BruCON 0x10

Debunking this and other persistent privacy myths is highly overdue. In this keynote, we'll explore privacy engineering and discover how it can strengthen security. Threat modeling will be the star player here, as it not only drives and improves the secure development process, but also serves as the perfect vehicle to integrate and align privacy into security practices.

In this 2 hour workshop, Didier will guide you through XOR Cryptanalysis exercises using several open source tools (several of these tools are created and maintained by Didier).

After an introduction to the XOR operator and its use in cryptography, we will work through several exercises that will familiarize you with tools like:

• CyberChef
• translate.py
• XOR 010 Editor script
• XORSearch
• xor-kpa.py 

And we will end with exercises using custom ransomware decryption tools that Didier developed for a particular ransomware strain with flawed crypto. 

Zeek is an open-source network security monitor (NSM) and analytics platform that has been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.

But Zeek is so much more than just a NIDS generating alerts (notices) and log files! Zeek's scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or, most importantly, interfacing with external sources, such as Python! The Zeek Python bindings allow us, the analysts, to use powerful Python libraries such as Numpy, Pandas, and Tensorflow and apply machine learning-based detection on network traffic.

During this two-hour workshop, we will learn about the following topics:

• Super fast introduction to Zeek (architecture, events, logs, signatures, etc.)
• Using machine learning and data science tools on Zeek logs (as an example, we will use Fourier Analysis to detect C2 beaconing)
• Super fast crash course in Zeek scripting (just enough to understand how to create new logs)
• Connecting Zeek and Python via the Zeek Broker Communication Framework
• Using machine learning tools in Python on the data we receive from Zeek for detection (as an example, we will use convolutional neural network and random forest models to compare them, and then use them to find unknown malware in live network traffic) 

Requirements for the workshop:

1. A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system).
2. Application to run Virtual Images (type-2 hypervisor): VMWare Workstation Pro (recommended), VMWare Workstation Player, VMWare Fusion, or VirtualBox.
3. Only 64-bit Intel-compatible (Intel or AMD) processors are supported. 

/!\ WARNING /!\: ARM-based (Apple Silicon, some Microsoft Surface) devices cannot perform the necessary virtualization and therefore cannot be used for the workshop. 

Mistyped domains often take some convincing to be effective in phishing attacks. After finding the perfect typo, the real work starts setting up the perfect lure. Instead of this, an often-forgotten attack vector exists where potential victims already make these typo's when sending email and or configuring systems, letting go of plenty useful information while at it.

In this talk we will explore this attack vector, ultimately setting ourselves up for a Mail-in-the-middle (MaiTM) attack to steal confidential information, login using password resets, embed tracking pixels and even deliver malware. Configuring this can still take some work and requires quick timing, so to help with that we have developed a toolkit that we will demonstrate during this talk. Finally, considering the impact of these attacks we will dive into some detection and prevention strategies for this attack while also releasing some new proof of concept tooling to aid organizations in defending against it.

Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.

Code obfuscation is fast becoming a normal part of modern Windows malware. Pioneered by Emotet and popularized by the Conti ransomware leaks, we now see even simple credential stealers using cracked versions of commercial grade code virtualization! The solution… if you can’t reverse it, just run it!

In this workshop we will cover different tracing techniques that can be used to bypass and extract information from protected code. The workshop is divided into modules covering tracing with x64dbg, dynamic binary instrumentation with PIN, and API tracing with DTrace. A challenge binary is provided with each module for students to practice and the final challenge is a real world malware sample that has been virtualized.

This workshop is aimed at reverse engineers and malware analysts who have experience analyzing malware and are comfortable with debugging in userland. If you don’t have experience with malware but you do have a few hours behind the debugger you should have no problem completing the workshop.

Requirements:

1. Students must bring a laptop/workstation capable of running a Windows Virtual Machine (VM)
2. A preinstalled Windows 10 (64bit) 20H1(or later) VM with at least 50G of free space.
   You will be provided with detailed tools installation and setup instructions prior to the workshop

In the dynamic realm of system security, the ability to diagnose and debug at the kernel level is invaluable. "Uncovering Hidden Threats: Intro to Kernel Debugging with WinDbg" is a workshop designed for IT professionals, system administrators, and security researchers who are eager to gain foundational skills in kernel debugging. This session will immerse participants in practical, hands-on scenarios using WinDbg for kernel debugging.

Throughout this workshop, attendees will engage directly with real-world debugging exercises, designed to provide a deep dive into the inner workings of the Windows kernel. Participants will be provided with preconfigured virtual machine (steps on how to set up debugging environment from scratch are provided on request), interpret common kernel-mode data structures, and detect common stealth and persistence techniques encountered in the Windows rootkits. The focus will be heavily on 'learning by doing,' ensuring that every attendee not only understands the theoretical underpinnings but also acquires direct experience in applying these techniques.

By the end of the workshop, participants will have the skills to uncover and mitigate hidden threats in their own systems, armed with a robust set of debugging competencies that can be applied immediately in their professional roles.

Digital forensic procedures often come with significant overhead, from navigating the complexities of different operating systems to lengthy processes for image collection in the cloud. Additionally, the myriad of available tools can require expertise to select and utilize effectively. Why deal with these challenges when you can automate the basics?

In this talk, we'll discuss the design of a framework aimed at automating triage-level forensics, making it accessible for all analysts to integrate into their investigations. We'll explore the open-source tools we've incorporated and the design paradigms ensuring scalability, concluding with valuable lessons learned.

Over the last 12 months Microsoft’s AI Red Team (AIRT) has conducted nearly 100 assessments of AI systems including comprehensive reviews of foundation models, multiple reviews of Copilot features, and in-depth reviews of AI systems in sensitive domains such as health care. From this work AIRT has developed deep knowledge of the most impactful security, safety, and privacy risks that the usage of AI systems in the real world can cause, the techniques and tooling needed to elicit them, and approaches to prevent or detect these risks.

In this presentation we will cover what AI Red Teaming is, the processes and tooling AIRT has developed, and most interesting what the key trends have been in terms of techniques and weaknesses identified during our many assessments. We will discuss how AI security issues are tightly connected with traditional cybersecurity, but also how the safety aspect of AI introduces new and exciting challenges to our work. We will also touch on how AIRT’s work has informed the development of new defenses for AI systems and security professionals should approach defending the AI systems that they use.

We will also look ahead to next year and where the risks might go next, and how we might want to prevent them in a world where AI system capabilities are evolving at an extremely rapid pace.

With more and more organizations moving away from traditional on-prem infrastructures towards hybrid or full cloud environments, the need for breaching the network perimeter as an attacker becomes increasingly redundant to cause any impact. The primary identity solutions for companies are shifting from Active Directory towards Microsoft Entra ID, on-prem SMB shares are replaced by OneDrive and SharePoint Online, and Exchange Servers are decommissioned in favor of Exchange Online.

With the most sensitive information of an organization now being stored in the cloud, penetration testers and red teamers need to adapt their techniques and focus on this shifted attack surface. This led to the creation of GraphSpy, the Swiss Army Knife for attacking Microsoft 365 & Entra. In this workshop, you will be able to play with some of the most powerful capabilities of the tool to compromise and move laterally inside a realistic lab environment created by the author of GraphSpy.

Requirements:

1. This workshop requires a laptop or virtual machine on which python3 is installed (any OS should work). 

The workshop will be accessible for beginners, while also being fun and challenging for the more advanced participants. Both red and blue team backgrounds are welcome!

In recent years, there has been a lot of buzz around LLVM IR in the entire security industry. Both academia and the private sector are releasing papers and tools about fuzzing, symbolic execution and software (de)obfuscation. Traditionally, the learning curve for new people has been steep: The existing material requires a lot of fundamental knowledge about compiler theory, making it a difficult to get practical experience with.

This workshop aims to rectify this and focuses on practical exercises to get familiar with the LLVM ecosystem. The workshop is meant as a practical starting point for your journey into the LLVM ecosystem.

By the end of it we hope you will have a new tool to play with in your reverse engineering arsenal. Covered topics: Basics of LLVM IR Structure, instructions, navigating the manual. How to produce and manipulate it with command-line tools.