With antivirus (AV) and Enterprise Detection and Response (EDR) tooling becoming more mature by the minute, the red team is being forced to stay ahead of the curve. Gone are the times of execute-assembly and dropping unmodified payloads on disk - if you want your engagements to last longer than a week you will have to step up your payload creation and malware development game. Starting out in this field can be daunting however, and finding the right resources is not always easy.
This workshop is aimed at beginners in the space and will guide you through your first steps as a malware developer. It is aimed primarily at offensive practitioners, but defensive practitioners are also very welcome to attend and broaden their skillset.
During the workshop we will go over some theory, after which we will set you up with a lab environment. There will be various exercises that you can complete depending on your current skillset and level of comfort with the subject. However, the aim of the workshop is to learn, and explicitly not to complete all the exercises. You are free to choose your preferred programming language for malware development, but support during the workshop is provided primarily for the C# and Nim programming languages.
During the workshop, we will discuss the key topics required to get started with building your own malware. This includes (but is not limited to):
Cas van Cooten is an offensive security enthusiast and Red Team Operator at ABN AMRO Bank in The Netherlands. He started out as a "fluffy" information security strategy consultant, but exchanged his suit for a hoodie when he realized he was more of a hacker than a strategist. He likes evading defenses by developing offensive security tooling and malware, specifically in the Nim programming language. He developed tools such as 'Nimplant', 'NimPackt', and 'BugBountyScanner', is a HackTheBox machine author, and likes shitposting on his Twitter timeline.
Guillaume Lopes (@Guillaume_Lopes) will share many techniques, tips and tricks in a 100% hands-on Android workshop aimed at pentesters, bug bounty researchers, app makers or the simply curious. The goals are:
Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, web applications, Wi-Fi, Android). He currently works as CTO and Senior Penetration Tester at RandoriSec. He also likes to play CTFs (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.
Davy Douhine (@ddouhine) will share many techniques, tips and tricks in a 100% hands-on iOS workshop aimed at pentesters, bug bounty researchers, app makers or the simply curious. The goals are:
A Corellium virtual device with the tools needed for the labs pre-installed will be provided to the attendees. There are no prerequisites for attendees other than a web browser.
Founder of RandoriSec (https://randorisec.fr/), a security-focused IT firm, Davy has worked in the IT security field for almost fifteen years. He has mainly worked for financial, banking and defense key accounts, doing pentests and trainings to help them improve their security. He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practices Brazilian jiu-jitsu.
DPAPI is a well-known encryption routine used to store credentials such as those from Edge, Chrome, Wi-Fi profiles, RDP profiles, Credential Manager, EFS, OpenVPN, etc. DPAPI-NG is a newer iteration of the DPAPI interface for protecting data on Windows and is used to store Windows Hello credentials, such as the Windows Picture Login or the Windows PIN code.
By reverse engineering these technologies, it was discovered that our precious Windows user passwords are recoverable in clear text from the hard drive, even if the system is shut down (e.g. from a backup).
The newly developed open source toolkit (DPAPILAB-NG) is able to demonstrate this thoroughly.
This workshop will allow you to get hands-on experience with the Python tools described above. Participants will need to have their own laptop to participate in this workshop.
Requirements: Attendees should bring a laptop with 2 GB of free disk space and Python 3 installed.
Tijl Deneut has over 5 years of experience in the IT security sector and is, amongst others, a Certified Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches security classes at both the Howest University College and Ghent University, where he also leads several security research projects. He has had the privilege to present at a number of security and other conferences, including Info Security (Brussels), BruCON (Ghent) and the Chaos Communication Congress (Leipzig). He was also the trainer for classes directed towards, amongst others, the Belgian Computer Crime Unit.