery and prioritization to tracking remediation and assessing exposure. The session will also introduce GCVE, a next-generation, decentralized framework for vulnerability identification that empowers organizations to act as GCVE Numbering Authorities (GNAs) with greater autonomy and flexibility.

- How to publish and synchronize vulnerabilities using the GCVE and vulnerability-lookup ReST API.
- How decentralized allocation empowers vendors, researchers, and CSIRTs to disclose vulnerabilities more efficiently.
- How to leverage Vulnerability Lookup to support vulnerability triage, enrichment (EPSS, CVSS, Multi KEV), and exposure tracking.
- How Vulnerability Lookup integrates with GCVE to provide real-time insights, cross-references, and analytics.
- Best practices for integrating GCVE and Vulnerability Lookup into your existing vulnerability management workflows.

By the end of the workshop, attendees will understand how these open-source initiatives can strengthen their own vulnerability management processes and contribute to a more resilient, transparent, and collaborative security community.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/QS8PZK/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Alexandre Dulaunoy</attendee>
            
            <attendee>Cédric Bonhomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DE9ZSA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DE9ZSA</pentabarf:event-slug>
            <pentabarf:title>Hands-On Hardware Hacking: Extracting Keys and Owning Encrypted Laptops</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T141500</dtstart>
            <dtend>20251023T161500</dtend>
            <duration>020000</duration>
            <summary>Hands-On Hardware Hacking: Extracting Keys and Owning Encrypted Laptops</summary>
            <description>Ever wonder what happens when someone steals a laptop that’s “secure because it’s encrypted”? In this workshop, you’ll find out...by doing it yourself!

You will be handed a powered-off, BitLocker-encrypted laptop and guided through the full attack chain. First, you will capture TPM traffic using provided hardware. Then, you will extract the encryption key, decrypt the drive, and finally gain full system access, without ever knowing the user&#x27;s password!

No theory. No staged environments. You will work directly with real hardware and proven red team tooling. We will walk you through every step: hardware reconnaissance, signal capture, key recovery, drive decryption, and post-exploitation. You’ll even finish with a local admin shell.

Everything you need is provided: gear, guides, tools, and targets. Just bring a laptop and a healthy dose of curiosity.

You’ll walk away having broken into a locked encrypted laptop without a password... and knowing exactly how and why that’s possible.

**Heads-up:** *To make the most of our limited number of hardware kits, attendance will be limited, and participants will collaborate in small groups (4–5 people) during the hands-on portion. This ensures everyone gets time on the tools without sacrificing depth.*</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/DE9ZSA/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Edouard D&#x27;hoedt</attendee>
            
            <attendee>Hayk Gevorgyan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SHRCZE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SHRCZE</pentabarf:event-slug>
            <pentabarf:title>Practical intro to deeplearning: chihuahuas vs muffins</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T163000</dtstart>
            <dtend>20251023T180000</dtend>
            <duration>013000</duration>
            <summary>Practical intro to deeplearning: chihuahuas vs muffins</summary>
            <description>Agenda:

• Short introduction to deep learning

• Setting up the environment

• Hands-on session: we’ll experiment with image classification

• Hands-on session: we build a web app with Gradio

We’ll also discuss cybersecurity applications you can prototype, deep learning and training methods, and realistic LLM capabilities, to cool the hype.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/SHRCZE/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T101500</dtstart>
            <dtend>20251023T114500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T141500</dtstart>
            <dtend>20251023T154500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T163000</dtstart>
            <dtend>20251023T180000</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LAM9EX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LAM9EX</pentabarf:event-slug>
            <pentabarf:title>yoga for geeks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251023T070000</dtstart>
            <dtend>20251023T083000</dtend>
            <duration>013000</duration>
            <summary>yoga for geeks</summary>
            <description>Based on ashtanga yoga, this is a good physical exercise. Beginner friendly, no previous knowledge of yoga needed. Some yoga mats are provided; if possible, bring your own. Don&#x27;t forget your towel! There will be no spiritual chanting, energy flows or chakra opening. Just well executed exercises aimed towards IT engineers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/LAM9EX/</url>
            <location>Fitness room</location>
            
            <attendee>Georges Kesseler</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KL8AF8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KL8AF8</pentabarf:event-slug>
            <pentabarf:title>Breaking Android IPC: A Deep Dive into AIDL Fuzzing</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T080000</dtstart>
            <dtend>20251024T083000</dtend>
            <duration>003000</duration>
            <summary>Breaking Android IPC: A Deep Dive into AIDL Fuzzing</summary>
            <description>In this talk, we’ll dive deep into Android’s Inter-Process Communication (IPC) mechanisms, focusing on the security challenges and vulnerabilities that come with them. We’ll start by exploring how IPC functions within the Android architecture, emphasizing its vital role in enabling communication between various components, such as services and activities. We’ll take a closer look at the Android Interface Definition Language (AIDL), which is frequently used to manage more complex IPC scenarios in Android apps. We’ll examine the security model that supports Android’s IPC mechanism and analyze common attack surfaces. By doing so, we’ll highlight the various risks associated with poorly secured IPC channels and the potential consequences of exploitation.

The highlight of our talk will focus on AIDL fuzzing, a powerful and surprisingly simple technique for discovering vulnerabilities in Android’s IPC systems. We’ll introduce the fundamentals of fuzzing and walk you through fuzzing AIDL interfaces to uncover hidden vulnerabilities. Along the way, we’ll cover the tools and scripts built for AIDL fuzzing. For a more hands-on experience, we’ll present our setup and execute an AIDL fuzzing session on a sample vulnerability we identified on an Android interface live.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/KL8AF8/</url>
            <location>Europe</location>
            
            <attendee>Rajanish Pathak</attendee>
            
            <attendee>Hardik Kamlesh Mehta</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XDHVWE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XDHVWE</pentabarf:event-slug>
            <pentabarf:title>Palo Alto GlobalProtect : Remote Full Compromise Exploit Chain</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T083000</dtstart>
            <dtend>20251024T090000</dtend>
            <duration>003000</duration>
            <summary>Palo Alto GlobalProtect : Remote Full Compromise Exploit Chain</summary>
            <description>Elements highlighted during the session:
1. Certificate Verification Bypass: The VPN client can be tricked into bypassing certificate verification, allowing attackers to impersonate the VPN portal and deliver malicious payloads.

2. Arbitrary Root CA Insertion: Attackers can insert a malicious root CA into the system, enabling them to issue fraudulent certificates and potentially install malware.

3. Embedded Browser Exploits: The use of an embedded browser for authentication can be exploited to deliver malicious content, such as [HTA](https://en.wikipedia.org/wiki/HTML_Application) files, leading to remote code execution.

4. Privilege Escalation: Abusing the Impersonation Mechanism or the Weak System Update to get system privileges.

We will go through all the steps, try to understand GlobalProtect thoroughly, and pave the way towards a full chain exploit.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/XDHVWE/</url>
            <location>Europe</location>
            
            <attendee>Maxime Escourbiac</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LPVDSH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LPVDSH</pentabarf:event-slug>
            <pentabarf:title>Audit and retrospective of an automotive application: Carplay</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T090000</dtstart>
            <dtend>20251024T093000</dtend>
            <duration>003000</duration>
            <summary>Audit and retrospective of an automotive application: Carplay</summary>
            <description>Vehicle security is essential due to vehicles&#x27; longevity and the potential impacts on the physical integrity of their users.

The In-Vehicle Infotainment (IVI) System is an interesting target for an attacker looking for initial access through remote interfaces such as Bluetooth or Wi-Fi. The Carplay application uses Wi-Fi to allow a user to access iPhone’s services from the IVI (navigation, phone calls, third-party applications such as Spotify...).

Developed by Apple, the application’s source code is not publicly available, and few security analyses have been conducted on it.

In this presentation, we share the methodology used during a security audit of the Carplay application. Our work focused on identifying vulnerabilities that could lead to the compromise of the multimedia equipment by an attacker already connected to the car&#x27;s Wi-Fi hotspot.

During this analysis, we present how we identified the function responsible for parsing external data sent to the car, how we fuzzed it and discovered a bug already known by Apple (CVE-2023-23494).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/LPVDSH/</url>
            <location>Europe</location>
            
            <attendee>Etienne CHARRON</attendee>
            
            <attendee>Khadim</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CGRNFY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CGRNFY</pentabarf:event-slug>
            <pentabarf:title>From YAML to Root: CI/CD Pipeline Attacks and Countermeasures</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T093000</dtstart>
            <dtend>20251024T100000</dtend>
            <duration>003000</duration>
            <summary>From YAML to Root: CI/CD Pipeline Attacks and Countermeasures</summary>
            <description>&lt;h2&gt;Talk Description and Structure&lt;/h2&gt;
  &lt;p&gt;The talk is divided into two main parts: an offensive demonstration and a defensive strategy session.&lt;/p&gt;

  &lt;h3&gt;Part 1 – Offensive: From Contributor to Full Compromise&lt;/h3&gt;
  &lt;p&gt;We will begin with a realistic demonstration of attack scenarios showing how a basic contributor-level account can be used to hijack a CI/CD pipeline, escape the provided use cases and fully compromise the infrastructure through Terraform integration. To reflect real-world conditions, common pipeline protections will be enabled—and bypassed. Key topics include:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;
      &lt;strong&gt;Remote Code Execution via pipeline files:&lt;/strong&gt;
      &lt;p&gt;We’ll explore how attackers can achieve RCE through configuration file manipulation or config file poisoning, Terraform constructs (e.g., &lt;code&gt;external&lt;/code&gt; data sources, malicious custom providers or modules, abuse of provisioners), and other legitimate pipeline features.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
      &lt;strong&gt;Bypassing restrictions:&lt;/strong&gt;
      &lt;p&gt;Techniques to bypass provider restrictions, function or module blacklists, and CI/CD step filters will be demonstrated, showing how misconfigurations or insufficient validation open the door to exploitation.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
      &lt;strong&gt;Post-exploitation steps:&lt;/strong&gt;
      &lt;p&gt;Once initial execution is achieved, we’ll show how attackers can perform lateral movement in the underlying infrastructure, such as:&lt;/p&gt;
      &lt;ul&gt;
        &lt;li&gt;Extracting sensitive secrets (cloud credentials, environment variables, connection strings).&lt;/li&gt;
        &lt;li&gt;Establishing persistence within the CI/CD pipeline (e.g., malicious jobs, trigger abuse, backdoor artifacts).&lt;/li&gt;
      &lt;/ul&gt;
    &lt;/li&gt;
  &lt;/ul&gt;

  &lt;h3&gt;Part 2 – Defensive: How to Secure Your Pipelines in This New Model&lt;/h3&gt;
  &lt;p&gt;With the offensive risks clearly laid out, we’ll move on to the defensive strategies. This section is divided into two phases:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;
      &lt;strong&gt;Reinforcement and Protection:&lt;/strong&gt;
      &lt;p&gt;This proactive phase aims to secure the pipeline by design. We’ll cover:&lt;/p&gt;
      &lt;ul&gt;
        &lt;li&gt;Secure handling of secrets and credentials.&lt;/li&gt;
        &lt;li&gt;Hardening of CI/CD agents and build runners.&lt;/li&gt;
        &lt;li&gt;Implementation of integrity checks (e.g., checksum validation, signed commits, restricted runners).&lt;/li&gt;
        &lt;li&gt;Tightening access control and repository hygiene.&lt;/li&gt;
      &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;
      &lt;strong&gt;Detection and Monitoring:&lt;/strong&gt;
      &lt;p&gt;Even well-protected pipelines require active monitoring to catch suspicious activity. We’ll discuss:&lt;/p&gt;
      &lt;ul&gt;
        &lt;li&gt;CI/CD log analysis techniques.&lt;/li&gt;
        &lt;li&gt;Indicators of compromise in pipeline behavior.&lt;/li&gt;
        &lt;li&gt;Anomaly detection approaches tailored to build systems.&lt;/li&gt;
      &lt;/ul&gt;
    &lt;/li&gt;
  &lt;/ul&gt;</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/CGRNFY/</url>
            <location>Europe</location>
            
            <attendee>Hugo</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SGWZ8Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SGWZ8Y</pentabarf:event-slug>
            <pentabarf:title>Persōna Theory: Infiltration &amp; Deception of Emerging Threat Groups</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T101500</dtstart>
            <dtend>20251024T104500</dtend>
            <duration>003000</duration>
            <summary>Persōna Theory: Infiltration &amp; Deception of Emerging Threat Groups</summary>
            <description>Persona Theory goes beyond the sock puppet and examines the essence, the persona, and what it takes to make a believable persona and how to build relationships online where no one trusts each other by design.

We begin by examining the philosophical foundation of Persona Theory, the idea that everyone wears masks, especially online, and connecting it to the fundamentals of threat intelligence gathering.

Persona Theory outlines the stages of infiltration: identifying targets, probing their weaknesses, gathering intelligence, verifying authenticity, and conducting deep analysis. These stages are demonstrated through practical examples, particularly focused on illicit forums like RAMP, Telegram and other private channels, where recruitment and initial contact occur.

Next, we explore persona sculpting, from stylometry (writing style and language usage) to time zone alignment and geopolitical masking. Techniques include leveraging adjacent Slavic and regional languages, transliteration, and carefully crafted writing habits to convincingly inhabit an identity.

Then we look at case studies that bring the theory to life, walking the audience through actual infiltration scenarios.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/SGWZ8Y/</url>
            <location>Europe</location>
            
            <attendee>Tammy Harper</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EXYE9H@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EXYE9H</pentabarf:event-slug>
            <pentabarf:title>Russian-speaking underground - changes in the risks, attack surface and modus operandi</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T104500</dtstart>
            <dtend>20251024T111500</dtend>
            <duration>003000</duration>
            <summary>Russian-speaking underground - changes in the risks, attack surface and modus operandi</summary>
            <description>We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/EXYE9H/</url>
            <location>Europe</location>
            
            <attendee>Vladimir Kropotov</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7MHDPF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7MHDPF</pentabarf:event-slug>
            <pentabarf:title>Lethal Language Models: From Bit Flip to RCE in Ollama</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T111500</dtstart>
            <dtend>20251024T114500</dtend>
            <duration>003000</duration>
            <summary>Lethal Language Models: From Bit Flip to RCE in Ollama</summary>
            <description>With the rise of AI, a new target category was introduced at Pwn2Own Berlin 2025 covering software that powers AI and machine learning applications. One of the targets was Ollama, a widely used tool for running LLMs like Llama and DeepSeek-R1 on your local machine.

This talk tells the story of my attempt to exploit Ollama for Pwn2Own, how I failed, and how I still eventually succeeded. If you ever wondered about LLM implementations and their attack surface, this talk is for you! We will discover how models are serialized to files and how the handling of the GGUF file format can lead to several types of vulnerabilities. We will then turn one of these bugs with an interesting bit-flipping primitive into a full exploit that executes arbitrary code on a vulnerable Ollama instance.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/7MHDPF/</url>
            <location>Europe</location>
            
            <attendee>Paul Gerste</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XDPLNP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XDPLNP</pentabarf:event-slug>
            <pentabarf:title>Exploiting Legit APIs for Covert C2: A New Perspective on Cloud-based Malware Operations</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T114500</dtstart>
            <dtend>20251024T121500</dtend>
            <duration>003000</duration>
            <summary>Exploiting Legit APIs for Covert C2: A New Perspective on Cloud-based Malware Operations</summary>
            <description>As defenders improve security mechanisms, adversaries are increasingly turning to overlooked cloud APIs to maintain covert command-and-control (C2) channels. This talk introduces original research into the misuse of lesser-monitored services like GitHub Gists, Telegram Bot API, Discord Webhooks, and Google Apps Script—highlighting how these platforms can be repurposed for stealthy malware communications. In contrast to widely studied vectors like Google Drive or Dropbox, our work focuses on emerging, underexplored APIs that evade most enterprise detection strategies.

This talk will cover:

    Techniques to establish resilient C2 channels using free cloud APIs.

    Methods of encryption and obfuscation to bypass EDR and ML-based detection.

    Real-world PoCs showcasing API misuse for malware communications.

    Defensive recommendations for detecting and disrupting API-based C2 activity.

Conventional C2 detection relies on pattern matching or anomaly spotting in network traffic. However, API-driven communications often blend with legitimate usage patterns, allowing attackers to remain undetected. This presentation aims to equip defenders with the knowledge and tools to recognize and respond to this evolving threat landscape.

Intended audience:
    Red Teamers, Penetration Testers, and Malware Researchers
    Threat Hunters and SOC Analysts
    Security Engineers and Incident Responders</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/XDPLNP/</url>
            <location>Europe</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TZKXVG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TZKXVG</pentabarf:event-slug>
            <pentabarf:title>Fake Likes, Real Risks: Mapping Fake Social Activity Shops in Europe</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T134000</dtstart>
            <dtend>20251024T134500</dtend>
            <duration>000500</duration>
            <summary>Fake Likes, Real Risks: Mapping Fake Social Activity Shops in Europe</summary>
            <description>We explore the hidden world of fake social activity shops - the websites that sell likes, followers, and other engagement metrics. These services are widely available online and often operate in legal grey zones, despite efforts by social media platforms to curb inauthentic engagement. We analyzed 881 such webshops targeting the EU market and conducted interviews with 15 social media marketing experts. Our findings reveal major gaps between what these shops promise and what they deliver, along with recurring business patterns. We also highlight how these services can be exploited for disinformation, cyberfraud, and financial crime.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TZKXVG/</url>
            <location>Europe</location>
            
            <attendee>Sviatlana Höhn</attendee>
            
            <attendee>Anastasia “Asya” Sergeeva</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EE3B3L@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EE3B3L</pentabarf:event-slug>
            <pentabarf:title>Bugs in the Human Code - Help Timo</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T134500</dtstart>
            <dtend>20251024T135000</dtend>
            <duration>000500</duration>
            <summary>Bugs in the Human Code - Help Timo</summary>
            <description>When DNA breaks, the consequences can be life-altering. This hacker friendly talk explores how genetic mutations act like bugs in the human code and how rare diseases are like critical vulnerabilities. 

Through my son Timo’s story, we explore what happens when the body’s code breaks, and why we’ve had to become builders ourselves, racing to create a gene therapy that doesn’t yet exist.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/EE3B3L/</url>
            <location>Europe</location>
            
            <attendee>Paul Hirtz</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SXNG9K@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SXNG9K</pentabarf:event-slug>
            <pentabarf:title>Reverse Engineering, for real</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T135000</dtstart>
            <dtend>20251024T135500</dtend>
            <duration>000500</duration>
            <summary>Reverse Engineering, for real</summary>
            <description>Presented is a silly code obfuscation technique that demonstrates how expectations can be broken with x64 debug register abuse and a bit of magic. We also get (partial) anti-debugging and (partial) anti-VM measures as a bonus on top.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/SXNG9K/</url>
            <location>Europe</location>
            
            <attendee>Henri Ahola</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>K3JGNF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-K3JGNF</pentabarf:event-slug>
            <pentabarf:title>4-Byte Hell: When Unicode Enters the Stage</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T135500</dtstart>
            <dtend>20251024T140000</dtend>
            <duration>000500</duration>
            <summary>4-Byte Hell: When Unicode Enters the Stage</summary>
            <description>I&#x27;ll briefly talk about how passwords get encoded and how to perform byte-wise password cracking with Hashcat. From there, we&#x27;ll explore characters beyond ASCII and how they increase password complexity at the byte level.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/K3JGNF/</url>
            <location>Europe</location>
            
            <attendee>Jonas Hess</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PWGECR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PWGECR</pentabarf:event-slug>
            <pentabarf:title>Pwn2Own: Hacking IoT devices</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T140000</dtstart>
            <dtend>20251024T140500</dtend>
            <duration>000500</duration>
            <summary>Pwn2Own: Hacking IoT devices</summary>
            <description>Includes specialised precise soldering equipment to extract data from bga153 format chips, U-boot hacking, format strings, etc.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/PWGECR/</url>
            <location>Europe</location>
            
            <attendee>Adam Hustava</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KAPH77@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KAPH77</pentabarf:event-slug>
            <pentabarf:title>Threat Actor Tripping on the Finish Line</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T140500</dtstart>
            <dtend>20251024T141000</dtend>
            <duration>000500</duration>
            <summary>Threat Actor Tripping on the Finish Line</summary>
            <description>Highly effective and stealthy persistence technique with an unfortunate/fortunate twist.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/KAPH77/</url>
            <location>Europe</location>
            
            <attendee>Rasmus</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8NMQUJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8NMQUJ</pentabarf:event-slug>
            <pentabarf:title>Revisiting RAND’s Lost Monte Carlo Simulations: Sharla Perrine, Paul Baran, and the True Business Case for the Internet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T141000</dtstart>
            <dtend>20251024T141500</dtend>
            <duration>000500</duration>
            <summary>Revisiting RAND’s Lost Monte Carlo Simulations: Sharla Perrine, Paul Baran, and the True Business Case for the Internet</summary>
            <description>In the early 1960s, RAND researchers Paul Baran and Sharla Perrine (later Boehm) quietly ran a set of Monte Carlo experiments that changed history. Using punched cards and octal assembly, Sharla’s simulations proved that a distributed packet-switched network could survive attack or failure—work that Vint Cerf later used to persuade DARPA to fund what became the ARPANET.

Yet her name faded into the footnotes. After her death in 2023, she was described as the “grandmother of the Internet” only in the fine print of a real-estate listing—not yet on her Wikipedia page.

This lightning talk reintroduces Sharla Perrine and Paul Baran not just as pioneers, but as data-driven systems thinkers. It also proposes a new research effort: re-running their Monte Carlo simulations under modern assumptions and using contemporary toolchains—to revisit network survivability, traffic models, and failure modes, including time-synchronization shear effects in packet-switched networks.

By comparing 1960s-era modeling assumptions with the centralized “cloud” architectures of today, we may uncover how far the Internet has drifted from its resilient origins—and perhaps even find bugs in the original Monte Carlo code.

Audience Takeaway: The Internet’s founding math was sound, but our faith in its resilience may rest on outmoded—or even false—assumptions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/8NMQUJ/</url>
            <location>Europe</location>
            
            <attendee>Trey Darley</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QV9GZF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QV9GZF</pentabarf:event-slug>
            <pentabarf:title>Automotive Security Analyzer for Exploitability Risks: An Automated and Attack Graph-Based Evaluation of On-Board Networks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T141500</dtstart>
            <dtend>20251024T144500</dtend>
            <duration>003000</duration>
            <summary>Automotive Security Analyzer for Exploitability Risks: An Automated and Attack Graph-Based Evaluation of On-Board Networks</summary>
            <description>### The Problem

Nowadays, computers usually control steering and brakes, and &quot;smart&quot; features increase a vehicle&#x27;s attack surface and occasionally introduce vulnerabilities.
Even a combination of seemingly minor vulnerabilities can undermine a vehicle&#x27;s cybersecurity.
Securing automotive Information Technology (IT) is expensive and challenging, even for leading tech companies.
Compared to corporate IT, this challenge arises from a) the safety-criticality, b) homologation obligations, and c) the IT diversity within each vehicle.
- a) Safety criticality: ECUs (Electronic Control Units) cannot stay indoors with air-conditioning but must work safely and reliably outdoors in the scorching sun and on freezing winter nights, from deserts to the Arctic.
	Such extreme conditions demand special software requirements, which can interfere with security patching.
- b) Homologation obligations: Securing ECUs with swift patches can be hindered by governmental homologation obligations, as patches must not interfere with certifications, e.g., for exhaust purification or crash safety.
- c) IT diversity: ECUs are challenging to secure due to their diversity, as they usually do not communicate homogeneously via TCP/IP (Transmission Control Protocol / Internet Protocol) but rather via a combination of CAN (Controller Area Network), MOST (Media Oriented Systems Transport), LIN (Local Interconnect Network), BroadR-Reach, and FlexRay. ECUs usually do not incorporate x86 CPUs but rather a combination of TriCore, Super-H, PowerPC, ARM, V850, and even less-widely known chips, as this obtains maximum dependability, energy efficiency, and sustainability.


### How does this help? Who will benefit?

AutoSAlfER&#x27;s automatic evaluation boosts people&#x27;s productivity for a more sustainable automotive cyber security:
- Architects can automatically evaluate their designs, recheck changes for surprising attack combinations, and shape network topologies toward more security.
- Penetration testers (&quot;red teams&quot;) get a head-start on the riskiest and most significant targets and network connections.
- Risk managers can extend their calculations onto a sound model for more precisely and reliably calculated risk reserves.
- Incident handlers (&quot;blue teams&quot;) can enrich their situation report regarding what targets and assets could be compromised next and how acutely they are at stake.
- All stakeholders get orientation on anticipated neuralgic points and their impact on adequately prioritizing cybersecurity investments.
- Ultimately, we all gain more security and, thus, safety in and around autonomous, connected, electrified, and shared vehicles.
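
Added example, not AutoSAlfER's code or its PI/PII/P3 algorithms: a single-path attack graph over a constructed on-board network. Each exploit step carries a success probability for one attacker profile, and the most probable path from an entry point to every ECU is found with Dijkstra on -log(p), which turns the product of step probabilities into a sum. The ECUs, buses and probabilities are invented for illustration.

```python
import heapq
import math

# Added example, not AutoSAlfER. System model, attacker profile and
# probabilities below are constructed for illustration.

# (source, target, success probability of that exploit step for the assumed attacker)
EXPLOITS = [
    ("Internet", "TCU", 0.30),            # remote exploit of the telematics unit
    ("TCU", "Gateway", 0.20),             # pivot over in-vehicle Ethernet
    ("TCU", "Infotainment", 0.60),        # shared backbone, weak isolation
    ("Infotainment", "Gateway", 0.25),
    ("OBD", "Gateway", 0.70),             # physical access via the diagnostic port
    ("Gateway", "Powertrain CAN", 0.50),  # message filtering bypass
    ("Gateway", "Chassis CAN", 0.40),
    ("Powertrain CAN", "Engine ECU", 0.80),
    ("Chassis CAN", "Brake ECU", 0.60),
    ("Chassis CAN", "Steering ECU", 0.60),
]

def build_graph(exploits):
    graph = {}
    for src, dst, p in exploits:
        graph.setdefault(src, []).append((dst, p))
        graph.setdefault(dst, [])
    return graph

def most_probable_paths(graph, entry):
    """Dijkstra with edge cost -log(p): the cheapest path is the most probable one.
    Returns {node: (probability, path)} for every node reachable from entry."""
    cost = {entry: 0.0}
    parent = {entry: None}
    heap = [(0.0, entry)]
    done = set()
    while heap:
        c, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nxt, p in graph.get(node, []):
            nc = c - math.log(p)
            if cost.get(nxt, math.inf) > nc:
                cost[nxt] = nc
                parent[nxt] = node
                heapq.heappush(heap, (nc, nxt))
    result = {}
    for node, c in cost.items():
        path, cur = [], node
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        result[node] = (math.exp(-c), path[::-1])
    return result

def riskiest_targets(graph, entry, targets):
    """Rank assets by the probability of their best single attack path."""
    paths = most_probable_paths(graph, entry)
    ranked = [(paths[t][0], t, paths[t][1]) for t in targets if t in paths]
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    targets = ["Brake ECU", "Engine ECU", "Steering ECU"]
    for p, t, path in riskiest_targets(build_graph(EXPLOITS), "Internet", targets):
        print(f"{p:.4f}  {t:13s}  {' -> '.join(path)}")
    # What-if: an architect removes the Gateway to Chassis CAN step and re-checks.
    hardened = [e for e in EXPLOITS if (e[0], e[1]) != ("Gateway", "Chassis CAN")]
    print(riskiest_targets(build_graph(hardened), "Internet", targets))
```

The single-path figure is a lower bound on the total risk of an asset, since several independent paths add up; that is the gap the multi-path algorithms in the agenda close.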


### Why are you a good person to tell us this?

I initiated, planned, designed, implemented, documented, tested, and evaluated the Automotive Security Analyzer for Exploitability Risks (AutoSAlfER).


#### Agenda
1)	Motivation and Survey
2)	Data and Models
	a.	System Model, Attacker Profile, and Exploit Model
	b.	Attack Surface Exploitability Quantification
	c.	Implementation / Tech Stack
3)	Practical Demo
4)	Algorithms for Attack Graphs
	a.	Single-Path Attack Graph Algorithm (PI + PII)
	b.	Implementation and Evaluation of PI + PII
5)	Algorithms for Total Risk
	a.	Probabilistic Model
	b.	Multi-Path Attack Graph Algorithm (P3Salfer)
	c.	Bayes Network Unsuitability Finding
	d.	Design and Implementation of an Alternative Algorithm with Bayesian Networks (P3Bayes)
	e.	Implementation and Evaluation of the Multi-Path Attack Graph Algorithm (P3Salfer)
6)	Future Work
7)	Further Material
	a)	Patents, Papers, and Posters
	b)	Open-Source Software
	c)	Book</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/QV9GZF/</url>
            <location>Europe</location>
            
            <attendee>Martin Salfer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AEHE9V@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AEHE9V</pentabarf:event-slug>
            <pentabarf:title>DCOM Turns 30: Revisiting a Legacy Interface in the Modern Threatscape</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T144500</dtstart>
            <dtend>20251024T151500</dtend>
            <duration>003000</duration>
            <summary>DCOM Turns 30: Revisiting a Legacy Interface in the Modern Threatscape</summary>
            <description>After introducing the Windows Component Object Model, we will see how it fits into almost every step of the cyber kill chain. Security professionals from any background (academic, offensive and defensive security experts, network administrators...) should find practical use cases and tooling, as well as a deep understanding of how these various attacks work under the hood.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/AEHE9V/</url>
            <location>Europe</location>
            
            <attendee>Julien Bedel</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TP8Y9Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TP8Y9Y</pentabarf:event-slug>
            <pentabarf:title>Beyond post-quantum stereotypes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T151500</dtstart>
            <dtend>20251024T154500</dtend>
            <duration>003000</duration>
            <summary>Beyond post-quantum stereotypes</summary>
            <description>As an offensive security company, Synacktiv needs to constantly follow the evolutions in security to stay on top of the game and perform high quality audits. Recently, we got interested in post-quantum cryptography, bound to become the next standard in data protection. While we were familiar with &quot;traditional&quot; cryptography, we had never studied the &quot;post-quantum&quot; side of the field, and were a bit intimidated at first. Through our learning, we realized two things: first, it is not as inaccessible as it seems and second, although there have been many advances in the academic field, the industry is far behind in this area as quantum computers are already threatening information security.

We will cover basic security principles in cryptography, why they are threatened by quantum computing, how post-quantum cryptography tackles these threats, and how to incorporate post-quantum security into your products.
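
Added example, not Synacktiv's code: a hybrid key combiner of the kind used when migrating a key exchange. The session key is derived from both a classical shared secret and a post-quantum one, together with the transcript of the exchange, so that breaking only the classical half (what a large quantum computer would do) does not reveal the key. The KEM operations themselves are out of scope: the shared secrets below are constructed, and the HKDF-based concatenation combiner is a generic construction, not a specific standard.

```python
import hashlib
import hmac

# Added example, not Synacktiv's code. Secrets are constructed; the combiner is a
# generic HKDF concatenation, named and built here as an assumption.

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while length > len(okm):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lv(field):
    """Length-prefix a field so the concatenated input cannot be re-split ambiguously."""
    return len(field).to_bytes(2, "big") + field

def hybrid_key(ss_classical, ss_pq, transcript, label=b"hybrid-kem-v1"):
    """K = HKDF(ikm = lv(ss_classical) || lv(ss_pq), salt = H(transcript), info = label).
    Hashing the transcript (both public keys and both ciphertexts) into the salt ties the
    key to this particular exchange; both secrets are mandatory, so dropping either half
    cannot be negotiated away silently."""
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets are required")
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(_lv(ss_classical) + _lv(ss_pq), salt, label)

if __name__ == "__main__":
    # Constructed stand-ins for what ECDH and a lattice KEM would output.
    ss_ecdh = hashlib.sha256(b"demo ecdh shared secret").digest()
    ss_kem = hashlib.sha256(b"demo kem shared secret").digest()
    transcript = b"pk_ecdh|pk_kem|ct_ecdh|ct_kem"
    alice = hybrid_key(ss_ecdh, ss_kem, transcript)
    bob = hybrid_key(ss_ecdh, ss_kem, transcript)
    # An attacker who recovered only the classical secret still lacks the PQ half.
    attacker = hybrid_key(ss_ecdh, b"\x00" * 32, transcript)
    print(alice == bob, alice != attacker, alice.hex())
```

The usual trust concern with a new algorithm runs the other way too: if the post-quantum scheme turns out to be weak, the classical half still has to be broken, which is the argument for keeping hybrids during the transition.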

The talk will unfold in five parts:
- What does &quot;being secure&quot; mean in the context of cryptography? A quick refresher on the basic principles and definitions.
- How do quantum computers affect the security of current cryptographic algorithms? An overview of how quantum computing undermines classical cryptography.
- What are these &quot;post-quantum&quot; cryptographic algorithms? Key features that make these algorithms resistant to quantum attacks.
- How to migrate to post-quantum algorithms? A look at the challenges of transitioning to post-quantum cryptography, including hybridization and trust concerns with new algorithms.
- What are the associated challenges with transitioning? A case study of TLS at Cloudflare.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TP8Y9Y/</url>
            <location>Europe</location>
            
            <attendee>Antoine Gicquel</attendee>
            
            <attendee>Benjamin SEPE</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>73RXZR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-73RXZR</pentabarf:event-slug>
            <pentabarf:title>CLI ambush</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T154500</dtstart>
            <dtend>20251024T161500</dtend>
            <duration>003000</duration>
            <summary>CLI ambush</summary>
            <description>We&#x27;ll see how to craft ASN.1 messages and how it helps highlight issues in some CLI apps (OpenSSL as an example).
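
Added example, not the speaker's tooling: a minimal DER encoder for crafting ASN.1 messages by hand, a strict decoder that rejects the length encodings DER forbids (indefinite and non-minimal lengths, which lenient parsers often accept), and a helper that escapes control bytes before a string field is printed to a terminal. The tag numbers are the standard universal ones; the crafted message, the escape-sequence string and the hardening helper are assumptions for illustration, not the talk's findings.

```python
# Added example, not the speaker's code. Crafted values and the display helper
# are assumptions for illustration.

def der_length(n):
    """Short form below 128, otherwise 0x80 + number of length octets, then the length."""
    if n > 127:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 + len(body)]) + body
    return bytes([n])

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_utf8(s):
    return der_tlv(0x0C, s.encode())

def der_integer(n):
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if the top bit is set)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return der_tlv(0x02, body)

def der_parse(data, pos=0):
    """Parse one TLV at pos; return (tag, content, next_pos). Single-byte tags only."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag = data[pos]
    if tag % 32 == 31:
        raise ValueError("multi-byte tags not supported here")
    first = data[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first > 0x80:
        nbytes = first - 0x80
        if pos + nbytes > len(data):
            raise ValueError("truncated length")
        raw = data[pos:pos + nbytes]
        if raw[0] == 0:
            raise ValueError("non-minimal length (leading zero octet)")
        length = int.from_bytes(raw, "big")
        if 128 > length:
            raise ValueError("non-minimal length (long form for a short value)")
        pos += nbytes
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("content overruns buffer")
    return tag, data[pos:pos + length], pos + length

def display_safe(content):
    """Assumed hardening for CLI output: keep printable ASCII, escape everything else."""
    out = []
    for b in content:
        if 32 > b or b > 126:
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

if __name__ == "__main__":
    # Constructed message: a string field that would recolour a naive terminal dump.
    msg = der_sequence(der_integer(1), der_utf8("\x1b[31mADMIN\x1b[0m"))
    tag, body, _ = der_parse(msg)
    pos = 0
    while len(body) > pos:
        t, c, pos = der_parse(body, pos)
        print(hex(t), display_safe(c))
    try:
        der_parse(b"\x0c\x81\x05hello")   # long-form length for a 5-byte value: not DER
    except ValueError as e:
        print("rejected:", e)
```

The encoder deliberately lets you build what the decoder rejects (replace `der_length` with a hand-written one), which is exactly how you test whether a target tool is a DER parser or a lenient BER one.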

I&#x27;ll then show how this problem extends to other cryptographic toolkits and how one can exploit such issues in order to trap unsuspecting administrators.
We&#x27;ll walk through the different attack vectors I found.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/73RXZR/</url>
            <location>Europe</location>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WJDWMF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WJDWMF</pentabarf:event-slug>
            <pentabarf:title>THAT PICTURE IS A LIE: SMUGGLING BINARIES WITH STYLE</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T163000</dtstart>
            <dtend>20251024T170000</dtend>
            <duration>003000</duration>
            <summary>THAT PICTURE IS A LIE: SMUGGLING BINARIES WITH STYLE</summary>
            <description>&quot;THAT PICTURE IS A LIE: SMUGGLING BINARIES WITH STYLE&quot; provides a comprehensive overview of a sophisticated payload delivery process that repurposes everyday image files into covert carriers of executable binaries. Attendees will be guided through the multi-stage transformation process—starting with the compression of binaries into 7z/zip archives, followed by XOR encryption, and culminating in the embedding within PNG and GIF files using HTML smuggling techniques. This session is crafted for experienced cybersecurity professionals, particularly those involved in red team operations and offensive security. Through live demonstrations and real-world case studies, I will illustrate how these methods can be deployed to evade detection, offering insights into both the offensive potential and the defensive challenges posed by such innovative tactics.</description>
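Added example, not the speaker's tooling: the carrier half of the pipeline described above (zip the binary, XOR-mask the archive, embed it in a PNG) as a valid 1x1 image whose payload sits in a private ancillary chunk that image decoders ignore, plus the scanner a defender would run over the same file. The chunk name stEg, the XOR key and the embedded "binary" are constructed for illustration; the HTML smuggling stage is not reproduced.

```python
import io
import struct
import zipfile
import zlib

# Added example, not the talk's tooling. Chunk name "stEg", key and payload are
# constructed for illustration.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
                   b"pHYs", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT", b"hIST"}

def chunk(kind, data):
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def xor_mask(data, key):
    """Repeating-key XOR: obfuscation, not encryption, but enough to break static signatures."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pack_payload(name, binary, key):
    """Stages 1 and 2: zip the binary, then XOR the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, binary)
    return xor_mask(buf.getvalue(), key)

def build_png(extra_chunks=()):
    """A minimal valid 1x1 RGB PNG; extra chunks are inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte 0 + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + b"".join(extra_chunks) + chunk(b"IEND", b"")

def build_carrier_png(payload):
    """Stage 3: a lower-case first letter marks the chunk ancillary, so decoders skip it."""
    return build_png([chunk(b"stEg", payload)])

def chunks(png):
    """Yield (type, data, crc_ok); report truncation and any bytes after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while len(png) >= pos + 12:
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        if pos + 12 + length > len(png):
            yield b"TRUNC", png[pos:], False
            return
        kind = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        yield kind, data, crc == zlib.crc32(kind + data)
        pos += 12 + length
        if kind == b"IEND":
            break
    if len(png) > pos:
        yield b"TRAIL", png[pos:], False

def scan_png(png, max_ancillary=1024):
    """Detection side: unknown chunk types, oversized ancillary chunks, bad CRCs, trailers."""
    findings = []
    for kind, data, ok in chunks(png):
        if kind == b"TRAIL":
            findings.append(f"{len(data)} bytes after IEND")
            continue
        if kind == b"TRUNC":
            findings.append("truncated chunk")
            continue
        if not ok:
            findings.append(f"bad CRC in {kind!r}")
        if kind not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {kind!r} ({len(data)} bytes)")
        elif kind != b"IDAT" and len(data) > max_ancillary:
            findings.append(f"oversized {kind!r} ({len(data)} bytes)")
    return findings

def extract_payload(png, key):
    """Receiver side: unmask the stEg chunk and unzip it; None if there is no carrier chunk."""
    for kind, data, ok in chunks(png):
        if kind == b"stEg" and ok:
            with zipfile.ZipFile(io.BytesIO(xor_mask(data, key))) as zf:
                return {n: zf.read(n) for n in zf.namelist()}
    return None

if __name__ == "__main__":
    key = b"\x5a\xa5\x13"
    binary = b"MZ" + bytes(range(256)) * 8          # constructed stand-in for a PE file
    png = build_carrier_png(pack_payload("tool.exe", binary, key))
    print(len(png), "bytes;", scan_png(png))
    print(extract_payload(png, key)["tool.exe"] == binary)
```

The same scan logic is what a proxy or mail gateway should apply to inbound images: a chunk type outside the registered set, a text chunk far larger than any caption, or data after IEND are each cheap to check and hard for the smuggler to avoid.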
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/WJDWMF/</url>
            <location>Europe</location>
            
            <attendee>Harpreet Singh</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PZVPLU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PZVPLU</pentabarf:event-slug>
            <pentabarf:title>Breaking the Signal: Red Teaming Mobile Networks in 2025</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T170000</dtstart>
            <dtend>20251024T173000</dtend>
            <duration>003000</duration>
            <summary>Breaking the Signal: Red Teaming Mobile Networks in 2025</summary>
            <description>We begin with a review of the current state of mobile network security. Radio interfaces remain vulnerable to interception and manipulation, with techniques like rogue base stations exploiting weaknesses in protocols such as the Radio Resource Control (RRC). Signaling protocols, including SS7 and Diameter, harbor long-standing flaws that allow attackers to intercept calls, track locations, or disrupt services. Meanwhile, the packet core is increasingly IP-based and faces threats from misconfigurations, GTP protocol exploitation, and IP spoofing. While security measures like encryption, mutual authentication, and integrity protection have improved, the integration of legacy systems and the complexity of modern architectures continue to expose exploitable gaps.
Mobile networks advance towards 6G and beyond with complex integrated technologies bringing new security challenges. Red teamers aiming to assess and fortify these networks must understand the difficulties of potential attack vectors. In this session I will try to cover the necessary vectors and case studies (practically), such as:
Vulnerability Review and Security Posture
 - 5G/LTE protocol weaknesses, from misconfigurations to design flaws
 - Emerging threat vectors in signaling systems such as SS7, Diameter, and GTP
 - Common pitfalls in carrier packet networks leading to data exposure or service disruption

Attack Vectors for Red Teamers
 - Techniques for intercepting and manipulating radio signals (deploying rogue base stations to perform man-in-the-middle (MitM) attacks or jamming signals to disrupt connectivity)
 - Advanced enumeration tactics on signaling interconnects
 - Signaling attacks: exploiting SS7, Diameter, or GTP vulnerabilities to intercept communications, impersonate network elements, or launch denial-of-service (DoS) attacks
 - Lateral movement and persistence strategies in multi-layered carrier networks (targeting the IP infrastructure with techniques like routing manipulation, exploiting virtualized network functions, or breaching public-facing interfaces)

MITRE FiGHT Framework
 - Key attacker TTPs identified in MITRE FiGHT that map to mobile threat landscapes
 - Aligning red team exercises with these TTPs for better operational realism
 - Recommended detection and mitigation strategies to bolster blue team defenses</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/PZVPLU/</url>
            <location>Europe</location>
            
            <attendee>Ali Abdollahi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AKYVKP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AKYVKP</pentabarf:event-slug>
            <pentabarf:title>French stealer ecosystem: the resurgence of skid gangs in the cybercrime space</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T173000</dtstart>
            <dtend>20251024T180000</dtend>
            <duration>003000</duration>
            <summary>French stealer ecosystem: the resurgence of skid gangs in the cybercrime space</summary>
            <description>This presentation will explore the ecosystem of French-speaking infostealers, focusing on the groups that sell and distribute them and the connections between key actors. We’ll start with an overview of recent developments, identifying recurring pseudonyms and linking various groups.

Next, we&#x27;ll dive into the technical side, analyzing how stealers operate, examining their code, and exploring how open-source tools like Bytestealer seem to be customized by threat actors to create advanced malware.

We’ll then profile the administrators behind theses campaigns, analyzing their interactions and operational security (OpSec) missteps that expose them to identification. We will wrap up with a case study on the Epsilon group, revealing the connection between one of its administrators and a possible drug trafficking network, showing how these cybercriminals often diversify into other illegal activities.

Key Takeaways:

- French Stealer Ecosystem Overview: Understand the structure and connections of various French-speaking stealer groups.

- Technical Insights on Stealers: Learn how these stealers operate and how open-source tools are used to enhance their capabilities.

- Profiling Threat Actors: Discover how analyzing cybercriminal interactions and OpSec errors can lead to identification and disruption.

- Epsilon Group Case Study: See how one group’s activities extend into illicit fields like drug trafficking, underscoring the broader impact of these operations.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/hack-lu-2025/talk/AKYVKP/</url>
            <location>Europe</location>
            
            <attendee>0xSeeker</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>X83SQU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-X83SQU</pentabarf:event-slug>
            <pentabarf:title>Practical Maldoc Analysis Workshop</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T101500</dtstart>
            <dtend>20251024T114500</dtend>
            <duration>013000</duration>
            <summary>Practical Maldoc Analysis Workshop</summary>
            <description>Attendees will have to bring a laptop with Python.
They must be prepared to handle real malware, thus a virtual machine to perform the analysis in is recommended.
Windows, Linux and macOS are suitable.
Didier will perform the workshop inside a Windows VM.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/X83SQU/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Didier Stevens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TJGLQE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TJGLQE</pentabarf:event-slug>
            <pentabarf:title>Hacking Kubernetes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T141500</dtstart>
            <dtend>20251024T161500</dtend>
            <duration>020000</duration>
            <summary>Hacking Kubernetes</summary>
            <description>In this training, you will learn how to secure your Kubernetes clusters. You will dive into core security concepts including admission control and best practices for Kubernetes clusters. The training provides hands-on practice in a lab environment enforcing policies, managing access controls, and securing containerized workloads. You will learn to recognize misconfigurations and take effective countermeasures. You will also learn what the most important aspects of Kubernetes security are and where you can start.</description>
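Added example, not the training's lab material: an audit of a Pod manifest for the misconfigurations an admission controller should reject (host namespaces, hostPath mounts, privileged containers, missing runAsNonRoot, added capabilities, writable root filesystems, unpinned images, missing seccomp profile, automounted service account tokens). Both manifests are constructed, and the capability denylist is an assumption; in practice the dict would come from a loaded YAML file or an AdmissionReview request.

```python
# Added example, not the training's material. Manifests are constructed;
# the capability denylist is an assumption.

RISKY_CAPABILITIES = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

def audit_pod(pod):
    """Return a list of findings; an empty list means the spec passes these checks."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} is enabled")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            findings.append(f"hostPath volume {vol.get('name')} mounts {path}")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token automounted")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation", True):        # defaults to true if unset
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not enforced")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in RISKY_CAPABILITIES:
                findings.append(f"{name}: adds capability {cap}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append(f"{name}: no seccompProfile")
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"{name}: image {image!r} uses a mutable tag")
    return findings

# Constructed "debug" pod of the kind that turns into a node takeover.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "ubuntu:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed hardened pod that the same checks accept.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example/app@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

These are the same conditions the Pod Security Standards "restricted" profile and most admission policies encode; running them in CI against manifests catches the misconfiguration before the cluster ever sees it.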
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TJGLQE/</url>
            <location>Schengen 1 &amp; 2</location>
            
            <attendee>Benjamin Koltermann</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TQFERQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TQFERQ</pentabarf:event-slug>
            <pentabarf:title>MISP API sorcery workshop</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T101500</dtstart>
            <dtend>20251024T114500</dtend>
            <duration>013000</duration>
            <summary>MISP API sorcery workshop</summary>
            <description>The workshop aims to walk participants through the various API techniques that can be used in MISP both to create and to extract information from the system.

Participants will learn to create and enhance information in MISP as well as follow a deep dive into techniques for extracting accurately filtered sub-sets of the information.

We will also take a small detour on how to develop your own integration to cover whatever format MISP doesn&#x27;t handle by default - either by building a new export module or, if time permits, by relying on the workflow system of MISP.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/TQFERQ/</url>
            <location>Hollenfels</location>
            
            <attendee>Sami Mokaddem</attendee>
            
            <attendee>Andras Iklody</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FEUP9R@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FEUP9R</pentabarf:event-slug>
            <pentabarf:title>Malware Development for Ethical Hackers (Windows, Linux, Android)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T141500</dtstart>
            <dtend>20251024T161500</dtend>
            <duration>020000</duration>
            <summary>Malware Development for Ethical Hackers (Windows, Linux, Android)</summary>
            <description>Malware Development and Persistence Tricks for Ethical Hackers

MALWARE INJECTION TECHNIQUES:
1. Traditional Injection Approaches: Code and DLL (2 practical examples, LAB + 1 homework)
2. Exploring Hijacking Techniques (1 practical example, LAB + 1 homework)
3. Understanding Asynchronous Procedure Call (APC) Injections (1 practical example, LAB + 1 homework)
4. Mastering API Hooking Techniques (1 practical example, LAB)

PERSISTENCE MECHANISMS:
5. Classic Path: Registry Run Keys (1 practical example, LAB)
6. Persistence via Winlogon Process (1 practical example, LAB)
7. Exploiting Windows Services for Persistence (1 practical example, LAB + 1 homework)
8. Exploring Non-Trivial Loopholes (2 practical examples, LAB + 1 homework)

MALWARE FOR PRIVILEGE ESCALATION:
9. Manipulating Access Tokens like an APT (1 practical example, LAB + 1 homework)
10. Password Stealing (1 practical example, LAB + 1 homework)
11. Malware for Bypassing User Account Control (1 practical example, LAB + 1 homework)

ANTI-VM AND AV BYPASSING:
12. Anti-Virtual Machine Strategies (4 practical examples, LAB + 1 homework)
13. Practical Use of Hash Algorithms in Malware (1 practical example, LAB + 1 homework)
14. Evading Static Detection (1 practical example, LAB + 1 homework)
15. Evading Dynamic Detection (1 practical example, LAB + 1 homework)
16. Advanced Evasion Techniques (1 practical example, LAB + 1 homework)
17. Cryptography for Bypassing Security Solutions (4 practical examples, LAB + 2 homework)

LINUX AND ANDROID MALWARE:
18. Linux Kernel Hacking (1 practical example, LAB)
19. Linux Process Injection (1 practical example, LAB)
20. Introduction to Android Malware (3 practical examples, LAB)
21. Leveraging Legit APIs for Android Malware (2 practical examples, LAB)

RESEARCH AND PRACTICE:
22. Simple Ciphers for Malware Development (3 practical examples, LAB + 1 homework)
23. The Power of the Base64 Algorithm (2 practical examples, LAB + 1 homework)
24. Elliptic Curve Cryptography (ECC) and Malware (1 practical example, LAB + 1 homework)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training</category>
            <url>https://pretalx.com/hack-lu-2025/talk/FEUP9R/</url>
            <location>Hollenfels</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZKNFYV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZKNFYV</pentabarf:event-slug>
            <pentabarf:title>Hack your brain</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T141500</dtstart>
            <dtend>20251024T154500</dtend>
            <duration>013000</duration>
            <summary>Hack your brain</summary>
            <description>The outline: 

- Super duper intro to focus and flow
- Understand your system
- Hack your system with computer programming
- Take advantage of your multi-core processing
- Personal use of AI 
- Build systems to help others
- Practice brain-f***
- Colors and music - make some noise - even if you don&#x27;t know how to sing. 

I’ll teach you what I’ve learned along the way and how I’ve hacked my brain after some adventures and misadventures in the curious world of brain injury recovery.

Requirements:
Bring your brain.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/ZKNFYV/</url>
            <location>Vianden &amp; Wiltz</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MJDURG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MJDURG</pentabarf:event-slug>
            <pentabarf:title>Tech Duel: The Escape Battle</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20251024T101500</dtstart>
            <dtend>20251024T114500</dtend>
            <duration>013000</duration>
            <summary>Tech Duel: The Escape Battle</summary>
            <description>Each team consists of max. 5 persons. During the first 10 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/hack-lu-2025/talk/MJDURG/</url>
            <location>Echternach &amp; Diekirch</location>
            
            <attendee>Stijn Tomme</attendee>
            
            <attendee>Dominiek Madou</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
