Wild West Hackin' Fest - Deadwood 2024
Track 3 - DMG - Hotel Lobby 3rd Floor
Thursday, October 10
 

1:00pm MDT

Gravwell CE for Logs: The Truth Is In There
Thursday October 10, 2024 1:00pm - 1:30pm MDT
Whether you're experimenting in your homelab or building "Management Pacification Dashboards" for work, logs are crucial.

Join Gravwell founder Corey Thuen as he uses Gravwell CE (free, 15 GB/day, for personal or commercial use) to teach basic log correlation, plus a few advanced techniques that show the "art of the possible".
Speakers

Corey Thuen

Gravwell Co Founder & CEO, Gravwell
Corey Thuen co-founded Gravwell to enable log management of every data type an organization might need for success -- analyzing binary packets alongside syslog with a dash of business KPIs enables analytics that improve the entire organization, not just reduce security risk. Prior...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:40pm MDT

Jargon
Thursday October 10, 2024 1:40pm - 2:10pm MDT
Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes and uses each word's position in a dictionary array to resolve the shellcode bytes at runtime. This provides two benefits - your loader doesn't have any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR. We've found Jargon to be highly effective in evading detection.
Speakers

Mike Saunders

Principal Consultant, Red Siege
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

2:20pm MDT

Warhorse
Thursday October 10, 2024 2:20pm - 2:50pm MDT
Warhorse is an attack automation framework. It is an existing tool, but this release is a major rewrite.
Speakers

Ralph May

Ralph is a security analyst and penetration tester at Black Hills Information Security. Ralph is also a co-developer and instructor of the Practical Physical Exploitation course. Before joining BHIS, Ralph spent five years performing offensive operations on a wide range of security...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

RITA
Thursday October 10, 2024 3:00pm - 3:30pm MDT
The open source threat hunting tool RITA has just dropped a new version and it has been completely updated. The backend is 10X faster, it has an ASCII graphical interface based on Charm Bracelet BubbleTea, and the workflow has been optimized so that everything is available through a single screen. In this talk I'll show you how to get RITA up and running and how to use it to find potential command and control channels on your network.
Speakers

Chris Brenton

Antisyphon Training
Chris Brenton, COO of Active Countermeasures, has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:40pm MDT

Adam and Eve
Thursday October 10, 2024 3:40pm - 4:10pm MDT
Adam and Eve is a remote access tool and socket (and HTTP) server used to interact with Active Directory environments across the Internet via a Flask API. It is modular, so custom commands as well as custom scripts can be uploaded and invoked on a client machine in real time.
Speakers

Darryl Baker

Darryl G. Baker, CISSP, CEH is a cybersecurity consultant for Trimarc, LLC and is a "Swiss Army Knife" of technology. After serving in the U.S. Army for 10 years, he shifted his focus primarily to technology and cybersecurity. He has published multiple whitepapers, as well as webcasts...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

4:20pm MDT

PowerPug
Thursday October 10, 2024 4:20pm - 4:50pm MDT
Speakers

Jake Hildreth

Jake Hildreth is a man of many roles - a devoted husband, a fun-loving dad, and a seasoned IT expert. With over twenty years entrenched in the world of technology, he serves as a trusted Senior Security Consultant at Trimarc, leading Trimarc's Active Directory (AD) Security Assessment...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

5:00pm MDT

DarkWidow
Thursday October 10, 2024 5:00pm - 5:30pm MDT
DarkWidow is a dropper/post-exploitation tool targeting Windows machines.

Its capabilities are:
1. Indirect dynamic syscalls
2. SSN and syscall address sorting via a modified TartarusGate approach
3. Remote process injection via APC Early Bird (MITRE ATT&CK TTP: T1055.004)
4. Spawns a sacrificial process as the target process
5. ACG (Arbitrary Code Guard)/BlockDll mitigation policy on the spawned process
6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
7. API resolving from the TIB (directly via offset: TIB -> TEB -> PEB -> resolve Nt API) (MITRE ATT&CK TTP: T1106)
8. Cursed Nt API hashing
9. If blessed with admin privilege: disables the Event Log by killing all threads of the responsible svchost.exe, i.e. killing the whole process

Version 2 is upcoming! It will be released at BlackHat Asia 2024 on 18 April 2024, with the synthetic frame thread stack spoofing version enabled.

In the end, I will showcase a demo video of the tool performing a successful execution of the payload and providing a crystal clear Event Log against a Sophos XDR enabled environment.
Speakers

Soumyanil Biswas

Currently into Security Research. Though I have an electronics background, I have an immense interest in information security. Former Speaker BSides Singapore 2023. Black Hat Asia 2024 Presenter. I'm learning new stuff day in and day out. I'm passionate about offensive security more...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD
 
Friday, October 11
 

1:00pm MDT

Jigsaw
Friday October 11, 2024 1:00pm - 1:30pm MDT
Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring the use of encryption routines. Jigsaw works by generating an array (positions[]) the size of your shellcode and populating it with random numbers, each representing a unique position in the original shellcode array. Jigsaw then creates a new shellcode array, jigsaw[], by iterating through the array of randomized positions. If the first entry of the randomized positions array (positions[0]) is 100, then Jigsaw selects the byte at shellcode[100] and inserts it into jigsaw[0]. Jigsaw repeats this process until all shellcode bytes have been copied into the jigsaw[] array. While this tool is new, our testing indicates very few AV/EDR are aware of this technique. As a result, this technique could be an effective part of your shellcode loader arsenal.
Speakers

Mike Saunders

Principal Consultant, Red Siege
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

1:40pm MDT

KC7
Friday October 11, 2024 1:40pm - 2:10pm MDT
KC7 is a free cybersecurity game that simulates end-to-end intrusions against a fictional company, using data modeled on real-world threat actors. Players ranging from students to professionals use Kusto Query Language (KQL) within the Azure Data Explorer (ADX) to analyze complex datasets, including Web, Email, and Endpoint logs, answering CTF-style questions that guide them through an investigative journey. At the core of this educational approach is the development of an investigative mindset, through immersive and fun interactive scenarios that span the entire Cyber Kill Chain. These scenarios enhance players' skills in analyzing cybersecurity data and contextualizing it within adversary strategies and tactics.

For WWHF the game scenario will revolve around:

Celestial Cowboy Couture, founded in 2015 and based in Deadwood, South Dakota, specializes in unique, high-quality Western and space-themed apparel, including holographic belts and star-patterned outerwear. The brand's popularity surged after high-profile fashion magazines featured famous male model John Strand in their campaigns, attracting celebrities and athletes alike. However, this increased visibility has also made the company a target for cybercriminals, threatening its digital assets like customer databases and design software.

After demoing how the game is made and a walkthrough of the gameplay experience I will open up the game for attendees to play so they can investigate the intrusion themselves. The game is fun, but the skills learned are real. The integration of threat intelligence encourages a deeper understanding of the operational context of cyber threats. By organizing threat actor behaviors and techniques according to the MITRE ATT&CK framework, the platform creates a diverse array of realistic intrusion scenarios. This method facilitates practical learning of ATT&CK techniques, moving beyond abstract descriptions by allowing participants to experience what these techniques look like in data.

Speakers

Jibby Saetang

Jibby Saetang, a watchmaker and jeweler, also serves as a Threat Intelligence Analyst and Content Lead at KC7 Foundation. His cybersecurity journey began with a cheap laptop from Target. With that, he started exploring platforms like TryHackMe, KC7Cyber, and the Antisyphon Training Cyber...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

2:20pm MDT

Wireshark
Friday October 11, 2024 2:20pm - 2:50pm MDT
Wireshark is a great network protocol analyzer and open-source tool used for troubleshooting, analysis, and security testing of networks. It captures and displays data packets traveling across a network in real time. Users can inspect packet details and use this knowledge to diagnose network issues and monitor traffic.
Using Wireshark, you can filter and search based on protocols, addresses, or keywords, allowing a more targeted analysis of the traffic flowing on a network. It supports numerous protocols, including TCP, UDP, HTTP and more.
Wireshark is a very user-friendly application with a good graphical interface that displays packet information in an easy-to-read format, including source and destination addresses, packet timing, and even payload contents. Wireshark is used for many varied reasons and by many professions, including network administrators, security professionals, and developers alike. It helps these (and others) better understand network behavior, troubleshoot connectivity problems, and even detect anomalies and security threats.
The bottom line is that Wireshark is a great and indispensable tool that provides deep insight into network behavior for those looking to manage or secure networks.
Speakers

David Brackin

I am an 80’s child who is late joining the fun in the cybersecurity realm but throughout my life I have worked in various fields, and I have always been involved with computers and tinkering/hacking in one way or another. Whether I was troubleshooting in the U.S. Navy or leading...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

Halberd
Friday October 11, 2024 3:00pm - 3:30pm MDT
Halberd is an open source offensive security tool that delivers simple, fast & effective security testing. Leveraging Halberd, security teams can execute attack techniques in the cloud via an incredibly simple web interface that can be spun up locally in seconds. Most organizations are hybrid & multi-cloud, and setting up and managing tools to test different platforms is hard. Halberd allows users to test across multiple attack surfaces such as Entra ID, M365, Azure and AWS from a single interface. Apart from executing attack techniques, Halberd offers various recon dashboards that allow for advanced information gathering and auditing in a target environment.
It is developed natively in Python and is designed to be incredibly modular, so adding new techniques and even new attack surfaces (GCP is next) is also incredibly easy. Halberd aims to be a powerful attack emulation tool but also a security tool that everyone from a red teamer to a detection engineer can use, so we can all start testing regularly & frequently, and be confident in our defenses.
Speakers

Arpan Abani Sarkar

I am a security engineer with extensive experience in detection engineering, threat research and threat hunting. I have worked on developing threat detections for enterprise D&R platforms, built new enterprise threat hunting services and consulted organizations on threat hunting & insider...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD
 