What did computer hacking and the hacking scene look like when the internet was still tiny, 30+ years ago?
This comprehensive workshop is designed to provide participants with a deep understanding of API security, its challenges, and best practices to mitigate risks. Spanning six engaging sessions, the program begins with an introduction to API security and real-world breaches, highlighting the critical importance of securing APIs.
Participants will explore reconnaissance techniques, including using tools like Shodan and Google Dorking, to identify API endpoints. The workshop delves into common API vulnerabilities, such as SQL Injection and XSS, complemented by practical hands-on scanning with Burp Suite.
Additionally, the sessions cover OSINT (Open Source Intelligence) techniques with tools like Maltego, theHarvester, and Wayback, empowering attendees to gather intelligence on API targets. The program culminates with guided vulnerability exploitation exercises and a collaborative group activity to identify and exploit API flaws.
Concluding with a wrap-up session and an open Q&A, this workshop equips participants with the knowledge and skills to secure APIs effectively while fostering a hands-on learning environment.
In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.
We’ll explore practical examples, such as:
- Deleting the USN Journal (fsutil usn deletejournal /d C:) and why it’s rarely a perfect solution.
- Clearing shellbags to wipe file explorer history but failing to account for deeper registry artifacts.
- Time stomping ((Get-Item "C:\path\to\file.txt").CreationTime = "2022-01-01 00:00:00") and how forensic tools detect inconsistencies.
- Disabling last access time updates (fsutil behavior set disablelastaccess 1) and its limited effectiveness against comprehensive timeline analysis.
- Wiping MFT free space (sdelete -z C:) while ignoring the traces left behind in unstructured data.
From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent.
Attendees will gain a comprehensive understanding of what works and what doesn’t, and how to identify these techniques during incident response. Whether you’re an IR consultant, security analyst, or blue teamer, this talk offers actionable knowledge to outsmart adversarial anti-forensics tactics.
We use Python code to show how ‘clean’ evidence cleaning can be done, e.g., if only individual MFT entries are deleted or even if entries in the SRUM database are deleted or manipulated. This means it is not immediately obvious that the data has been manipulated, unlike when everything is deleted.
We often talk of doing forensics on a filesystem or in memory, but what about investigating how a browser interacts with a website? Lookyloo is a web interface that helps you to do exactly that. It also comes with a whole bunch of connectors to 3rd party services and makes it very easy to pivot on indicators to find phishing campaigns.
It's one of those mornings. You just crushed your early workout, feeling all kinds of invincible, you're halfway through your first sip of coffee, mentally planning your day, when your SOC team drops a bombshell: Suspicious activity has been detected on a critical system. Suddenly, it's not the caffeine waking you up, it's sheer panic!!
But let’s be real—cyber drama is inevitable. What separates the pros from the panicked is how we respond. In the Linux world, post-compromise activity isn’t just a mess; it’s a story waiting to be told. From tracking suspicious IPs and unexpected file creations to analyzing logs and identifying rogue services, our job is to piece together exactly what happened and how.
Because let's face it, while trends come and go, resilience never goes out of style. Join me in this session as we turn the chaos into clarity and decode the drama, and maybe even add a little sparkle to incident response.
This presentation focuses on container security, particularly addressing the tactics, techniques, and procedures (TTPs) used by cybercrime groups like TeamTNT to exploit container vulnerabilities. The presentation starts with container security fundamentals and common misconfigurations, followed by an examination of TeamTNT's malware, C2 infrastructure, and evolution. Attendees will learn best practices for hardening container environments and the significance of runtime security and continuous monitoring. The talk is intended for security practitioners, DevOps engineers, and IT professionals seeking to improve their understanding of real-world container security threats and mitigation strategies. Actionable recommendations for enhancing container security posture will be provided.
It is not unusual for CERT/CSIRT/SOC teams to use collection and live forensics tools in their incident response workflow. Programs such as Velociraptor, KAPE or DFIR-ORC can legitimately access low-level filesystem data and memory for the purposes of extracting forensic artifacts.
In this talk, we will show how these tools can be abused for credential access and why they might be overlooked by security teams. We will also discuss detection opportunities and what events to monitor in order to effectively counter these techniques.
"You do not find infoleaks, you create them" -Halvar Flake
In this hands-on 2-hour workshop we will learn how a memory corruption bug can be turned into both an RCE and an infoleak bug to bypass ASLR. Students will work with a memory corruption vulnerability in a popular web server and turn it into an infoleak bug.
Sigma is an open and generic format to share log detection signatures. In this hands-on workshop we learn how to write good Sigma rules by developing some for existing threats. It will cover simple rules for detection of single events as well as correlation rules for detection of event relationships.
“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but their shiny promises gloss over dangerous realities.
Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from varied stakeholders involved in Smart City planning and implementation go unexamined. Human hazards, vulnerable devices, and data management issues build on these to create diverse and creative attack paths for all sorts of threat actors.
Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.
In this workshop you will learn how to obfuscate your payloads with a custom VM. This will help to evade signature detections and make reverse engineering more difficult. The format will be a hands-on workshop and participants will walk away with new tooling they can try out in the field right away!
In a 90-minute workshop, 2 teams will compete.
This session dives into a sophisticated recruitment scam run by the notorious Lazarus Group on LinkedIn and other job-related platforms. As revealed by Bitdefender Labs, we will uncover how the threat actors use complex methods to deliver malware into what looks like a coding assessment for a job offer. Using advanced social engineering, this scam campaign shows why it's important to stay alert and aware when using any digital service.
During this talk, we will follow the whole infection process, starting with the JavaScript loader & infostealer, moving to Python scripts that ramp up the damage, and ending with a final payload that doubles down on data theft and connects to the Command and Control (C2) server via The Onion Router (Tor). Attendees will gain a comprehensive understanding of the tactics used by cybercriminals, the potential risks to your organization's security, and strategies to protect against similar attacks.
IntelMQ is a great tool for automating structured IT security data feeds for CERTs: need to process all Shadowserver data for a country? IntelMQ can easily do it. Need to alert on all vulnerable devices that Shodan knows about? Sure!
But what about unstructured text? Many reports (CTI reports) contain lots of relevant information (IoCs, TTPs, etc.), but often in prose or only in semi-structured formats (hidden in a table, etc.).
For information extraction, LLMs and other AI models (BERT, etc.) proved their merit already.
The presenters will show how they extended IntelMQ to support these AI models and how the combination lends itself to (semi-)automating the work of a CTI analyst.
IntelMQ to MISP output included ;-)
The operating systems of many proprietary consumer- and enterprise-grade networking devices do not allow for easy customization. Even when SSH access is available, it often supports only a limited set of tightly controlled commands, offering no way to install new binaries — or to understand what the existing ones actually do.

The Internet is full of guides on “jailbreaking” proprietary routers — an unfortunate necessity for users who want deeper control over the hardware they've paid for.

In contrast, open-source router OSes like OpenWrt provide full SSH access. This seemingly simple feature sends a clear message: “This device is truly yours, and you're welcome to inspect or improve it — even find security bugs, if you're so inclined.”

But what happens when a proprietary OS is built on top of an open one like OpenWrt?

In this talk, we’ll take you on a journey through reverse engineering OS binaries based on OpenWrt, used by a major vendor [REDACTED]. We were surprised to discover that they had patched the Lua compiler for the sole purpose of hindering static analysis.

We'll demonstrate several techniques for “owning” a line of devices from this vendor — from rediscovering a "patched" backdoor in the restricted SSH service, to identifying an authenticated OS command injection vulnerability buried deep in a custom Lua module.

These findings could enable full remote takeover of the devices — so it’s no wonder the vendor didn’t allow SSH access in the first place...
In this workshop, participants will learn everything they need to know to install Kunai and start monitoring their Linux environment to spot attackers or simply for fun.
In the first part, we will cover all the essential information about Kunai. This will include a quick walkthrough of the Kunai documentation, explaining what participants can expect from this tool. Simultaneously, we will conduct exercises to help participants become familiar with the tool, its command line, and configuration file.
In the second part, we will run exercises showcasing more advanced Kunai usage. This will include building custom detection rules to detect specific anomalies or malware, learning how to load Indicators of Compromise (IoCs) into the detection engine, and how to integrate Kunai with your favorite MISP instance. If time allows, we will also cover additional advanced topics.
Breaking into supermarket systems, ticketing platforms, and more. I’ll share some of my latest hacking stories, showing how I found the vulnerabilities, reported them, and collaborated with the companies. We’ll dive into tools, the challenges of disclosure, the importance of being “ethical”, lessons learned and how these experiences help improve security and build trust between hackers and organizations.
In a 90-minute workshop, 2 teams will compete.
Local Administrator Password Solution (LAPS) automates local admin password rotation and secure storage in Active Directory (AD) or Microsoft Entra ID. It ensures that each system has a unique and strong password.
In OverLAPS: Overriding LAPS Logic, we will revisit and extend our previous research (Malicious use of "Local Administrator Password Solution", Hack.lu 2017) by exposing client-side attacks in Windows LAPS ("LAPSv2"). After a brief overview of LAPS's evolution, from clear-text fields in AD with Microsoft LAPS ("LAPSv1") to encrypted AD attributes or Entra ID storage with Windows LAPS, we will explore the client-side logic of Windows LAPS. Unlike prior work that exfiltrates passwords only after directory compromise, we will focus on abusing LAPS to maintain presence on compromised endpoints, both on-prem and Entra-joined devices.
We will leverage PDB symbols and light static analysis to understand how LAPS works internally, then use Frida for dynamic hooking to capture, manipulate, and rotate admin passwords on demand. We will also reproduce Frida proof-of-concepts using Microsoft Detours for in-process hooks.
Attendees will gain practical insights into new attack vectors against Windows LAPS, enabling them to assess, reproduce, and defend against client-side attacks in their own environments.
DNS gives a unique vantage point for phishing detection. In my presentation I will show how we use it at CERT.PL to search for phishing domains in the .pl top-level domain, but also more universally as our contribution to the DNS4EU project – an entirely European DNS resolver. I will discuss using various parts of the DNS ecosystem as observation points, then show how we applied standard heuristics and machine learning/AI methods to get good detection results.
Last year, the Russia-aligned group RomCom used a zero-click exploit combining vulnerabilities in Mozilla and Microsoft products. This exploit allowed them to compromise computers without user interaction. The attack involved a fake website that led to the execution of RomCom's backdoor.
The first part of the exploit targeted Firefox and Tor Browser, using a bug to run code. The second part involved a Windows vulnerability that allowed RomCom to gain higher privileges and deploy their backdoor. Microsoft and Mozilla quickly patched the issues.
RomCom's use of these vulnerabilities shows their advanced capabilities. This presentation covers RomCom's tactics, the attack chain, and the technical details of the exploits, along with the fixes from Mozilla and Microsoft.
CSIRT.SK’s cybersecurity approach emphasizes proactive vulnerability management through Achilles, a system that performs non-invasive scanning of public administration systems to detect security flaws while minimizing disruption. This model enables real-time risk assessment without impacting system availability, in line with NIS2. To enhance threat-driven assessments, CSIRT.SK integrates cyber threat intelligence, mapping active threat campaigns to known exploits. This fusion of CTI and vulnerability scanning enables targeted security enhancements and faster mitigation of emerging threats.
A further key NIS2 innovation at CSIRT.SK and its constituency is structured vulnerability disclosure, where public organizations must publish clear guidelines for reporting security issues. This shifts responsibility from researchers to system operators, ensuring efficient triage and response while fostering trust with security researchers.
The presentation showcases Slovakia’s model of scanning, contrasting it with alternative approaches, and provides actionable insights for CSIRT teams on scalable vulnerability assessment, ethical hacking engagement, and intelligence-driven security operations.
Get your day started with a nice intensive yoga session.
Building an actionable organization-specific threat landscape is a challenging task. A useful format has to be chosen, information has to be collected and finally meaningful action should be derived from the created product. This talk describes a pragmatic approach to build such a threat landscape that can be used by various stakeholders and is built from openly available information as well as the operational security teams' own observations. Furthermore, possible follow-up actions are discussed, as well as disadvantages and shortcomings of the approach.
Why does blockchain matter to threat intelligence? The presentation will try to answer this question. It will start with a quick presentation of the Ethereum decentralized blockchain and the logic of smart contracts. Then, examples of malware abusing Web 3 will be described. The malware described during the presentation is linked to crimeware organizations as well as APT organizations. We will see why attackers use Web 3, the advantage for them and the issues for blue teams. Finally, we will cover the threat hunting opportunities and the tools that can be used to hunt for malware, but also how to use block explorers such as etherscan.io or Arkham Intelligence to track multiple blockchains and visualize transactions and addresses.
This workshop is intended for novices who want to improve their practical knowledge and experience with OpenSSH.
Ransomware remains one of the most prevalent and destructive forms of malware today. Understanding its inner workings is crucial for defenders and incident responders alike. This workshop will offer a deep dive into reverse engineering ransomware, focusing on practical methods for unpacking and analyzing malicious code.
The Reverse Engineering Ransomware: A Hands-on Workshop is designed to provide attendees with practical experience in analyzing a simulated ransomware sample. The workshop will begin with an introduction to ransomware and an overview of tools such as Ghidra, OllyDbg, x64dbg, Process Monitor, and Wireshark. Attendees will then engage in static analysis using Ghidra to examine the ransomware binary, followed by dynamic analysis in a safe virtual machine environment, where they will observe the malware’s behavior using debugging tools and monitoring software. The session will also cover extracting Indicators of Compromise (IOCs) and documenting the findings in a report.
Throughout the workshop, attendees will be guided step-by-step, with time for questions, hands-on practice, and discussion. The workshop concludes with a Q&A session and provides additional resources and a whitepaper for continued learning.
Note: A simulated ransomware sample will be provided at the start of the workshop. Attendees are encouraged to bring a laptop with at least 16GB of RAM and a pre-configured VM environment to fully participate in the hands-on analysis.
The “Telecard” Israeli payphones entered service in 1990, and at the height of their career there were 27,000 installed throughout the country. While most of them have already been removed from the streets, some remain in service in selected locations. Designed and manufactured in the late 80’s, they were nothing short of state-of-the-art embedded computer systems, capable of self-diagnosis and reporting. In this talk, we will explore one (or more) of those, from breaking into the chassis all the way to code execution. Multiple challenges and multiple solutions make this a fascinating peek into an ahead-of-its-time device.
In a 90-minute workshop, 2 teams will compete.
This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. This session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context. The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode.
Organizations increasingly adopt policies that encourage employees to report emails they perceive as potentially malicious. These user-submitted reports are typically reviewed by the Security Operations Center (SOC), which conducts in-depth analyses to determine appropriate response measures. This approach enhances organizational defenses by integrating human vigilance with expert investigation, thereby complementing existing automated threat detection systems.
This study presents a comprehensive examination of phishing emails reported by users across five organizations over a span of several months. These messages are particularly stealthy since they were able to bypass all the automated checks in place, yet were identified by the employees, and confirmed as malicious by security experts. We extract and characterize the evasion techniques employed in these phishing campaigns and evaluate their level of sophistication. Our findings reveal that while these attacks are generally low in volume, they are highly targeted and carefully orchestrated, demonstrating significant forethought and strategic intent. Notably, these campaigns utilize advanced evasion tactics at the message level—including the use of corrupted QR codes — and cloaking relying on bot detection and browser fingerprinting techniques.
The objective of this work is to deepen our understanding of the phishing landscape while taking into consideration the threats that slip through the cracks of advanced security filters.
What if your trusted security solutions could be silently disarmed without warning? What if a long-forgotten vulnerability in a legitimate driver became the perfect weapon for attackers to bypass defenses and strike undetected?
In 2025, Check Point Research uncovered a sophisticated campaign leveraging over 2,500 unique variants of a vulnerable legacy driver to disable EDR and AV solutions. By abusing a loophole in Windows driver signing, the attackers successfully deployed a powerful EDR/AV killer module that bypassed Microsoft’s Vulnerable Driver Blocklist and evaded detection mechanisms, including those introduced by the LOLDrivers project.
To ensure stealth, the attackers carefully manipulated the driver’s PE structure, generating distinct hashes while preserving its valid signature — a move that allowed thousands of modified variants to remain undetected. Operating from a public cloud’s China region, the attackers targeted victims primarily in China and parts of Asia, with devastating precision.
Check Point Research’s findings prompted Microsoft to update its Vulnerable Driver Blocklist, neutralizing the exploited driver variants. This paper presents the campaign’s technical details, explores the evasion techniques in depth, and provides practical insights for defenders to mitigate emerging driver exploitation threats. Are your defenses prepared for attackers turning trusted code into a silent threat?
This session dissects a real-world case study where an actor weaponized automation flaws in Meta’s LLM-based compliance system to hijack high-value accounts via orchestrated botnet abuse, prompt injection, and linguistic manipulation. The attacker exploited vulnerabilities in the very safeguards designed to protect users, triggering account suspension and negotiating “restoration” through AI-manipulated support flows.
This case is not an isolated incident—it is a signal of broader systemic risks that emerge when generative models and automation pipelines are integrated without robust adversarial testing. Beyond the technical compromise, the attack leveraged prompt engineering as social engineering, revealing the cognitive blind spots of model-aligned trust systems.
In response, I introduce foundational forensic linguistic techniques and NLP-based detection methods for identifying AI-generated text in compromised communications. By combining stylometry, perplexity analysis, and syntax anomaly detection in Python, we illuminate detection opportunities hidden in prompts and narrative structure, along with a few more tips from the cloud security area to protect LLM deployments.
The talk closes with a reflection on the ethical tensions in detecting synthetic media.
This talk will blend live demonstration, code walkthroughs, and operational insights from an investigation that didn’t just uncover an exploit—but a philosophy of misuse.
Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets. Suricata provides network protocol, flow, alert, anomaly logs, file extraction and PCAP capture at very high speeds.
This hands-on training will focus on a few new and groundbreaking detection additions of the new Suricata 8 release, like transactional rules, data/datajson sets, and new protocols and keywords such as entropy matching.
Discover how we hacked YARA and built rules to effectively detect open source software sources and binaries as if it were malware, using rules that you can generate on demand for fun and profit, and integrate software composition analysis with malware hunting!
In a 90-minute workshop, 2 teams will compete.
Working with netflow data has a big advantage, as it reduces the data size remarkably. This comes at the cost of losing packet payload information. What if we try to combine the best of both worlds and have a tool that does just that?
The workshop explains this approach and gives the students real-life hands-on examples. The workshop introduces a new type of network forensics with netflow and pcap.
Are you, or your organisation, concerned about potential compromise on your iPhone, iPad, or Apple Watch? This workshop equips you with the knowledge and tools to identify red flags on your iOS device. We delve into the world of sysdiagnose and explore methods to verify potential breaches.
This is the starter workshop; we invite you to also join the second, deeper-dive session with more in-depth analysis.
This talk delves into strategies and practices for large-scale security monitoring of Linux systems within enterprise environments. We will explore unique challenges posed by Linux-based infrastructures — from their highly diverse configurations to their widespread deployment across cloud and hybrid landscapes.
We will discuss how we have addressed the need for scalability in our tooling and why integrating our solutions into a SIEM or SOAR platform is critical for effective incident response. Additionally, we will explain why traditional EDR solutions fell short of meeting our requirements and how we instead built a customized, open-source-driven setup leveraging Auditd/Laurel and Velociraptor.
The presentation will begin with an overview of our threat-based logging and response strategy, followed by a deep technical dive into the customizations and enhancements we made to the aforementioned tools — many of which have been shared with the community. Special attention will be given to the asset identification features we added to Velociraptor, enabling us to efficiently operate and respond at scale within complex enterprise environments.
Digic8 Oracle
Decrypting camera updates without knowing either the key or the algorithms (at first)
For years, Canon camera firmware has been enhanced by hackers, via the [CHDK] project for Powershot models and [MagicLantern] for DSLR/mirrorless ones, applied to DIY drone photography for example [DRONES].
Since 2011, the Magic Lantern team has been able to execute code by enabling a hidden Canon payload loaded from the SD card: autoexec.bin. Enabling this feature requires forging valid signatures for camera updates, and required the team to fully understand the cryptography of these .FIR files. But since the EOS R camera launch in 2018, FIR cryptography changed and no one has publicly explored this new FIR version.
We will introduce the technical context as well as FIR file format version 4 (before 2018); then, we will use:
1 - the fact that some recent Canon cameras (R, RP, R6) allow dumping their firmware via an embedded BASIC interpreter, and
2 - Unicorn emulation to easily decrypt camera update files of the same hardware (Digic) generation, because a single key is used.
As a first step, emulation will allow access to FIR content (the updated camera firmware code) without the need to understand either the underlying cryptographic algorithms or the keys: the dumped code will be used "as an oracle" by the emulation. Then we will describe how decryption key generation works for Digic 8, and finally the asymmetric signature scheme and how to verify signatures for both Digic 8 and Digic 10 cameras.
Two Python tools will be released: d8_oracle.py, to decrypt Digic 8 updates via emulation of dumped firmware, and d810_verif.py, to verify FIR digital signatures based on the secp256r1 curve.
d8_oracle.py requires you to first dump a firmware yourself via CBasic, or to obtain such a camera dump from the Magic Lantern community, for example.
Neither decryption keys nor firmware dumps will be released with this talk.
Laurent Clévy already reverse engineered Canon's picture authentication scheme (Original Data Decision in Canon terms) years ago and wrote a Python tool to recompute signatures [ODD]. He also rediscovered the pre-2018 FIR cryptography and described it at BeeRump 2022 [BeeRump].
EOS, Digic and Powershot are Canon trademarks.
References:
* CHDK
* MagicLantern
* DRONES
* ODD
* BeeRump
We all know that the S in IoT stands for Security. Despite years of bad press and high-profile breaches, Internet of Things devices continue to hit the market with glaring security flaws. Why do hardware teams fall short? Why don’t consumers seem to care? And what can be done to improve the situation?
If you are done hearing about focus on one side and productivity on the other, you are not an alien. This workshop is about breaking misconceptions, focus and work (especially in cybersecurity demanding tasks). You'll learn the ropes to reprogram your brain (using the language of your choice).
I've been using Qubes OS in my professional life since 2017 (version 3.2).
With this workshop, I want to share my experience working daily with it, then initiate an exchange around the various topics involved, including security benefits and technical difficulties.
This workshop aims to overcome the drawbacks of the current approach to teaching application security, which blindly attacks applications to analyze vulnerabilities.
This results in engineers being unable to figure out the proper fix for the vulnerabilities, allowing attackers to exploit them.
The labs will help security enthusiasts, developers and students to identify the root cause of the vulnerability in the code, patch it, re-deploy the application, and finally verify the fix.
As an attendee, you will learn to find vulnerabilities from both an attacker's and a defender's point of view, which helps with a swift SDLC of fixing and moving forward instead of the traditional pentesting procedure of fixing the issues at the end of the cycle. The demonstration will use a vulnerable e-cart application with a microservice architecture deployed using Docker, where the vulnerable code is attacked and replaced with secure code snippets, compiled, deployed and pentested again to demonstrate how fixing a vulnerability at the root saves engineers time and effort.
In a 90-minute workshop, 2 teams will compete.
This talk dives deep into the murky waters of Bluetooth and BLE security. Think those harmless wireless signals are just minding their own business? Think again! David presents a real-world case study that challenges conventional thinking about privacy. He’ll share the unexpected hurdles he encountered while detecting parking municipal agents and his efforts to outsmart them while saving money. This session promises to leave you with a new perspective on the vulnerabilities of everyday wireless technologies.
This session explores the forensic remnants left behind by ransomware on an infected machine. Through a simulated malware infection in a controlled environment, we’ll demonstrate how to uncover the traces attackers leave in system artifacts. Using powerful open-source tools like Autopsy, RegRipper, and Velociraptor, we’ll walk through post-infection analysis, providing attendees with the techniques and insights to detect, correlate, and communicate ransomware behaviors.
This session would be ideal for DFIR professionals, SOC analysts, and anyone looking to better understand the digital aftershocks of malware.
Suricata is a widely used, high-performance, open-source network analysis and threat detection software. This talk will provide an overview of the key new features introduced in Suricata 8, the latest release of the open-source network threat detection engine. We will cover the addition of several new protocols, including LDAP, DNS over HTTPS, SIP, SDP, POP3, and WebSocket, expanding Suricata's monitoring capabilities. We will also discuss the new "transactional rules" functionality, which allows single signatures to match traffic in both directions.
This talk describes the European Commission approach to cloud adoption from 2013-2025 along with stories of the good, the bad and the ugly and how EC has iterated upon its risk appetite and security debt appetite over time.
Kaitai Struct is a tool for dealing with binary formats. Binary formats are everywhere: archive files, executables, filesystems, multimedia files, network protocols, etc. If your application needs to read data in a specific binary format, you need a parser that unpacks the bytes into meaningful data structures that you can work with. There are libraries doing that for popular formats, but what if there is no suitable library in your programming language for the format you need?
Get your day started with a nice intensive yoga session.
We know the world runs on legacy. We know it’s not supposed to. But when vendors or LinkedInfluencers command us to phase out old systems and protocols, it sometimes seems like their expectation-versus-reality connection is faulty.
This talk will walk you through the ~adventure~ of disabling a recently-deprecated Microsoft authentication protocol with numerous security problems: NTLM.
For decision-makers, this is an opportunity to better understand the struggles of on-the-ground IT and security teams trying to bring outdated systems in line with industry standards. For IT and information security peers, this presentation will share valuable resources and “lessons learned” for successfully phasing out NTLM (and similar thorns-in-sides) within their own organizations.
This talk exposes how a simple OPSEC mistake—a threat actor testing malware on his own production system—can unravel an entire cybercrime operation. By intercepting Telegram-based C2 communications, we’ll uncover the inner workings of infostealers, reveal infrastructure details, and discuss how these real-world insights can reshape threat intelligence and defensive strategies.
There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers, for convenience's sake, will run the services they are developing configured in a less secure way than they would (hopefully!) in higher environments.
By compromising websites developers use, injecting JS into adverts served on those sites, or simply running a phishing attack that gets the developer to open a web browser on a compromised page, it is possible to reach those services bound to localhost via non-preflighted HTTP requests, by exploiting common misconfigurations in Spring or known vulnerabilities found by myself and others. As I'll demonstrate during the talk, it is possible to achieve RCE on the developer's machine or on other services on their private network.
As developers have write access to codebases, AWS keys, server creds etc., access to the developer’s machine gives an attacker a great deal of scope to pivot to other resources on the network, modify or just steal the codebase.
If you've worked with Microsoft security tools in the last few years, you've probably come across references to Kusto Query Language (KQL) - the backbone of querying and analysis in their tools like Defender and Sentinel. While attending this talk won't make somebody an expert, the hope is that it might save them some time and prevent headaches during their next investigation. This talk will cover high level info such as:
- Important aspects of the Defender and Sentinel data schemas
- Query structure and examples
- Methods of data analysis in KQL
- Use cases, aka how to make your coworkers go "Wait, how did you get that data?"
This talk is focused specifically on KQL, but the use cases and generic concepts can be transferred to most other security tools that let you query raw data. After all, it doesn't matter if it's SQL, AQL, SPL, FQL, SPARQL, or some query language no one has ever heard of; what matters is that we get the data we need.
Born in 2001, the Internet Storm Center (or ISC) is a volunteer-driven threat-monitoring and early-warning program that evolved out of Incidents.org and the DShield consensus intrusion-log project. Leveraging a distributed network of sensors that now contributes tens of millions of firewall and IDS records each day, the ISC correlates this data to track “storms” of malicious activity, publishes a real-time Infocon threat level, and releases daily “Handler Diary” blog posts and a short Stormcast podcast to brief defenders on the latest vulnerabilities, exploits, and malware campaigns. About 40 volunteer handlers spread across several countries analyze submissions, craft tools, and coordinate community response, making the ISC one of the longest-running open sources of actionable situational awareness for incident responders and network operators worldwide. During this presentation, I'll show you the data that we collect and make available, mainly through our API. I will also introduce our worldwide honeypot network (and how easily you can join it to share more data).
How safe is your “encrypted” laptop when someone walks off with it?
Full-disk encryption (in particular BitLocker) is now standard on Windows 11 machines, silently protecting everything from corporate endpoints to personal devices. But in the real world, does it truly hold up against physical access attacks?
This session is for defenders, red teamers, and anyone who’s ever been handed a laptop and told, “Don’t worry, it’s encrypted.”
The class loader is a fundamental component of the Java Virtual Machine, responsible for dynamically loading classes into an application's memory during runtime. The functionality of class loaders is outlined by the abstract ClassLoader class, with the PathClassLoader and DexClassLoader being some common implementations in the Android OS.
In the context of data transfer and object management, dynamic class loading becomes particularly relevant when dealing with Serializable and Parcelable objects, as the ClassLoader implementation plays a crucial role in reconstructing them. However, while the Android security model enforces isolation among running processes, nothing prevents an application from creating and maliciously using objects of another app. In fact, the practice of storing application resources and their code in world-readable directories eases this process, since it allows any app to "borrow" the context of another and create class loader instances that can be used to construct Java objects with potentially unsafe content.
Android developers often overlook this contingency, placing undue trust in Java objects received from untrusted sources. In a typical scenario, an application handles such objects without proper caution regarding their encapsulated data. Depending on the use of this data, such an oversight can lead to unpredicted behavior and, under some circumstances, it can have serious security implications.
In this study, we demonstrate techniques and explore how third-party applications, without requiring any permission, can leverage the outlined behavior to craft and dispatch parcelable Java objects with malicious content, to other applications. We further illustrate, using practical examples, the severe security implications that this may have, underscoring the necessity for more vigilant and comprehensive security practices in Android application development.
By its own definition, Dell's Wyse Management Suite is "a secure hybrid cloud management solution for Dell thin clients". While attempting to determine how secrets are encrypted in the policies pushed to thin clients, we stumbled down a rabbit hole which led to the discovery of multiple vulnerabilities.
These vulnerabilities allow an attacker not only to decrypt the secrets from policies issued to arbitrary devices, but also to fully compromise the Wyse Management Suite server, which in turn allows taking over all the devices in the thin client fleet.
While these issues are already important in the case of on-premise deployments, the risk is even higher in Dell's own cloud environment, where tenant isolation is not sufficient to prevent exploitation from one tenant to another.
In the ever-evolving landscape of cybersecurity, automation has become a crucial tool in any security researcher's arsenal. While there's no shortage of open-source and commercial information security tools, the ability to write your own or modify existing ones remains an invaluable skill. This workshop aims to bring attendees up to date on various automation techniques for accomplishing cybersecurity tasks.
The workshop covers techniques spanning a broad spectrum of security areas, such as vulnerability discovery & exploitation, network monitoring & security, and modifying existing tools. Targeted at security professionals—including penetration testers, bug hunters, red teamers, threat researchers, SOC analysts, and network/DevOps professionals—the workshop demonstrates and teaches how security tasks can be automated easily.
This hands-on workshop complements the talk “Field Guide to Physical Attacks Against Full-Disk Encryption” by guiding participants through a full-chain compromise of a BitLocker-protected Windows system. This isn’t just about sniffing keys, it’s about turning physical access into full control.
Participants will:
- Learn to use a logic analyzer to intercept TPM traffic to extract encryption keys,
- Use those keys to unlock the disk and access system data,
- And escalate privileges to achieve full interactive access on the target machine.
Attendees will walk away having executed every stage of the attack chain, from signal capture to full compromise, on real hardware!
This presentation will provide an in-depth look at a legacy version of Widevine L3, Google's software-based Digital Rights Management (DRM) system. Despite its widespread use in streaming services, often for low-definition content where its software-only nature is deemed sufficient protection, Widevine L3 has faced numerous public compromises. We will demonstrate how partial emulation can be practically applied to perform Differential Fault Analysis (DFA), breaking the system's root of trust. The talk will conclude with a detailed walkthrough of deobfuscating the Widevine L3 codebase to enable the generation of custom keyboxes.
This is the second part, or deep dive, of the Sysdiagnose Analysis Framework Workshop.
We will continue on the topics discussed in the first workshop, but here the focus is on diving DEEP in lots of the data that is present in the sysdiagnose archive.
Please ONLY attend this workshop if you either attended previous year's session or attended the beginners session, or already used the sysdiagnose analysis framework before.
Cybersecurity isn't just about technology; it’s fundamentally about people. Cybersecurity's human element is undeniable. It is not merely about firewalls and code; it's a human game. Recognizing the link between psychology and psychological safety on the cybersecurity frontlines, particularly within incident response, is crucial. Enough with the blame game! We need a culture where taking risks, sharing ideas, and learning from failures are actually rewarded and recognized for their contribution to an organization's overall success.
Cultivating psychological safety can be challenging, especially in high-stakes environments like cybersecurity incident response. Building this environment isn't easy. It is not always fun. It means putting people before tech: committing to strategies that prioritize people over technology and effectively integrating psychological safety into onboarding, fostering a culture of trust and transparency from day one. By prioritizing psychological safety, organizations can unlock the full potential of their cybersecurity teams and significantly bolster their defenses against cyber threats. Recognizing the vital role of the human factor, we unlock the true potential of our CSIRTs and build a stronger defense against new and emerging threats. Staying ahead of the curve in the constantly changing cyber warfare landscape requires an adaptive and resilient defense.
Livewire is a full-stack framework for Laravel that streamlines the creation of dynamic and interactive web interfaces by allowing developers to build real-time features using PHP and Blade templates. In this talk, we will show how to exploit the unmarshalling mechanism used by Livewire to instantiate arbitrary objects in order to achieve remote command execution on any Livewire instance as long as you are in possession of the APP_KEY of the application. Additionally, we will present a new feature added to our publicly available tool laravel-crypto-killer, which fully automates the generation of the payload described during the presentation.
Building a pipeline to analyse iOS devices at scale
Overview and Abstract
This talk will show how the DG DIGIT is building a pipeline to analyse devices at scale relying on 2 key pieces:
1. The sysdiagnose analysis framework developed jointly with CERT-EU.
2. A toolset to collect artifacts over the air via a self-developed app (in collaboration with an independent security researcher) or a companion app on a PC. The self-developed app is now available on all EC-owned devices.
Globally, this is a part of a larger "mobile cybersecurity programme" which is a deliverable of the European Commission Cybersecurity Strategy.
The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.
Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.
In this workshop you will learn how to obfuscate your payloads with a custom VM. This will help to evade signature detections and make reverse engineering more difficult. The format will be a hands-on workshop and participants will walk away with new tooling they can try out in the field right away!
Once upon a time, an algorithm's goal was to make a distinction between a chihuahua and a cookie... true story. Human curiosity is a great thing, and this workshop is built around it.
Here total beginners in AI learn the fundamentals of deep learning, set up their environment, and apply it to image classification. By the end of the workshop, they are able to build a simple web application using Gradio that classifies images.
It is well known that humans are the weakest link in information security.
Social engineering has emerged as a means to influence and manipulate individuals to achieve desired outcomes. In this presentation, we delve into the realm of social engineering, exploring the art of behavior alteration, manipulation and persuasive communication.
The Zeek network monitor offers a range of mechanisms to interact with it while up and running. Examples include its ability to asynchronously ingest intel data, exchange Zeek events with custom-built services, call out to web APIs via JavaScript, load and save runtime state, and produce operational telemetry. These features provide powerful means to integrate Zeek into an organization's cybersecurity infrastructure, taking it far beyond a mere producer of network logs.
In this talk I will walk through these features, outline their relative pros and cons, and give examples of real-world applications they enable, including machine learning models, threat intel platforms like MISP, and "round-tripping" of network inventory data. This talk is ideal for users who have gained initial experience with running Zeek, and are looking to get more out of their deployment. Even if you've never used Zeek before, you'll gain a better understanding of what it can provide for your network detection & response infrastructure.
AI and LLMs are everywhere, but how are they actually implemented? In this session, we will take a detailed look at Ollama, a popular tool to run LLMs locally. In the context of Pwn2Own, we will learn about Ollama's architecture and the GGUF file format for storing large language models. We will then explore a few memory corruption bugs in the handling of these files and dive deep into the exploitation of one of them. The presentation ends with a live exploit demo, notes on disclosure, and lessons learned.
In this talk, we’ll deep dive into fuzzing Android’s IPC mechanisms, focusing on AIDL fuzzing in particular. We’ll dive into techniques for fuzzing AIDL interfaces to uncover vulnerabilities, discuss tools and frameworks, and highlight security issues we identified using this method.
This session provides an in-depth analysis of multiple critical vulnerabilities discovered by Michelin CERT in the Palo Alto Networks GlobalProtect VPN client, referenced as CVE-2024-5921, CVE-2024-3390, CVE-2024-3391, CVE-2024-3392 and CVE-2025-0118.
The research highlights how attackers on the same network can exploit weaknesses in certificate verification, root CA management, embedded browser authentication, and client-server communications to achieve remote code execution and privilege escalation on Windows workstations.
In this presentation, we share the methodology used during a security audit of the CarPlay application. This application exposes services to external car interfaces through Bluetooth and Wi-Fi. Our work focused on identifying vulnerabilities that could allow an attacker already connected to the car's Wi-Fi hotspot to compromise the multimedia equipment.
During this analysis, we present how we identified the function responsible for parsing external data sent to the car, how we fuzzed it, and how we discovered a bug already known to Apple (CVE-2023-23494).
As CI/CD pipelines become integral to modern software development through systems like Azure DevOps or GitHub Actions, and tools such as Terraform and Ansible, their compromise can have devastating effects, from infrastructure breaches to mass malware distribution.
Originally, CI/CD pipelines were managed and accessed only by a limited group of administrators or integration engineers. However, with the widespread adoption of Infrastructure as Code, it has become increasingly common for companies to open controlled access to their pipelines—sometimes even to external clients. This shift supports use cases such as self-service sandbox environments, client-controlled infrastructure provisioning, or dynamic testbed deployments in multi-tenant platforms. While these scenarios offer flexibility and scalability, they also introduce new risks and potential attack vectors, making it critical to rethink pipeline security under this broader exposure model.
In this talk, we will demonstrate how an attacker can exploit seemingly limited permissions—such as those of a standard contributor account—to fully compromise a CI/CD pipeline and the underlying infrastructure. By chaining misconfigurations, abusing legitimate features, and bypassing common restrictions, we’ll show how limited access can quickly escalate into full control.
In the second phase of the talk, we’ll look at the defensive side: how a company can effectively secure its pipelines in a context where access is no longer limited to internal teams.
This talk explores various techniques, tactics, and psychological models used to infiltrate emerging threat actor groups. We will examine the process of target identification and discuss when it is appropriate to attempt infiltration. Additionally, we take a closer look at the concept of probing the enemy and the idea of weaponizing new relationship energy (NRE), which can be effective at destabilizing individuals and placing them outside of their comfort zones. An important aspect of Persona Theory is not only what we write but also how we present it. Stylometric analysis can be particularly useful in this area. We will compare transliteration and translation (both human and machine) to understand how to pass as a native speaker.
Maybe you already attended a maldoc analysis workshop from Didier at the Hack.lu conference. Didier has delivered workshops on PDF, Office and RTF document analysis. These workshops were bottom-up: we first learn about the fundamentals, and gradually we make our way through ever more complex exercises.
This workshop is the other way around: we go top-down (and we cover PDF, Office and RTF in the same workshop). We don’t start with the fundamentals (they will come later during the exercises when necessary), but we start directly with exercise files that we first have to identify, and then decide how to proceed with the analysis.
We immediately start with real maldoc samples, and you learn how to triage the file and start the analysis. You will learn what tools to use depending on the type of maldoc, and what analysis strategy to follow. You will also be guided with custom decision trees designed for this workshop, that you can use later on in your professional practice.
And we will also cover some automation to perform batch analysis.
Criminal business processes have been significantly reshaped in recent years due to the appearance and accessibility of new technologies and significant changes in the geopolitical landscape. The presentation will focus on the changes in behaviour of Russian-speaking criminal groups and on significant developments and changes in the cyber underground. Those changes are affecting the lists of priority targets, the geographical location of the targets of attacks, criminal business processes, the modus operandi and the priorities of criminal groups.
The presentation will also include case studies on the criminal business processes related to money mule services, attacks leveraging e-commerce platforms, reshipment services, offers to commit violent actions in particular regions of the EU, and the appearance in the EU of business models which were previously leveraged in Russian-speaking countries.
As modern security defenses evolve, attackers continue to leverage legitimate cloud services for command-and-control (C2) communication, effectively bypassing traditional network detection systems. This talk presents original research into the abuse of lesser-known free cloud APIs such as GitHub Gists, Telegram Bot API, Discord Webhooks, and Google Apps Script for stealthy malware communication. Unlike well-documented abuses of Google Drive or Dropbox, our study explores new, unmonitored attack surfaces that can be exploited by adversaries while remaining under the radar of enterprise security monitoring tools.
Key topics of my talk:
- Techniques for establishing C2 channels using free cloud services.
- Encryption and obfuscation strategies to evade EDR/ML-based detection.
- Case studies demonstrating real-world proof-of-concepts (PoC) of API abuse.
- Recommendations for mitigating risks and detecting malicious API-based C2 activity.
Traditional C2 detection methods focus on recognizing known malware signatures or anomalous network traffic. However, API-based C2 channels blend seamlessly into normal cloud service usage, making them exceptionally difficult to detect. This talk will provide defenders with insight into how attackers exploit these mechanisms and offer practical countermeasures to strengthen security postures against emerging threats.
Target Audience:
- Red Teamers, Ethical Hackers, and Penetration Testers
- SOC Analysts and Threat Hunters
- Incident Responders and Security Engineers
Our lives depend on automotive cybersecurity, protecting us inside and near vehicles. If vehicles go rogue, they can operate against the driver’s will and potentially drive off a cliff or into a crowd. The “Automotive Security Analyzer for Exploitability Risks” (AutoSAlfER) evaluates the exploitability risks of automotive on-board networks by attack graphs. AutoSAlfER’s Multi-Path Attack Graph algorithm is 40 to 200 times smaller in RAM and 200 to 5 000 times faster than a comparable implementation using Bayesian networks, and the Single-Path Attack Graph algorithm constructs the most reasonable attack path per asset with a computational, asymptotic complexity of only O(n * log(n)), instead of O(n²). AutoSAlfER runs on a self-written graph database, heuristics, pruning, and homogenized Gaussian distributions and boosts people’s productivity for a more sustainable and secure automotive on-board network. Ultimately, we enjoy more safety and security in and around autonomous, connected, electrified, and shared vehicles.
Kubernetes security is critical to protect containerized applications and infrastructure from vulnerabilities and threats in complex, distributed environments. Because Kubernetes automates and orchestrates workloads, its large attack surface, multi-tenancy and integration with CI/CD pipelines require strong security measures to prevent attacks and ensure compliance. Effective security practices help to minimize risks such as privilege escalation, data leakage and supply chain attacks in dynamic cloud-native environments.
This training will provide you with comprehensive practical knowledge on securing your Kubernetes environments. You will learn tools and techniques to increase the security of your Kubernetes environments and minimize risks such as privilege escalation, data leakage and supply chain attacks. You will be able to put what you have learned into practice in a lab environment.
Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, since most (classic) malware is written for Windows, this, as a rule, gives you tangible knowledge of developing for Windows.
The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.
The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.
The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
- Malware Development for Android and Linux (bonus)
Most of the examples in this course require a deep understanding of the Python, Kotlin and C/C++ programming languages.
Knowledge of assembly language basics is not required but will be an advantage.
Part of the Windows operating system for over 20 years, DCOM (Distributed Component Object Model) has received a lot of attention from the security research community.
Ranging from lateral movement and privilege escalation to persistence techniques, DCOM is an extremely versatile attack vector. Yet, its inner workings remain unknown to many security experts.
To close this knowledge gap, we will take a deep dive into the latest DCOM research, including this year's many new contributions, through practical use cases and tooling. A comprehensive testing framework will eventually be presented, enabling security researchers to build upon these previous works more effectively.
At last, we will discuss practical defensive strategies, along with key insights to help security analysts effectively detect and respond to DCOM-based abuse.
"Post-quantum", what a scary word... While this field may seem a bit austere at first glance, we will show that it is in fact easier than one may imagine, and that getting a feel for it is within everyone's reach. This talk serves as a soft introduction to the topic aimed at non-cryptographer cybersecurity enthusiasts, emphasizing the many parallels with traditional cryptography.
In this talk, I'll present how I discovered a vulnerability common to various TLS/SSL cryptographic toolkits while considering giving a lightning talk at hack.lu last year ...
In this session, I will explore innovative techniques that transform the way executable binaries are delivered. By leveraging HTML smuggling and image polyglot methodologies, the presentation reveals how payloads can be compressed, XOR-encrypted, and artfully embedded within benign image files. This approach not only bypasses conventional security mechanisms such as IDS/IPS, XDR, and DLP systems but also challenges traditional notions of digital content integrity. The talk offers a deep dive into advanced red team tactics designed to operate beneath the radar of modern cybersecurity defenses.
This talk delves into the evolving security landscape of mobile networks in 2025, using the MITRE Fight framework as a guiding lens for red teamers. It reviews current vulnerabilities from radio interfaces to signaling and packet networks and outlines actionable attack vectors that adversaries exploit. Participants will gain a clear understanding of how to simulate advanced threat scenarios and deploy effective red teaming techniques against modern mobile infrastructures. By mapping these vulnerabilities to the MITRE Fight framework, the presentation provides red teamers with a structured methodology for emulating real-world adversaries. Key techniques, tools, and simulation strategies will be discussed, equipping security professionals with actionable insights for both offensive testing and defensive improvement. This session is tailored for those seeking to advance their mobile network red teaming skills in an increasingly complex threat environment.
For years, cybersecurity reports have centered around well-known stealers like Vidar and Raccoon, yet there’s an often overlooked and underestimated threat: low-profile cybercriminals. These are typically young actors, flying under the radar and posing a unique and evolving risk.
In this talk, we will dive into the French stealer ecosystem, offering insights into the lesser-known groups operating within it. After an overview of the ecosystem—mapping out the groups and their interconnections—we will provide a technical deep-dive into the simplicity and effectiveness of their stealers. We’ll also reveal how we identified similar stealers lurking in open-source repositories.
The final part of the presentation will expose the poor operational security practices of these actors, culminating in a compelling case study of the group 'Epsilon.' Starting from a simple forum complaint, we’ll demonstrate how we uncovered a surprising link between one of the group’s administrators and a potential drug trafficking operation.