BruCON 0x0D has ended


Thursday, October 7
 

08:30 CEST

Registration
Thursday October 7, 2021 08:30 - 10:00 CEST
00. Lounge University

09:45 CEST

BruCON Opening
Thursday October 7, 2021 09:45 - 10:00 CEST
01. Westvleteren University

10:00 CEST

Hacktivism during a global pandemic
Hacktivism during a global pandemic.

Like a lot of things, “Hacktivism” has grown up over the last 30 years. When we started, we were a bunch of annoying rebellious kids attacking websites. Today we are everywhere, and do everything, from helping write national policy to defending hospitals from cybercriminals during a global pandemic to protecting NGOs in war zones. That’s quite a leap. How on earth did we get here?

Why is this important? What can a bunch of idealistic nerds do in the face of a global dumpster fire?

Let me tell you some stories. Hopefully afterwards some of you will come and join us on the dark side. We have cookies.

Speakers

Marc Rogers

Marc Rogers is VP of Cybersecurity at Okta and a whitehat hacker & hacktivist. He has been hacking since the 80’s and is renowned for hacking things like Apple's TouchID and the Tesla Model S. Prior to Okta, Mr. Rogers served as the Head of Security for Cloudflare and spent a decade... Read More →


Thursday October 7, 2021 10:00 - 11:00 CEST
01. Westvleteren University

10:30 CEST

Clear text credentials on modern systems
Limited Capacity full

DPAPI-NG is a new iteration of the DPAPI interface for protecting data on Windows operating systems.
DPAPI is a well-known encryption routine used to protect stored credentials such as those of Internet Explorer, Edge, Chrome, Wi-Fi profiles, RDP profiles, Credential Manager, etc.
DPAPI-NG is built on top of it and is used to store Windows Hello credentials, such as the Windows picture login or the Windows PIN code.

By reverse engineering these technologies, it was discovered that our precious Windows user passwords are recoverable in clear text from the hard drive, even when the system is shut down (e.g. from a backup).

The newly developed open source toolkit (DPAPILAB-NG) demonstrates this thoroughly.

This 2 hour workshop will allow you to get hands-on experience with the Python tools described above.
Participants will need to have their own laptop to participate in this workshop.

Speakers

Tijl Deneut

Tijl Deneut has over 8 years of experience in the IT security sector and is an Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches at Howest University College and Ghent University, where he also leads several research projects. He has had the... Read More →


Thursday October 7, 2021 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

Something Blue ... For The Blue Team
Limited Capacity full

In this 2 hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.

There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon, so I'm sure this is a pen test".
That is no longer the case: Cobalt Strike has become very popular with common criminals and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under a simulated one.

Didier has developed tools to extract the configuration of Cobalt Strike beacons, to detect Cobalt Strike beacons and to analyze/decrypt Cobalt Strike network traffic. And there are more tools to come.

These tools allow you to deal with Cobalt Strike beacons, without having to reverse engineer malicious code.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.

Speakers

Didier Stevens

Didier Stevens (Microsoft MVP, SANS ISC Handler, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You can find his open source security tools on his IT secur... Read More →


Thursday October 7, 2021 10:30 - 12:30 CEST
04. Orval Novotel

11:00 CEST

Automating Binary Analysis with Ghidra's P-Code
“Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate“ (https://github.com/NationalSecurityAgency/ghidra). It provides a great free and capable alternative to IDA Pro and Binary Ninja for manual static binary analysis. A lesser-known fact is that Ghidra also provides a great API and an even better SDK for writing Ghidra scripts. The API can be used to quickly script tasks in your reversing work; the SDK, however, gives access to everything under the hood, so you can write scripts that do anything that is possible with Ghidra. With that you are no longer limited to simple scripts: you can write fully automated binary analysis tools that use Ghidra in headless mode.

Another lesser-known feature of Ghidra is its intermediate language, P-Code. P-Code lies between the assembly code and the decompiled code that the Ghidra UI shows. It is a register transfer language: every individual processor instruction is translated into a sequence of P-Code operations that describes that instruction, including all of its side effects, such as setting a flag.

In this talk, we are going to focus on the combination of these two features and start building binary analysis tools using Ghidra P-Code. This setup has some significant benefits. Just to mention one: if you only work with P-Code and never look at the assembly, your script is architecture-independent and supports every architecture the Ghidra decompiler supports. Another significant benefit is that Ghidra is free and open source. That allows you to deploy your tool more freely without worrying about licensing issues and gives you the possibility to dig deep into Ghidra’s source code to understand how different classes work.

We will first familiarize ourselves with P-Code: understand how it works and what it looks like when accessed through the SDK. Then we start building simple scripts to see P-Code used in automation, and with these we work our way up to a more complex scenario.

Independently of what your favorite disassembler is, Ghidra is worth a look because it holds some interesting features that can help you in your next binary analysis project.
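The abstract says every instruction becomes a sequence of P-Code operations carrying all side effects, and that a script working only on P-Code is architecture-independent. The following is an added example, not code from the talk or from Ghidra itself: a small evaluator for six documented P-Code opcodes (COPY, INT_ADD, INT_CARRY, INT_SCARRY, INT_SLESS, INT_EQUAL), fed with the operation sequence that Ghidra's x86 SLEIGH specification produces for a 32-bit `ADD` (simplified: the real specification also sets PF and AF). Inside Ghidra you would obtain such sequences from `Instruction.getPcode()`; here they are built by hand so the block runs stand-alone. The register names and the `written`/`read_before_write` helpers are this example's own.

```python
from collections import namedtuple

# A varnode is (address space, register name or constant value, size in bytes);
# a P-Code op is (opcode, input varnodes, output varnode). This mirrors the shape
# of Ghidra's Varnode and PcodeOp objects closely enough to reason about data flow.
Varnode = namedtuple("Varnode", "space name size")
PcodeOp = namedtuple("PcodeOp", "opcode inputs output")


def reg(name, size=4):
    return Varnode("register", name, size)


def const(value, size=4):
    return Varnode("const", value, size)


def mask(size):
    return (1 << (8 * size)) - 1


def signed(value, size):
    """Reinterpret an unsigned varnode value as two's complement."""
    return value - (1 << (8 * size)) if value & (1 << (8 * size - 1)) else value


def read(state, vn):
    if vn.space == "const":
        return vn.name & mask(vn.size)
    return state.get(vn.name, 0) & mask(vn.size)


def execute(ops, state):
    """Evaluate a P-Code sequence against a register state (dict), in place.
    Nothing here knows which processor the ops came from."""
    for op in ops:
        ins = [read(state, v) for v in op.inputs]
        sz = op.inputs[0].size
        if op.opcode == "COPY":
            res = ins[0]
        elif op.opcode == "INT_ADD":
            res = ins[0] + ins[1]
        elif op.opcode == "INT_CARRY":      # unsigned overflow of the addition
            res = int(ins[0] + ins[1] > mask(sz))
        elif op.opcode == "INT_SCARRY":     # signed overflow of the addition
            total = signed(ins[0], sz) + signed(ins[1], sz)
            res = int(not (-(1 << (8 * sz - 1)) <= total < (1 << (8 * sz - 1))))
        elif op.opcode == "INT_SLESS":
            res = int(signed(ins[0], sz) < signed(ins[1], sz))
        elif op.opcode == "INT_EQUAL":
            res = int(ins[0] == ins[1])
        else:
            raise NotImplementedError(op.opcode)
        state[op.output.name] = res & mask(op.output.size)
    return state


def x86_add(dst, src):
    """P-Code for `ADD dst, src` (32-bit): operand-dependent flags first, then the
    add, then result-dependent flags. Ordering matters, CF/OF must see the
    original operands while SF/ZF must see the sum."""
    return [
        PcodeOp("INT_CARRY", [reg(dst), reg(src)], reg("CF", 1)),
        PcodeOp("INT_SCARRY", [reg(dst), reg(src)], reg("OF", 1)),
        PcodeOp("INT_ADD", [reg(dst), reg(src)], reg(dst)),
        PcodeOp("INT_SLESS", [reg(dst), const(0)], reg("SF", 1)),
        PcodeOp("INT_EQUAL", [reg(dst), const(0)], reg("ZF", 1)),
    ]


def written(ops):
    """Every location the sequence defines: the side effects hidden behind one mnemonic."""
    return {op.output.name for op in ops}


def read_before_write(ops):
    """Registers the sequence consumes before defining them (its live-in set)."""
    seen, live_in = set(), set()
    for op in ops:
        for vn in op.inputs:
            if vn.space == "register" and vn.name not in seen:
                live_in.add(vn.name)
        seen.add(op.output.name)
    return live_in


if __name__ == "__main__":
    ops = x86_add("EAX", "EBX")
    print("clobbers:", sorted(written(ops)), "reads:", sorted(read_before_write(ops)))
    print(execute(ops, {"EAX": 0x7FFFFFFF, "EBX": 1}))   # signed overflow: OF=1, SF=1
```

The same `execute`, `written` and `read_before_write` functions would work unchanged on the P-Code of an ARM or MIPS add, which is the architecture-independence the abstract refers to; only the `x86_add` table is processor-specific, and in Ghidra that table is what the SLEIGH specification generates for you.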

Speakers

Gergely Revay

Geri hacks stuff for fun and profit, at Siemens AG in Germany. He spent almost a decade doing penetration tests and security assessments. In recent years his focus was on security research around reverse engineering and binary analysis. He created hacking trainings at https://h... Read More →


Thursday October 7, 2021 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

Lunch
Thursday October 7, 2021 12:00 - 13:30 CEST
00. Lounge University

13:30 CEST

eCos Offensive Security Research Logbook
Since the inception of the eCos RTOS in 1998, almost no dedicated research into its inner workings from an offensive security perspective has been published. The only notable exception is the Cable Haunt research by Lyrebird, which started to cover binary exploitation but only scratched the surface. From cable modems to ICS components, millions of devices currently run eCos, yet it seems that no one has ever looked into them.

To fill this void, we launched ecos.wtf in March 2021. The project aims to document everything related to eCos platform security research in a single place. We published posts detailing Broadcom's eCos internals (interrupts and exception handling, memory layout, heap management), eCos firmware analysis, exploitation of memory corruption vulnerabilities, and building eCos firmware implants. These posts were the product of dedicated security research into eCos-based cable modems deployed by Belgian ISPs such as VOO and Orange Belgium.

During this presentation, we will demonstrate how to pull eCos firmware images, analyze them, write exploits, and gain long-term persistence on devices. By doing so, we hope to provide the methodology, tools, and techniques that security professionals need to get involved in the wonderful world of eCos security.

Speakers

Quentin Kaiser

Quentin Kaiser is an ex-penetration tester who turned binary analysis nerd. He's currently working as a security researcher at the IoT Inspector Research Lab, where he focuses on binary exploitation of embedded devices and bug finding automation within large firmware.He's the initiator... Read More →


Thursday October 7, 2021 13:30 - 14:30 CEST
01. Westvleteren University

14:00 CEST

Advanced Memory-Based Malware Analysis: Mastering analysis of the one place malware cannot hide!
Limited Capacity filling up

Malware continues to advance in sophistication and prevalence.  Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications.  But one place malware cannot easily hide itself is within volatile computer memory (RAM).  

Although an essential part of malware analysis, incident response, digital forensics, software reverse engineering, and exploit development, memory forensics is not trivial to master. In addition, many problems and inefficiencies exist within our current approach of conducting memory analysis: it takes too much time, is very labor intensive, and artifact extraction comes with an overload of raw data that is not practical on real-world compromised computer systems. These inefficiencies ultimately result in greater resource expenditure to conduct the analysis which provides less accurate results. I have solved this problem by engineering a new construct for memory analysis along with a new tool release to provide advanced memory analysis, correlation, and user-interaction to enhance analysis, increase accuracy, and better detect obfuscated malware.

This is a very hands-on workshop that provides an in-depth approach to malware analysis via computer memory analysis. A brand new tool and a new memory analysis construct are released to demonstrate advanced (yet easier to understand) capabilities for conducting memory analysis.

Advanced memory analysis is not easy, but it is not impossible either. This technical workshop gets the participant very comfortable with Windows internals and with advanced techniques for feature extraction and malware analysis from computer memory. We will walk through multiple analyses of real-world malware exploitation samples. Advanced malware is capable of obfuscating itself from the user and the operating system. This workshop reveals how to discover and extract advanced malware and rootkits directly from memory, using a brand new (completely open-source) tool that saves hours and hours of analysis, enhances your capabilities, and encapsulates analysis results in a very interactive user interface and report. This workshop is best suited for Software Reverse Engineers, Malware Analysts, Exploitation Developers, Digital Forensics Examiners, and Cyber Incident Responders.

Speakers

Solomon Sonya

Solomon Sonya (@Carpenter1010) is an Assistant Professor of Computer Science at the United States Air Force Academy. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms... Read More →


Thursday October 7, 2021 14:00 - 18:00 CEST
05. La Trappe Novotel

14:00 CEST

Practical Mobile App Attacks By Example
Limited Capacity filling up

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff :)

Attendees will be given access to a training portal to practice some attack vectors, including multiple mobile app attack surface attacks, deep links and mobile app data exfiltration via XSS. This includes lifetime access to a training VM, vulnerable apps to practice on, guided exercise PDFs and video recordings explaining how to solve the exercises.

This workshop is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: an entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human rights abuses, where a security flaw could get somebody killed in the real world, and more.

The workshop offers a thorough review of interesting security anti-patterns and how they could be abused. This is very valuable information for those intending to defend mobile apps or find vulnerabilities in them.

This workshop is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)

Get FREE access to the slides, recording and vulnerable apps to practice with:
https://7asecurity.com/free-workshop-mobile-practical

Speakers

Abraham Aranguren

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even... Read More →


Thursday October 7, 2021 14:00 - 18:00 CEST
03. Chimay Novotel

14:30 CEST

PIC Your Malware!
For red teamers and real threat actors, operational security is a key skill to achieve the goals of an operation. While evading security products and fooling analysts was a trivial task for years, it has become more difficult to stay under the radar of the blue team. Exhaustive logging, automated triaging of suspicious processes and scanning for malicious memory artefacts are powerful techniques that allow defenders to easily spot attackers. Therefore, adapting, customizing and implementing new offensive tools is an important task for attackers who want to stay ahead of the defenders.

This talk outlines our approaches to building customized tools and hiding them from analysts and security products on the endpoint. It will be explained how popular PE loading techniques, such as Reflective DLLs or Donut/sRDI, can be spotted by the artefacts they leave in memory, and how position independent code (PIC) can be leveraged to avoid these artefacts. Nevertheless, utilizing these techniques still allows payloads to be built and deployed rapidly. It will be demonstrated how we build and protect our payloads with an automated build server supporting multiple file formats and environmental crypting.

Information will be shared on how defenders use exhaustive logging and correlation of Windows events to identify malicious processes, and how we use concepts such as handle duplication and custom PE loaders to avoid certain Sysmon events.

Speakers

Ben Heimerdinger

We are members of the Code White Red Team and have over five / seven years of experience in offensive security. At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay... Read More →

Sebastian Feldmann

We are members of the Code White Red Team and have over five / seven years of experience in offensive security. At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay... Read More →


Thursday October 7, 2021 14:30 - 15:30 CEST
01. Westvleteren University

15:30 CEST

Coffee Break
Thursday October 7, 2021 15:30 - 16:00 CEST
00. Lounge University

16:00 CEST

Visibility beyond perimeters: Detecting C2 at time of execution.
Quickly detecting malicious intruders in the network is a million-billion-dollar business. Unfortunately, after decades of this problem, detecting bad actors still relies on updated versions of technologically old techniques: anti-virus, log files and packet captures.

Network EDR is only effective inside the perimeter of the organization and suffers from scaling problems due to the massive amounts of network traffic generated by modern applications. Endpoint detection is limited by event verbosity, OS version and platform age. Anti-virus loses to obfuscation frameworks every day.

All of these techniques rely on software running on the endpoints, which advanced actors frequently disable to hide their activities from the administrators. Even worse, these endpoint clients are also reliant on signatures and heuristics designed by the vendor, meaning detection frequently lags behind the speed by which actors can change their tactics or obfuscate their tools.

These limitations are compounded across different OS vendors, versions and server/client platforms. And none of them can detect a supply-chain attack, or an attack against a partner whose security isn’t as robust.

In this talk I’ll describe a groundbreaking new method of leveraging network IOCs beyond how they are leveraged by existing XDR platforms. This breakthrough method provides near-real-time alerting and zero endpoint client software, with identical fidelity across all OS versions and vendors. By sitting outside the organization's perimeter, focused on what the attacker sees, and leveraging relationships with internet infrastructure providers, this technique can detect the moment a beacon is sent, malware families and spread rate. This data can observe activity from both your network and your partners, since it isn’t dependent on client software. I’ll demonstrate how this technology can augment existing EDR solutions, addressing an industry-wide gap and giving organizations extra days (or weeks) to prevent a Data Apocalypse.

I'll draw from real-world examples of how this technology was leveraged in CTI League in 2020 to provide hospitals with an 'early alert system', giving them more time to evict bad actors before a ransomware payload was deployed.
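The talk's premise is that a beacon check-in is observable at the moment it is sent without any agent on the endpoint. The speaker's method sits outside the perimeter and relies on infrastructure providers; the following is an added example of the simpler, in-perimeter form of the same idea and is not the talk's technique: given only connection records (source, destination, timestamp), flag destination pairs whose check-ins recur at a near-constant interval, which is how a sleeping implant with a small jitter looks in flow data regardless of the operating system that produced it. The log lines are constructed for the example and the thresholds are this example's choice.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (src, dst, epoch seconds). 10.0.0.5 checks in roughly
# once a minute (a 60 s sleep with a few seconds of jitter), 10.0.0.7 browses in
# irregular bursts, 10.0.0.9 connects only twice.
SAMPLE_LOG = [
    ("10.0.0.5", "203.0.113.10", 1633600000 + t)
    for t in (0, 58, 121, 178, 240, 302, 359, 420, 481, 539)
] + [
    ("10.0.0.7", "198.51.100.20", 1633600000 + t)
    for t in (0, 5, 9, 70, 71, 300, 301, 302, 900)
] + [
    ("10.0.0.9", "198.51.100.20", 1633600000 + t) for t in (10, 4000)
]


def intervals(times):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_candidates(log, min_connections=6, max_cv=0.2):
    """Return (src, dst) pairs whose inter-connection gaps are regular enough to
    look like a sleep/jitter loop. Regularity is measured as the coefficient of
    variation (stddev / mean) of the gaps: a fixed sleep with 20% jitter gives a
    CV of roughly 0.06, human browsing gives a CV well above 1."""
    by_pair = defaultdict(list)
    for src, dst, ts in log:
        by_pair[(src, dst)].append(ts)

    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:      # too little data to judge periodicity
            continue
        gaps = intervals(times)
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "period_s": round(mu, 1),
                "cv": round(cv, 3),
            })
    return sorted(found, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print("%(src)s -> %(dst)s: %(count)d connections, period %(period_s)s s, cv %(cv)s" % hit)
```

Two caveats a practitioner would want stated: a beacon with a long sleep needs a correspondingly long observation window before it accumulates `min_connections` samples, and legitimate software (update checkers, monitoring agents) is just as periodic, so the output is a triage list to join against destination reputation, not an alert on its own. That is the gap the talk's out-of-perimeter data is meant to close.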

Speakers

Nate Warfield

Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects... Read More →


Thursday October 7, 2021 16:00 - 17:00 CEST
01. Westvleteren University

17:00 CEST

The risk of CI/CD pipeline poisoning via CodeBuild: On the intricate challenges of setting up a secure CI/CD pipeline
In this session we focus on CI/CD pipelines deployed via AWS managed services, such as CodeBuild, CodeDeploy and CodePipeline. And we demonstrate how small decisions can have a significant impact on the security of the CI/CD pipeline, even to the point where the trustworthiness of the pipeline is broken (a poisoned pipeline).

CodeBuild’s functionality can be abused to let developers bypass existing security controls implemented as part of the SDLC environment, such as peer code review, code approval processes, segregation of duties and secrets management. This can introduce a perhaps unforeseen vector for exfiltrating application secrets, tampering with the application and, potentially, taking full control of the deployment servers by executing commands with elevated privileges.

Due to the shared responsibility model, this is mostly the AWS customer’s challenge. Moreover, customers are exposed to the risk even when following AWS samples, tutorials and even managed services that simplify and automate the setup of CI/CD pipelines in the cloud, such as CodeStar.

In this session we want to explain and warn DevSecOps and Cloud communities about this pipeline poisoning risk in particular, so that it can be taken into account for securing CI/CD pipelines in the cloud. And, in general, showcase the new challenges and considerations that cloud solutions bring to those adopting the cloud.
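The abstract names three things a poisoned pipeline gets from CodeBuild: application secrets, the ability to run arbitrary commands under the project's service role, and a path around peer review. The following is an added example, not material from the talk or from AWS: a small audit that reads CodeBuild project definitions in the shape returned by the `BatchGetProjects` API and raises the three corresponding configuration smells (a secret-looking `PLAINTEXT` environment variable, a buildspec taken from the developer-writable repository rather than pinned inline or in S3, and `privilegedMode`). The heuristics and the two sample project dicts are this example's own; `fetch_projects` uses the real `list_projects`/`batch_get_projects` calls but is only needed against a live account.

```python
SECRET_HINTS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "KEY", "CREDENTIAL")


def audit_project(project):
    """Inspect one entry of the 'projects' list returned by BatchGetProjects.
    Returns (severity, message) pairs; an empty list means no heuristic fired."""
    findings = []
    name = project.get("name", "<unnamed>")
    env = project.get("environment", {})
    source = project.get("source", {})

    # 1. A secret passed as a PLAINTEXT variable is readable by any build command
    #    that runs in the project (printenv is enough), so anyone who can change
    #    the build definition can exfiltrate it.
    for var in env.get("environmentVariables", []):
        vname = var.get("name", "")
        if var.get("type", "PLAINTEXT") == "PLAINTEXT" and any(h in vname.upper() for h in SECRET_HINTS):
            findings.append(("high", "%s: env var %s is PLAINTEXT; reference it via "
                             "SECRETS_MANAGER or PARAMETER_STORE instead" % (name, vname)))

    # 2. Without an inline buildspec, CodeBuild reads buildspec.yml (or the named
    #    file) from the source repository: whoever can push to the built branch
    #    decides what executes under the project's service role, and that change
    #    does not have to pass the review that the application code does.
    spec = source.get("buildspec", "")
    if spec.startswith("arn:aws:s3:::"):
        pass  # pinned outside the repo; write access to that object is the control point
    elif "\n" not in spec:
        where = ("'%s' in the repository" % spec) if spec else "buildspec.yml in the repository"
        findings.append(("medium", "%s: build commands come from %s; pin an inline or S3 "
                         "buildspec, or protect that branch/path with mandatory review" % (name, where)))

    # 3. Privileged mode runs the build container as privileged (only needed to
    #    build Docker images), widening what a poisoned build can reach.
    if env.get("privilegedMode"):
        findings.append(("medium", "%s: privilegedMode is enabled; disable it unless the "
                         "build must run Docker" % name))

    return findings


def audit_projects(projects):
    """Flatten findings over many projects, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    out = [f for p in projects for f in audit_project(p)]
    return sorted(out, key=lambda f: order.get(f[0], 9))


def fetch_projects(region_name=None):
    """Pull every project definition from the account. Needs boto3 and the
    codebuild:ListProjects and codebuild:BatchGetProjects permissions."""
    import boto3  # imported lazily so the offline audit has no dependency
    cb = boto3.client("codebuild", region_name=region_name)
    names, token = [], None
    while True:
        page = cb.list_projects(**({"nextToken": token} if token else {}))
        names.extend(page.get("projects", []))
        token = page.get("nextToken")
        if not token:
            break
    projects = []
    for i in range(0, len(names), 100):  # BatchGetProjects accepts at most 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100]).get("projects", []))
    return projects


# Constructed project definitions (hypothetical names, not real resources).
WEAK_PROJECT = {
    "name": "web-app-build",
    "source": {"type": "CODECOMMIT",
               "location": "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/web-app"},
    "environment": {
        "type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:5.0",
        "privilegedMode": True,
        "environmentVariables": [
            {"name": "DB_PASSWORD", "value": "constructed-not-a-real-secret", "type": "PLAINTEXT"},
            {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
        ],
    },
    "serviceRole": "arn:aws:iam::123456789012:role/codebuild-web-app-service-role",
}

HARDENED_PROJECT = {
    "name": "web-app-build",
    "source": {"type": "CODECOMMIT",
               "location": "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/web-app",
               "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - make test\n"},
    "environment": {
        "type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:5.0",
        "privilegedMode": False,
        "environmentVariables": [
            {"name": "DB_PASSWORD", "value": "prod/web-app/db:password", "type": "SECRETS_MANAGER"},
            {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
        ],
    },
    "serviceRole": "arn:aws:iam::123456789012:role/codebuild-web-app-service-role",
}

if __name__ == "__main__":
    for severity, message in audit_projects([WEAK_PROJECT, HARDENED_PROJECT]):
        print(severity.upper(), message)
```

The audit deliberately does not judge the service role: what a poisoned build can do with the role's credentials depends on the IAM policy, which `BatchGetProjects` does not return, so that review has to be done against IAM separately (least privilege on the role is what bounds "full control of the deployment servers").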

Speakers

Asier Rivera

Asier has been part of the Cyber & Privacy team of PwC Belgium since he joined in September 2017 after finishing his studies. As a member of the technical security and risk management team, Asier is strongly focused on the technical aspects of application security and secure software... Read More →


Thursday October 7, 2021 17:00 - 18:00 CEST
01. Westvleteren University

21:30 CEST

BruCON Party
Thursday October 7, 2021 21:30 - 23:59 CEST
Feestzaal BAUDELOKAPEL
 
Friday, October 8
 

07:30 CEST

Hacker Run (10K)
Friday October 8, 2021 07:30 - 08:30 CEST
Novotel

08:30 CEST

Registration
Friday October 8, 2021 08:30 - 10:00 CEST
00. Lounge University

10:00 CEST

How to make Belgium one of the least cyber vulnerable countries in Europe by 2025?
On the 20th of May the Belgian Prime Minister presented the new cyber strategy to the National Security Council, which approved it. Its objective is to make Belgium one of the least cyber-vulnerable countries in Europe.

You want to know what we are preparing for the next four years?
What are the main lines of this new strategy?
How, together with all the actors concerned, do we plan to protect companies, operators of essential services, citizens, administrations and critical infrastructures?

Phédra Clouner will present the Belgian strategic approach. She will also explain how European initiatives have influenced, and will continue to influence, our approach.


Speakers

Phédra Clouner

After having obtained a Master’s degree in Ancient History and a Master’s degree in Information & Communication Technology at the ULB, Phédra Clouner started her career at the Belgian Ministry of Finance as IT Project Manager. Specializing in document management, enterprise content... Read More →


Friday October 8, 2021 10:00 - 11:00 CEST
01. Westvleteren University

10:30 CEST

Clear text credentials on modern systems
Limited Capacity filling up

DPAPI-NG is a new iteration of the DPAPI interface for protecting data on Windows operating systems.
DPAPI is a well-known encryption routine used to protect stored credentials such as those of Internet Explorer, Edge, Chrome, Wi-Fi profiles, RDP profiles, Credential Manager, etc.
DPAPI-NG is built on top of it and is used to store Windows Hello credentials, such as the Windows picture login or the Windows PIN code.

By reverse engineering these technologies, it was discovered that our precious Windows user passwords are recoverable in clear text from the hard drive, even when the system is shut down (e.g. from a backup).

The newly developed open source toolkit (DPAPILAB-NG) demonstrates this thoroughly.

This 2 hour workshop will allow you to get hands-on experience with the Python tools described above.
Participants will need to have their own laptop to participate in this workshop.
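Both runs of this workshop (Thursday and Friday) describe DPAPI as the routine behind stored browser, Wi-Fi, RDP and Credential Manager secrets, and the offline angle: everything needed starts from files on the disk or in a backup. The following is an added example, not DPAPILAB-NG or any of the workshop's tools: a parser for the header of a classic DPAPI blob (the `CryptProtectData` output format, not the newer DPAPI-NG format used for Windows Hello), which is the first step of any offline attack because the header names the master key GUID, and that GUID is the file under `%APPDATA%\Microsoft\Protect\<SID>\` whose decryption (from the user's password or the domain backup key) is what the rest of the workshop is about. The sample blob is constructed with dummy ciphertext and an arbitrary master key GUID; it is not decryptable.

```python
import struct
import uuid

# Provider GUID present in every classic (CryptProtectData) DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated DPAPI blob at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _u32(buf, pos):
    raw, pos = _take(buf, pos, 4)
    return struct.unpack("<I", raw)[0], pos


def _len_prefixed(buf, pos):
    n, pos = _u32(buf, pos)
    return _take(buf, pos, n)


def parse_dpapi_blob(buf):
    """Walk the fixed-layout header of a classic DPAPI blob. The result tells an
    offline tool which master key file it needs and which algorithms were used;
    'data' stays encrypted, only the unwrapped master key can decrypt it."""
    pos = 0
    version, pos = _u32(buf, pos)
    provider_raw, pos = _take(buf, pos, 16)
    provider = uuid.UUID(bytes_le=bytes(provider_raw))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (version %d, provider %s)" % (version, provider))
    mk_version, pos = _u32(buf, pos)
    mk_raw, pos = _take(buf, pos, 16)
    flags, pos = _u32(buf, pos)
    desc_raw, pos = _len_prefixed(buf, pos)      # UTF-16LE description
    crypt_alg, pos = _u32(buf, pos)
    crypt_bits, pos = _u32(buf, pos)
    salt, pos = _len_prefixed(buf, pos)
    _strong, pos = _len_prefixed(buf, pos)       # "strong" field, normally empty
    hash_alg, pos = _u32(buf, pos)
    hash_bits, pos = _u32(buf, pos)
    hmac_key, pos = _len_prefixed(buf, pos)
    data, pos = _len_prefixed(buf, pos)
    sign, pos = _len_prefixed(buf, pos)
    return {
        "version": version,
        "masterkey_version": mk_version,
        "masterkey_guid": str(uuid.UUID(bytes_le=bytes(mk_raw))),
        "flags": flags,
        "description": desc_raw.decode("utf-16-le").rstrip("\x00"),
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "crypt_key_bits": crypt_bits,
        "salt": salt,
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
        "hash_bits": hash_bits,
        "hmac_key": hmac_key,
        "data": data,
        "sign": sign,
        "consumed": pos,
    }


def masterkey_relpath(parsed, user_sid):
    """Location of the user master key this blob was protected with, relative to
    the user's roaming AppData directory (%APPDATA%)."""
    return "Microsoft/Protect/%s/%s" % (user_sid, parsed["masterkey_guid"])


def build_sample_blob():
    """Constructed blob: real header layout, dummy ciphertext, arbitrary GUID."""
    def lp(b):
        return struct.pack("<I", len(b)) + b
    mk_guid = uuid.UUID("3e0f8c2a-5b1d-4f6e-9a2c-0123456789ab")
    desc = "Constructed sample\x00".encode("utf-16-le")
    return (
        struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
        + struct.pack("<I", 1) + mk_guid.bytes_le
        + struct.pack("<I", 0)
        + lp(desc)
        + struct.pack("<II", 0x6610, 256) + lp(bytes(range(32)))   # AES-256, 32-byte salt
        + lp(b"")
        + struct.pack("<II", 0x800E, 512) + lp(b"\x11" * 32)       # SHA-512 HMAC key
        + lp(b"\x22" * 48)                                         # dummy ciphertext
        + lp(b"\x33" * 64)                                         # dummy signature
    )


if __name__ == "__main__":
    info = parse_dpapi_blob(build_sample_blob())
    print("master key:", masterkey_relpath(info, "S-1-5-21-1-2-3-1001"))
    print("cipher:", info["crypt_alg"], "hash:", info["hash_alg"], "ciphertext bytes:", len(info["data"]))
```

On a real disk image the same parser runs over blobs carved from, for instance, the Chrome `Local State` file or Credential Manager vault files; the `masterkey_guid` it returns is what tells you which `Protect\<SID>\<GUID>` file to recover before any password-based master key decryption can begin.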

Speakers

Tijl Deneut

Tijl Deneut has over 8 years of experience in the IT security sector and is an Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches at Howest University College and Ghent University, where he also leads several research projects. He has had the... Read More →


Friday October 8, 2021 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

Something Blue ... For The Blue Team
Limited Capacity full

In this 2 hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.

There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon, so I'm sure this is a pen test".
That is no longer the case: Cobalt Strike has become very popular with common criminals and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under a simulated one.

Didier has developed tools to extract the configuration of Cobalt Strike beacons, to detect Cobalt Strike beacons and to analyze/decrypt Cobalt Strike network traffic. And there are more tools to come.

These tools allow you to deal with Cobalt Strike beacons, without having to reverse engineer malicious code.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.
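Both the Thursday and the Friday run of this workshop are about extracting a Beacon's configuration without reverse engineering the sample. The following is an added example, not one of Didier Stevens's tools, of the publicly documented layout those extractors rely on: the configuration is a run of big-endian records `index | type | length | value` (type 1 = 16-bit, 2 = 32-bit, 3 = raw bytes), XOR-encoded with a single byte (0x69 for Beacon 3.x, 0x2e for 4.x), and the first record is always index 1 (BeaconType) of type 1 and length 2, which gives a six-byte pattern to search for. The sample "binary" is constructed for this example, as is the hostname in it; the field name table is a subset of the public mapping.

```python
import struct

XOR_KEYS = (0x69, 0x2E)                      # Beacon 3.x / 4.x config XOR keys
MARKER = b"\x00\x01\x00\x01\x00\x02"         # first record: index 1, SHORT, length 2
CONFIG_WINDOW = 4096                         # generous upper bound on config size
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

# Subset of the public record-index mapping; enough for triage.
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark",
}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_configs(sample):
    """Offsets (and the key in use) where an XOR-encoded config starts."""
    hits = []
    for key in XOR_KEYS:
        needle = xor_bytes(MARKER, key)
        start = 0
        while True:
            off = sample.find(needle, start)
            if off < 0:
                break
            hits.append((off, key))
            start = off + 1
    return hits


def parse_config(sample, offset, key):
    """Decode the window at offset and walk its TLV records until the index-0 terminator."""
    cfg = xor_bytes(sample[offset:offset + CONFIG_WINDOW], key)
    out, pos = {}, 0
    while pos + 6 <= len(cfg):
        idx, typ, length = struct.unpack(">HHH", cfg[pos:pos + 6])
        pos += 6
        if idx == 0:
            break
        raw = cfg[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == TYPE_DATA:
            value = raw
        else:
            raise ValueError("malformed record %d (type %d, length %d)" % (idx, typ, length))
        if idx == 1:
            value = BEACON_TYPES.get(value, "Unknown(%d)" % value)
        elif isinstance(value, bytes):
            value = value.split(b"\x00", 1)[0].decode("latin-1")   # strings are NUL-padded
        out[FIELD_NAMES.get(idx, "Field_%d" % idx)] = value
    return out


def extract_all(sample):
    return [{"offset": off, "key": key, "config": parse_config(sample, off, key)}
            for off, key in find_configs(sample)]


def build_sample():
    """Constructed stand-in for a Beacon: junk bytes, then a config XOR'd with 0x2e."""
    def rec(idx, typ, payload):
        return struct.pack(">HHH", idx, typ, len(payload)) + payload
    c2 = b"cdn.example.invalid,/updates/index.js".ljust(256, b"\x00")
    ua = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")
    records = (
        rec(1, TYPE_SHORT, struct.pack(">H", 8))            # HTTPS
        + rec(2, TYPE_SHORT, struct.pack(">H", 443))
        + rec(3, TYPE_INT, struct.pack(">I", 60000))        # sleep, ms
        + rec(4, TYPE_INT, struct.pack(">I", 1048576))
        + rec(5, TYPE_SHORT, struct.pack(">H", 20))         # jitter, percent
        + rec(8, TYPE_DATA, c2)
        + rec(9, TYPE_DATA, ua)
        + rec(37, TYPE_INT, struct.pack(">I", 305419896))   # watermark
        + b"\x00" * 6                                       # terminator
    )
    return b"MZ\x90\x00" + bytes(range(64, 128)) + xor_bytes(records, 0x2E) + b"\x00" * 32


if __name__ == "__main__":
    for hit in extract_all(build_sample()):
        print("config at 0x%x (key 0x%02x):" % (hit["offset"], hit["key"]))
        for k, v in hit["config"].items():
            print("  %-12s %r" % (k, v))
```

Two things the toy sample hides that real samples do not: the config is often inside a packed or staged payload, so the search has to run on the unpacked or decrypted beacon rather than on the dropper, and the field set differs between Beacon versions, so an unknown index (`Field_N` here) is normal rather than a parsing error.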

Speakers

Didier Stevens

Didier Stevens (Microsoft MVP, SANS ISC Handler, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You can find his open source security tools on his IT secur... Read More →


Friday October 8, 2021 10:30 - 12:30 CEST
04. Orval Novotel

11:00 CEST

Exorcising the Ghost in the Machine: A Critical Assessment of Supply Chain Intrusion Vectors
Supply chain attacks appear to be among the most concerning threat vectors for many organizations - yet most descriptions of such threats appear to either ignore or be ignorant of the steps required to actualize an implant for offensive purposes. First, this talk will work to disambiguate two distinct attack types often lumped together: software/hardware supply chain attacks via modification, and trusted third-party/vendor/contractor compromise to facilitate access to supported organizations. This distinction is very important, and looking at these two event types as event equivalents is deeply confusing.

After setting the groundwork for discussion, physical or software supply chain attack (e.g., modification of device hardware, firmware, "adding a rice-sized chip" to a motherboard, or altering source code) functionality and execution will be analyzed in detail: how these attacks work in practice, and what actions and accesses are required to make these attacks useful. Based on this exploration, defenders will gain insight into the true scope and meaning of such attacks, specifically: how such attacks are overhyped; why such attacks are extremely difficult to execute; and how multiple defensive measures exist to detect or mitigate against such attacks. From this analysis, defenders and information security stakeholders will learn how to precisely orient the risk of supply chain compromise events, and exorcise the persistent threat of a “ghost in the machine”.

Speakers

Joe Slowik

Joe Slowik has over 10 years' experience across multiple roles in both offensive and defensive cyber operations. Currently leading threat intelligence and detection development efforts at Gigamon, Joe continues to apply an adversary-focused approach to network security issues.


Friday October 8, 2021 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

Lunch
Friday October 8, 2021 12:00 - 13:30 CEST
00. Lounge University

13:30 CEST

Chasing the White Whale of Malware: Foundations for Understanding Operational Technology Binaries
Finding malware is not difficult. Multiple platforms offer security analysts access to malicious files of all colours and flavours. However, as the amount of data grows, we may be missing unique types of malware hidden in plain sight: white whale samples that have only been observed a couple of times and were developed to cause damage in the physical world by targeting operational technologies.

Although we have only observed operational technology (OT) malware (e.g. TRITON or Industroyer) a couple of times in the wild, it is possible that similar samples are currently being developed and tested. We do not want to see this type of malware ever deployed in the real world, as it is designed to target the physical integrity of infrastructure, people, and industrial processes.

However, identifying OT malware is not simple. Common methods used to detect malicious behaviours (e.g. sandboxes) are currently not able to understand and analyse OT binaries. For example, legitimate scripts developed by original equipment manufacturers (OEMs) or by operators to fulfil precise process objectives often cannot be read by automated malware analysis solutions, or are flagged as malicious when they fail to run. Therefore, finding and filtering OT software samples worth analysing is already a challenge.

In this talk we will describe the unique challenges we have faced while filtering binaries from OT products and vendors. We will then walk through simple methods that do not require advanced reverse engineering skills (e.g. static strings, strings in memory, analysis of functions, or import hashing) to set up a partial benchmark for sorting OT binaries. For that, we will use several Modbus samples to illustrate our successes and failures in filtering these samples during the initial analysis steps. We hope our stories encourage entry and intermediate level analysts to take their first steps towards recognizing and identifying interesting OT samples.

Speakers

Daniel Kapellmann Zafra

Technical Analysis Manager for Mandiant where he oversees the strategic coverage of cyber physical threat intelligence and coordinates the development of tools and solutions to collect and analyze data. He is a frequent speaker on industrial control systems (ICS) / operational technology... Read More →


Friday October 8, 2021 13:30 - 14:30 CEST
01. Westvleteren University

14:00 CEST

Advanced Memory-Based Malware Analysis: Mastering analysis of the one place malware cannot hide!
Limited Capacity filling up

Malware continues to advance in sophistication and prevalence.  Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications.  But one place malware cannot easily hide itself is within volatile computer memory (RAM).  

Although an essential part of malware analysis, incident response, digital forensics, software reverse engineering, and exploit development, memory forensics is not trivial to master. In addition, many problems and inefficiencies exist within our current approach of conducting memory analysis: it takes too much time, is very labor intensive, and artifact extraction comes with an overload of raw data that is not practical on real-world compromised computer systems. These inefficiencies ultimately result in greater resource expenditure to conduct the analysis which provides less accurate results. I have solved this problem by engineering a new construct for memory analysis along with a new tool release to provide advanced memory analysis, correlation, and user-interaction to enhance analysis, increase accuracy, and better detect obfuscated malware.

This is a very hands-on workshop that provides an in-depth approach to malware analysis via computer memory analysis. A brand new tool and a new memory analysis construct are released to demonstrate advanced (yet easier to understand) capabilities for conducting memory analysis.

Advanced memory analysis is not easy, but it is not impossible either. This technical workshop gets the participant very comfortable with Windows internals and with advanced techniques for feature extraction and malware analysis from computer memory. We will walk through multiple analyses of real-world malware exploitation samples. Advanced malware is capable of obfuscating itself from the user and the operating system. This workshop reveals how to discover and extract advanced malware and rootkits directly from memory, using a brand new (completely open-source) tool that saves hours and hours of analysis, enhances your capabilities, and encapsulates analysis results in a very interactive user interface and report. This workshop is best suited for Software Reverse Engineers, Malware Analysts, Exploitation Developers, Digital Forensics Examiners, and Cyber Incident Responders.

Speakers

Solomon Sonya

Solomon Sonya (@Carpenter1010) is an Assistant Professor of Computer Science at the United States Air Force Academy. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms...


Friday October 8, 2021 14:00 - 18:00 CEST
05. La Trappe Novotel

14:00 CEST

Practical Mobile App Attacks By Example

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff :)

Attendees will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deep links and mobile app data exfiltration with XSS. This includes: lifetime access to a training VM, vulnerable apps to practice on, guided exercise PDFs and video recordings explaining how to solve the exercises.

This workshop is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: an entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human rights abuse where a security flaw could get somebody killed in the real world, and more.

The workshop offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This workshop is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)

Get FREE access to the slides, recording and vulnerable apps to practice with:
https://7asecurity.com/free-workshop-mobile-practical


Please note:
Access to the material requires subscribing to a mailing list and signing an NDA.

Speakers

Abraham Aranguren

After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other even...


Friday October 8, 2021 14:00 - 18:00 CEST
03. Chimay Novotel

14:30 CEST

Android malware targeting Belgian Financial apps
Mobile malware has been around since the first versions of Android and iOS, ranging from premium-text scams to ransomware to banking trojans. Until recently, banking trojans stayed clear of Belgian financial apps, but with the rise of TeaBot, this has finally changed. In this presentation I will give you a crash course on Android malware, explain how banking trojans work and what we can do to stop them.

Speakers

Jeroen Beckers

Jeroen is Mobile Solution Lead of the NVISO Software Security & Assessments team, where he is responsible for all mobile engagements. He is also the lead author for SANS Course SEC575: Mobile Device Security and Ethical Hacking and is co-author of the OWASP MSTG and the OWASP MASVS...


Friday October 8, 2021 14:30 - 15:30 CEST
01. Westvleteren University

15:30 CEST

Coffee Break
Friday October 8, 2021 15:30 - 16:00 CEST
00. Lounge University

16:00 CEST

Defeating EDRs using Dynamic Invocation in C#
How can red team operators emulate covert operations and operate at the same level as a real threat group? EDR solutions can make the life of a red team operator significantly harder. Dynamic invocation (also known as D/Invoke) – a sub-branch of the popular “Sharpsploit” project – can help with evading those pesky EDRs and executing your payloads successfully. In this presentation, we will go over D/Invoke's capabilities and how to leverage them in your red team operations.

Speakers

Jean-Francois Maes

Jean-François Maes is a senior consultant at TrustedSec specialized in red teaming and infra pentests. On top of his consulting work, Jean-François is also a SANS instructor, teaching the SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection course. He...


Friday October 8, 2021 16:00 - 17:00 CEST
01. Westvleteren University

17:00 CEST

BruCON Closing
Friday October 8, 2021 17:00 - 17:30 CEST
01. Westvleteren University