This workshop aims to provide attendees hands-on experience on writing custom backdoor payloads using C# for the most common command and control frameworks including Metasploit, Powershell Empire and Cobalt Strike. The workshop consists in 7 lab exercises; each of the exercises goes over a different technique that leverages C# and .NET capabilities to obtain a reverse shell on a victim Windows host. The covered techniques include raw shellcode injection, process injection, process hollowing, runtime compilation, parent pid spoofing, antivirus bypassing, etc. At the end of this workshop attendees will have a clear understanding of these techniques both from an attack and defense perspective.
https://www.defcon.org/html/defcon-27/dc-27-workshops.html
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers basic of operation of the fuzzer, gives tutorial on how to run it and how to extend it to fuzz new drivers.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
Most nefarious activities carried out by malware—such as running code in Internet Explorer in an attempt to steal passwords, hijack sessions, or conduct Man-in-the-Browser fraud, require code injection.
This session exposes additional new user- and kernel-mode injection techniques. One of these techniques we’ve coined as “code-less code injection” since, as opposed to other known injection techniques, does not require adding code to the injected process.
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers basic of operation of the fuzzer, gives tutorial on how to run it and how to extend it to fuzz new drivers.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
Most nefarious activities carried out by malware—such as running code in Internet Explorer in an attempt to steal passwords, hijack sessions, or conduct Man-in-the-Browser fraud, require code injection.
This session exposes additional new user- and kernel-mode injection techniques. One of these techniques we’ve coined as “code-less code injection” since, as opposed to other known injection techniques, does not require adding code to the injected process.
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
Bu doküman, alıntı vererek kullanılabilir ya da paylaşılabilir ancak değiştirilemez ve ticari amaçla kullanılamaz. Detaylı bilgiye https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr bağlantısından erişebilirsiniz.
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://forum.defcon.org/node/242109
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
CNIT 124 Ch 13: Post Exploitation (Part 1)Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure.
Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.
EMBA is the open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This course gets you started with writing device drivers in Linux by providing real time hardware exposure. Equip you with real-time tools, debugging techniques and industry usage in a hands-on manner. Dedicated hardware by Emertxe's device driver learning kit. Special focus on character and USB device drivers.
This presentation will provide the information about the Linux Root File systems and its hierarchy. So any technocrate who is willing to gain info about root files of Linux can easily understand . preffered for Embedded system design Students who are pursuing diploma courses in various CDAC centers.
Bootloader utilizes to program microcontrollers by providing a medium of communication between them. Hence small bootloader uses to make controller programmable very often as like Arduino series board. Microcontrollers like 8051, PIC without bootloader requires the external programmer to burn the program inside the memory of the microcontroller. In addition to it requires preciously control output states of various pin mode which should be in sequence according to the datasheet of the manufacturer. Here this PPT has portrayed as an example of idle configurations that requires to run the bootloader and what happens if the bootloader is installed inside the memory of the controller.
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
Linux Kernel Cryptographic API and Use CasesKernel TLV
The Linux kernel has a rich and modular cryptographic API that is used extensively by familiar user facing software such as Android. It's also cryptic, badly documented, subject to change and can easily bite you in unexpected and painful ways.
This talk will describe the crypto API, provide some usage example and discuss some of the more interesting in-kernel users, such as DM-Crypt, DM-Verity and the new fie system encryption code.
Gilad Ben-Yossef is a principal software engineer at ARM. He works on the kernel security sub-system and the ARM CryptCell engine. Open source work done by Gilad includes an experiment in integration of network processors in the networking stack, a patch set for reducing the interference caused to user space processes in large multi-core systems by Linux kernel “maintenance” work and on SMP support for the Synopsys Arc processor among others.
Gilad has co-authored O’Reilly’s “Building Embedded Linux Systems” 2nd edition and presented at such venues as Embedded Linux Conference Europe and the Ottawa Linux Symposium, as well as co-founded Hamakor, an Israeli NGO for the advancement for Open Source and Free Software in Israel. When not hacking on kernel code you can find Gilad meditating and making dad jokes on Twitter.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
Bu doküman, alıntı vererek kullanılabilir ya da paylaşılabilir ancak değiştirilemez ve ticari amaçla kullanılamaz. Detaylı bilgiye https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr bağlantısından erişebilirsiniz.
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://forum.defcon.org/node/242109
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
CNIT 124 Ch 13: Post Exploitation (Part 1)Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure.
Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.
EMBA is the open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This course gets you started with writing device drivers in Linux by providing real time hardware exposure. Equip you with real-time tools, debugging techniques and industry usage in a hands-on manner. Dedicated hardware by Emertxe's device driver learning kit. Special focus on character and USB device drivers.
This presentation will provide the information about the Linux Root File systems and its hierarchy. So any technocrate who is willing to gain info about root files of Linux can easily understand . preffered for Embedded system design Students who are pursuing diploma courses in various CDAC centers.
Bootloader utilizes to program microcontrollers by providing a medium of communication between them. Hence small bootloader uses to make controller programmable very often as like Arduino series board. Microcontrollers like 8051, PIC without bootloader requires the external programmer to burn the program inside the memory of the microcontroller. In addition to it requires preciously control output states of various pin mode which should be in sequence according to the datasheet of the manufacturer. Here this PPT has portrayed as an example of idle configurations that requires to run the bootloader and what happens if the bootloader is installed inside the memory of the controller.
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
Linux Kernel Cryptographic API and Use CasesKernel TLV
The Linux kernel has a rich and modular cryptographic API that is used extensively by familiar user facing software such as Android. It's also cryptic, badly documented, subject to change and can easily bite you in unexpected and painful ways.
This talk will describe the crypto API, provide some usage example and discuss some of the more interesting in-kernel users, such as DM-Crypt, DM-Verity and the new fie system encryption code.
Gilad Ben-Yossef is a principal software engineer at ARM. He works on the kernel security sub-system and the ARM CryptCell engine. Open source work done by Gilad includes an experiment in integration of network processors in the networking stack, a patch set for reducing the interference caused to user space processes in large multi-core systems by Linux kernel “maintenance” work and on SMP support for the Synopsys Arc processor among others.
Gilad has co-authored O’Reilly’s “Building Embedded Linux Systems” 2nd edition and presented at such venues as Embedded Linux Conference Europe and the Ottawa Linux Symposium, as well as co-founded Hamakor, an Israeli NGO for the advancement for Open Source and Free Software in Israel. When not hacking on kernel code you can find Gilad meditating and making dad jokes on Twitter.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Zephyr RTOS in One Hour | HARDWARIO @ IoT North UKHARDWARIO
Pavel Hübner (from HARDWARIO) will provide a crash course into the Zephyr RTOS. Zephyr is an innovative operating system targeting 32-bit microcontrollers and is suitable for connected IoT products. Such devices are often low-power and provide a multi-year battery lifespan. The ambitious 60-minute live session with be held on a configurable IoT gateway CHESTER - a platform based on Nordic Semiconductor SoCs nRF52840 / nRF9160. Throughout the course, Pavel will go from the key Zephyr fundamentals to connecting a fully-fledged IoT application over the NB-IoT network.
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsMauricio Velazco
After obtaining an initial foothold in a corporate environment, adversaries will most likely have to interact with Active Directory across the attack lifecycle before achieving operational success. Prevention has fallen short and defender's best shot at uncovering threats in their environments is to design and deploy effective monitoring/detection strategies for AD-based attacks.
PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework's tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
PurpleSharp 2.0 introduces the ability to execute automated adversary simulation playbooks that are flexible and customizable against Active Directory environments. This allows defenders to measure detection coverage across various scenarios and variations of the same techniques.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building new and testing existing detection capabilities will be constrained. PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
After obtaining an initial foothold on an environment, attackers are forced to embark in lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur. This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Mauricio Velazco
Executing adversary simulations in properly monitored environments allows defenders to test and enhance their detection capabilities. Unfortunately, red & purple team engagements cannot be executed too often. This talk will describe the benefits of blue team led simulations by dissecting common red team techniques, show how they can be detected and release a new tool to simulate them.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
5. Command & Control
■ Communication channel
established between an
infected host and a
server used to control
the victim host remotely
■ Client - server
architecture
https://www.activecountermeasures.com/blog-beacon-analysis-the-key-to-cyber-threat-hunting/
7. Metasploit & Meterpreter
■ Extensible C-based payload that uses in memory DLL injection to load
modules at runtime
■ Meterpreter and the modules it loads run from memory, without
touching disk.
■ Supports HTTP & HTTPs
11. Command & Control Frameworks
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html
12. C Sharp 101
■ Object oriented programming language released in 2001 as part of
the .NET initiative
■ C# source is compiled to IL (Intermediate Language) which can then
be translated into machine instructions by the CLR (Common
Language Runtime)
https://docs.microsoft.com/en-us/dotnet/standard/clr
■ Managed Code vs Unmanaged
https://docs.microsoft.com/en-us/dotnet/standard/managed-code
19. Console Class
■ Represents the standard input, output, and error streams for
console applications.
Console.WriteLine(“Hello World!”);
Console.ReadKey();
■ https://docs.microsoft.com/en-
us/dotnet/api/system.console?view=netframework-4.8
20. Windows API
■ Exposes programming interfaces to the services provided by the
OS
■ File system access, processes & threads management, network
connections, user interface, etc.
■ https://docs.microsoft.com/en-us/windows/desktop/api/
23. MessageBox
■ Displays a modal dialog box
that contains a system icon, a
set of buttons, and a brief
application-specific message
■ If the function fails, the return
value is zero
26. Web.Client Class
■ Provides common methods for sending data to and receiving data
from a resource identified by a URI.
WebClient client = new WebClient();
client.Headers["User-Agent"] ="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/60.0.3112.113 Safari/537.36";
byte[] response = client.DownloadData("https://www.google.com/");
■ https://docs.microsoft.com/en-
us/dotnet/api/system.net.webclient?view=netframework-4.8
27. VirtualAlloc
■ Reserves a region of memory
within the virtual address
space of the calling process.
■ If succeeds, it returns the
base address of the allocated
region
28. Marshal Class
■ Provides a collection of methods for allocating unmanaged memory,
copying unmanaged memory blocks, and converting managed to
unmanaged types
■ https://docs.microsoft.com/en-
us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
public static void Copy (byte[] source, int startIndex, IntPtr destination, int length);
29. CreateThread
■ Creates a thread within the
virtual address space of the
calling process
■ If it succeeds, it returns a
handle to the new thread
30. WaitForSingleObject
■ Waits until the specified
object in the signaled state
■ If succeeds, the return value
indicated the event that
caused the function to return
31.
32.
33. Capture The Flag #1
■ As shown on the screenshot above,
the payload opens a console
window that will be visible to the
victim and easy to spot. Change the
source code of Exercise 2 to hide
the console using Windows API calls.
35. Shellcode
■ Sequence of bytes that
represent assembly
instructions
■ Usually used as the payload
after successful exploitation
■ Metasploit’s msfvenom
generates shellcode for
different payloads
39. InstallUtil
■ “Command-line utility that allows you to install and uninstall
server resources by executing the installer components in
specified assemblies”
https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
■ Microsoft signed binary that can be used to run any .NET
assembly ☺
InstallUtil.exe /logfile= /LogToConsole=false /U malicious.exe
45. Exclusive Or ( XOR )
■ Exclusive disjunction (exclusive or ) is
a logical operation that outputs true
only when inputs differ
■ Commonly used by malware to
bypass signature detection
46. Advanced Encryption Standard (AES)
■ Symmetric block cipher, subset of the Rijndael block cipher
■ Adopted by the US government and used worldwide
■ https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
50. .NET Brothers
■ C# and PowerShell are effectively frontends for the .NET framework.
■ They can both call and execute each other’s code
http://executeautomation.com/blog/calling-c-code-in-powershell-and-vice-versa/
■ Powershell.exe is a process that hosts the
System.Management.Automation.dll
using System.Management.Automation
51. PowerShell Class
■ Provides a simple interface to execute a PowerShell command or
script
■ https://docs.microsoft.com/en-
us/dotnet/api/system.management.automation.powershell?view=ps
core-6.2.0
55. Dll Injection
■ Technique used to run arbitrary code within the address space of
another process by forcing it to load a DLL
■ Use legitimately by applications like anti malware for API hooking
https://nagareshwar.securityxploded.com/2014/03/20/code-injection-and-api-hooking-techniques/
■ Also used by malware as a means to avoid detection and obtain
visibility into other process memory
56. Process Modules
■ “A module is an executable file or DLL. Each process consists of one or
more modules”
https://docs.microsoft.com/en-us/windows/win32/psapi/module-information
■ The API EnumProcessModules can be used to list a process modules
https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodules
■ .NET also implements an interface to interact with process modules
57. Process Class
■ Provides access to local and
remote processes and
enables you to start and stop
local system processes.
https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.process?view=netframework-4.8
59. OpenProcess
■ Opens an existing local
process object.
■ If succeeds, it returns a
handle to the process
60. VirtualAllocEx
■ Reserves, commits, or
changes the state of a region
of memory within the virtual
address space of a specified
process
■ If succeeds, the return value is
the base address of the
allocated region
67. Capture The Flag #3
■ Using the source code under the
ShellcodeInjectionDll folder as a
guide, create your own DLL that
provides a reverse meterpreter
shell. Once you have that, modify
Exercise 3 to identify explorer.exe
and inject the malicious DLL into
its memory space without user
interaction.
68. TO Do: Reflective Dll Injection
■ Technique in which the concept of reflective programming is
employed to perform the loading of a library from memory into a host
process
■ The injected DLL does not have to touch disk
■ https://github.com/stephenfewer/ReflectiveDLLInjection
70. Process Hollowing
■ Technique by which a legitimate process is started with the purpose
of being used as a container for arbitrary code
■ At launch, the process memory is replaced with malicious code
■ Used by malware as a means to avoid detection and bypass security
controls
74. Process Class
■ Provides access to local and
remote processes and
enables you to start and stop
local system processes.
https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.process?view=netframework-4.8
75. OpenThread, SuspendThread, ResumeThread
■ Opens an existing thread object
■ Suspends the specified thread
■ Decrements a thread's suspend count. When the suspend count is
decremented to zero, the execution of the thread is resumed
76. Custom Process Hollowing
■ The original Process Hollowing technique involves unmapping
memory sections (NtUnmapViewOfSection) and overwriting the
base address of the container process
■ This is required when the goal is to execute a binary in the memory
space of the container
■ For this lab, we will skip some steps as our goal is to inject shellcode
to obtain a shell
77.
78. CreateProcess
■ Creates a new process and its
primary thread. The new
process runs in the security
context of the calling process.
■ If the function succeeds, the
return value is nonzero.
84. UpdateProcThreadAttribute
■ Updates the specified
attribute in a list of attributes
for process and thread
creation.
■ If the function succeeds, the
return value is nonzero.
85.
86.
87. Capture The Flag #4
■ Modify the source code of Exercise
1 to obtain a reverse shell using the
parent process spoofing
technique. Use what you have
learned on previous labs or
exercises.