Wild West Hackin' Fest - Deadwood 2024
Track 3 - DMG - Hotel Lobby 3rd Floor
Thursday, October 10
 

10:00am MDT

Playing the game of tag with modern day AV and EDRs: A guide to evading the watchdogs.
Thursday October 10, 2024 10:00am - 10:50am MDT
The perpetual race to safeguard and secure our infrastructure has given birth to robust defensive mechanisms such as antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR), just to name a few. Over the years the detection methodologies they employ have evolved. From very basic string and hash matching, defensive mechanisms have enhanced their capabilities with machine learning, in-memory scanning and other sophisticated techniques. From the perspective of a maldev, developing malware is considerably easier than evading detection.
In this talk we will discuss various techniques employed by maldevs to circumvent the detection measures implemented by modern day AVs and EDRs. This talk will focus solely on the Windows ecosystem. We will discuss the nitty-gritty of the Windows OS, followed by various detection techniques implemented by AVs and EDRs. After understanding the detection methods, we will shift our focus to various techniques that can be implemented to bypass the aforementioned detection techniques. Some techniques included are Unhooking, BlockDLL, Repatching, API Hashing, ETW and AMSI patching, etc.
To better understand the concepts discussed, we present real-life PoCs. These PoCs will showcase the discussed evasion techniques on a popular red teaming tool (Juicy Potato). Furthermore, these PoCs will showcase the exact detection methods and how we were able to bypass them to gain access.
Speakers

Aryan Jogia

Aryan is a security researcher with over 3+ years of experience. He’s a full time maldev and loves to evade AV and EDRs. His research interests are not just limited to Windows, but he even develops low level code for *nix systems. Even though his expertise lies in the domain of...

Chetanya Kunndra

Chetanya Kunndra is a security researcher with over 2+ years of experience. His major area of expertise lies within the domain of pentesting and red teaming. Apart from red teaming, he has a knack for developing automation toolkits. He often dabbles with maldev and reverse engineering...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

11:00am MDT

Designing Active Directory Job Functional Security - One Group for Least Privilege
Thursday October 10, 2024 11:00am - 11:50am MDT
Speakers

Kent Ickler

Antisyphon Training
Kent started his Information Technology career working for an Internet Service Provider supporting the Midwest’s broadband initiatives of the early 2000s. His interest in technology and business operations drove his career into working for multiple Fortune 500 companies and equipping...
Deadwood Mountain Grand - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:00pm MDT

Gravwell CE for Logs: The Truth Is In There
Thursday October 10, 2024 1:00pm - 1:30pm MDT
Whether you're experimenting in your homelab or building "Management Pacification Dashboards" for work, logs are crucial.

Join Gravwell founder Corey Thuen as he uses the Gravwell CE (free 15gb/day for personal OR commercial use) to teach basic log correlation, plus a bit of advanced techniques to show the "art of the possible".
Speakers

Corey Thuen

Gravwell Co Founder & CEO, Gravwell
Corey Thuen co-founded Gravwell to enable log management of every data type an organization might need for success -- analyzing binary packets alongside syslog with a dash of business KPIs enables analytics that improve the entire organization, not just reduce security risk. Prior...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:40pm MDT

Jargon
Thursday October 10, 2024 1:40pm - 2:10pm MDT
Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes and uses each word's position in a dictionary array to resolve the shellcode bytes at runtime. This provides two benefits - your loader doesn't have any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR. We've found Jargon to be highly effective in evading detection.
Speakers

Mike Saunders

Principal Consultant, Red Siege
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

2:20pm MDT

Warhorse
Thursday October 10, 2024 2:20pm - 2:50pm MDT
Warhorse is an attack automation framework. It is an existing tool that has undergone a major rewrite.
Speakers

Ralph May

Ralph is a security analyst and penetration tester at Black Hills Information Security. Ralph is also a co-developer and instructor of the Practical Physical Exploitation course. Before joining BHIS, Ralph spent five years performing offensive operations on a wide range of security...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

RITA
Thursday October 10, 2024 3:00pm - 3:30pm MDT
The open source threat hunting tool RITA has just dropped a new version and it has been completely updated. The backend is 10X faster, it has an ASCII graphical interface based on Charm Bracelet BubbleTea, and the workflow has been optimized so that everything is available through a single screen. In this talk I'll show you how to get RITA up and running and how to use it to find potential command and control channels on your network.
Speakers

Chris Brenton

Antisyphon Training
Chris Brenton, COO of Active Countermeasures, has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:40pm MDT

Adam and Eve
Thursday October 10, 2024 3:40pm - 4:10pm MDT
Adam and Eve is a Remote Access Tool, socket (and HTTP) server used to interact with Active Directory Environments across the Internet via a Flask API. It is modular so custom commands, as well as custom scripts can be uploaded and invoked on a client machine in real time.
Speakers

Darryl Baker

Darryl G. Baker, CISSP, CEH is a cybersecurity consultant for Trimarc, LLC and is a "Swiss Army Knife" of technology. After serving in the U.S. Army for 10 years, he shifted his focus primarily to technology and cybersecurity. He has published multiple whitepapers, as well as webcasts...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

4:00pm MDT

Critical Infrastructure in Critical Condition: Avoiding Doubt in the Face of Fear and Uncertainty
Thursday October 10, 2024 4:00pm - 4:50pm MDT
As a “person of a certain age, with certain experiences”, I can attest that life is fraught with uncertainty. Society is increasingly dependent on undependable technology. (This is, after all, why we all have jobs.) Whether from extreme weather, hostile events, squirrels with poor judgment, or from the random chaos of normal life, disruptions seem increasingly frequent. Incidents are also likely to be more complex, with more chaotic effects. Without electricity for power, communications can be disrupted. Without water, medical care becomes virtually impossible very quickly. The potential effects have gone beyond inconvenient to existential.

Adding fear to uncertainty, China has announced its intention to annex Taiwan by 2027. US cybersecurity leadership has testified that a Chinese hacking group known as Volt Typhoon has been conducting campaigns to pre-position malware in US water infrastructure. The goal of these campaigns is to create a credible threat (disruption of the water supply, with predictable consequences) to the US in support of its annexation of Taiwan.

As civic-minded members of the cybersecurity community, how can we respond to these threats in ways that will avoid encouraging doubt and will inspire confidence in the communities and neighborhoods in which we live? I hope that you will leave this talk better informed, and inspired to do at least one thing in your neighborhood and community that will influence others to do the same.
Speakers

Ray Davidson

Ray Davidson recently retired from leading the Michigan Cyber Civilian Corps, which was the first state-sponsored team of civilian incident responders in the country. He is currently working to expand the practice of cyber civil defense across the country, with particular attention...
Deadwood Mountain Grand - Track 2 1906 Deadwood Mountain Dr, Deadwood, SD

4:20pm MDT

PowerPug
Thursday October 10, 2024 4:20pm - 4:50pm MDT
Speakers

Jake Hildreth

Jake Hildreth is a man of many roles - a devoted husband, a fun-loving dad, and a seasoned IT expert. With over twenty years entrenched in the world of technology, he serves as a trusted Senior Security Consultant at Trimarc, leading Trimarc's Active Directory (AD) Security Assessment...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

5:00pm MDT

DarkWidow
Thursday October 10, 2024 5:00pm - 5:30pm MDT
This is a Dropper/Post-Exploitation Tool targeting Windows machines.

The capabilities it possesses are:
1. Indirect Dynamic Syscall
2. SSN + Syscall address sorting via a modified TartarusGate approach
3. Remote Process Injection via APC Early Bird (MITRE ATT&CK TTP: T1055.004)
4. Spawns a sacrificial process as the target process
5. ACG (Arbitrary Code Guard)/BlockDll mitigation policy on the spawned process
6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
7. API resolving from TIB (directly via offset (from TIB) -> TEB -> PEB -> resolve Nt API) (MITRE ATT&CK TTP: T1106)
8. Cursed Nt API hashing
9. If blessed with Admin privilege:
Disables Event Log by killing all threads of svchost.exe, i.e. killing the whole process (the responsible svchost.exe)

Version 2 is upcoming!
It will be released at Black Hat Asia 2024 on April 18, 2024, with Synthetic Frame Thread Stack Spoofing enabled.

And in the end, I will showcase my tool demo video, which performs a successful execution of the payload and provides a crystal clear Event Log against a Sophos XDR enabled environment.



Speakers

Soumyanil Biswas

Currently into Security Research. Though I have an electronics background, I have an immense interest in information security. Former Speaker BSides Singapore 2023. Black Hat Asia 2024 Presenter. I'm learning new stuff day in and day out. I'm passionate about offensive security more...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD
 
Friday, October 11
 

9:00am MDT

Demystifying Deep Fakes
Friday October 11, 2024 9:00am - 9:50am MDT
One area of increasing concern is the use of AI to create deep fakes in order to manipulate the public’s opinion on topics. In this talk, we will learn how AI is used to create deep fakes. We will also discuss current strategies that attendees can use to spot deep fakes and describe existing research and tools used for deep fake detection. After the talk, attendees will have a better understanding of deep fake technology and be armed with some techniques they can use to protect themselves.
Speakers

Anmol Agarwal

Dr. Anmol Agarwal is a senior security researcher focused on securing 5G and 6G. Her research interests include AI and Machine Learning security. She is also a part-time adjunct professor teaching Machine Learning to doctoral students. She holds a doctoral degree in cybersecurity...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

10:00am MDT

Making the Jump: Everything You Need to Know About Moving into a Cybersecurity Leadership Role
Friday October 11, 2024 10:00am - 10:50am MDT
Does this describe you?

You have years of technical work experience under your belt. You’ve held many different roles and have worked successfully with other teams and departments. You’re great at what you do.

But you also have a spark in you – the one that lights up when you're mentoring new team members or brainstorming solutions with your peers. You have no problem dealing with difficult people and situations. You love a good challenge that requires multiple teams to solve, and people genuinely like working with you.

And you’ve been thinking lately: Should I make the move over to leadership?

Leadership means more responsibility, potentially less hands-on technical work, and maybe even some office politics. But it also means having a bigger voice, the chance to build a team and mentor others, and more opportunities for your career. Staying in your current role means mastering your craft, having more autonomy, and avoiding some of the headaches of management, but it might also mean hitting a ceiling in terms of influence or earning potential.
So, which path is right for YOU? It all boils down to what gets you fired up, what kind of impact you want to make, and where you'll be happiest.
In this talk, you’ll hear all about the good, the bad, and the ugly about being in cybersecurity leadership. You’ll learn about what it takes to succeed as a leader on technical teams. You’ll also learn about some tried-and-true ways of breaking into management roles. Whether you're itching for a change or just curious about your options, this talk will give you the information you need so you can choose your own path.


Speakers

Naomi Buckwalter

Naomi Buckwalter, CISSP CISM, is the Senior Director of Product Security for Contrast Security and author of the LinkedIn course: “Training today for tomorrow's solutions - Building the Next Generation of Cybersecurity Professionals”. She is the founder and Executive Director...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

11:00am MDT

Not Doomed…Yet
Friday October 11, 2024 11:00am - 11:50am MDT
Let’s talk about the elephant in the room—or rather, the AI in the network. It's causing more drama than the 2017 Tay bot on Twitter. Sorry, not sorry, I meant “X”. From GenAI hoodwinking finance firms out of $25 million, to the shocking revelation that 77% of companies found their AI sitting in the corner with a dunce cap, marked "breached" in the past year. This conversation isn’t about whether ChatGPT is a security issue; it’s about the fact that the holes in securing AI are big enough to drive a bus through. Sideways. This talk is more than just a chance to poke fun at our collective cybersecurity misfortunes; it’s a call to action. Because if we can’t laugh at our impending digital doom, what can we do? (Hint: Fix it. We can actually fix it.)
Speakers

Chloé Messdaghi

CEO & Founder, SustainCyber
Chloé Messdaghi is a cybersecurity leader dedicated to building strong relationships that drive the development of security standards and policies. She spearheads initiatives to strengthen AI security measures and fosters collaborative efforts to enhance industry-wide practices...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:00pm MDT

Jigsaw
Friday October 11, 2024 1:00pm - 1:30pm MDT
Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring the use of encryption routines. Jigsaw works by generating an array (positions[]) the size of your shellcode and populating the array with random numbers, each representing a unique position in the original shellcode array. Jigsaw then creates a new shellcode array, jigsaw[], by iterating through the array of randomized positions. If the first entry of the randomized positions array (positions[0]) is 100, then Jigsaw selects the byte at shellcode[100] and inserts it into jigsaw[0]. Jigsaw repeats this process until all shellcode bytes have been populated into the jigsaw[] array. While this tool is new, our testing indicates very few AV/EDR products are aware of this technique. As a result, this technique could be an effective part of your shellcode loader arsenal.
Speakers

Mike Saunders

Principal Consultant, Red Siege
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:40pm MDT

KC7
Friday October 11, 2024 1:40pm - 2:10pm MDT
KC7 is a free cybersecurity game that simulates end-to-end intrusions against a fictional company, using data modeled on real-world threat actors. Players ranging from students to professionals use Kusto Query Language (KQL) within the Azure Data Explorer (ADX) to analyze complex datasets, including Web, Email, and Endpoint logs, answering CTF-style questions that guide them through an investigative journey. At the core of this educational approach is the development of an investigative mindset, through immersive and fun interactive scenarios that span the entire Cyber Kill Chain. These scenarios enhance players' skills in analyzing cybersecurity data and contextualizing it within adversary strategies and tactics.

For WWHF the game scenario will revolve around:

Celestial Cowboy Couture, founded in 2015 and based in Deadwood, South Dakota, specializes in unique, high-quality Western and space-themed apparel, including holographic belts and star-patterned outerwear. The brand's popularity surged after high-profile fashion magazines featured famous male model John Strand in their campaigns, attracting celebrities and athletes alike. However, this increased visibility has also made the company a target for cybercriminals, threatening its digital assets like customer databases and design software.

After demoing how the game is made and a walkthrough of the gameplay experience I will open up the game for attendees to play so they can investigate the intrusion themselves. The game is fun, but the skills learned are real. The integration of threat intelligence encourages a deeper understanding of the operational context of cyber threats. By organizing threat actor behaviors and techniques according to the MITRE ATT&CK framework, the platform creates a diverse array of realistic intrusion scenarios. This method facilitates practical learning of ATT&CK techniques, moving beyond abstract descriptions by allowing participants to experience what these techniques look like in data.



Speakers

Jibby Saetang

Jibby Saetang, a watchmaker and jeweler, also serves as a Threat Intelligence Analyst and Content Lead at KC7 Foundation. His cybersecurity journey began with a cheap laptop from Target. With that, he started exploring platforms like TryHackMe, KC7Cyber, and the Antisyphon Training Cyber...
Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

2:20pm MDT

Wireshark
Friday October 11, 2024 2:20pm - 2:50pm MDT
Wireshark is a great network protocol analyzer and open-source tool used for troubleshooting, analysis, and security testing of networks. It captures and displays data packets traveling across a network in real time. Users can inspect packet details and use this knowledge to help diagnose network issues and monitor traffic.
Using Wireshark, you can filter and search based on protocols, addresses, or keywords for a more targeted analysis of the traffic flowing on a network. It supports numerous protocols, including TCP, UDP, HTTP and more.
Wireshark is a very user-friendly application with a good graphical interface that displays packet information in an easy-to-read format, including source and destination addresses, packet timing, and even payload contents. Wireshark is used for many varied reasons and by many professions, including network administrators, security professionals, and developers alike. It helps these (and others) to better understand network behavior, troubleshoot connectivity problems, and even detect anomalies and security threats.
Bottom line: Wireshark is a great and indispensable tool that provides deep insight into network behavior for those looking to manage or secure networks.
Speakers

David Brackin

I am an 80’s child who is late joining the fun in the cybersecurity realm but throughout my life I have worked in various fields, and I have always been involved with computers and tinkering/hacking in one way or another. Whether I was troubleshooting in the U.S. Navy or leading...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

Halberd
Friday October 11, 2024 3:00pm - 3:30pm MDT
Halberd is an open source offensive security tool that delivers simple, fast & effective security testing. Leveraging Halberd, security teams can execute attack techniques in the cloud via an incredibly simple web interface that can be spun up locally in seconds. Most organizations are hybrid & multi-cloud, and setting up / managing tools to test different platforms is hard. Halberd allows users to test across multiple attack surfaces such as Entra ID, M365, Azure and AWS from a single interface. Apart from executing attack techniques, Halberd offers various recon dashboards that allow for advanced information gathering and auditing in a target environment.
It's developed natively in Python and is designed to be incredibly modular, so adding new techniques and even new attack surfaces (GCP is next) is incredibly easy. Halberd aims to be a powerful attack emulation tool but also a security tool that everyone from a red teamer to a detection engineer can use, so we can all start testing regularly & frequently, and be confident in our defenses.
Speakers

Arpan Abani Sarkar

I am a security engineer with extensive experience in detection engineering, threat research and threat hunting. I have worked on developing threat detections for enterprise D&R platforms, built new enterprise threat hunting services and consulted organizations on threat hunting & insider...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD
 