Workshops @ DEATHCon 2023
DEATHCon is all about learning through hands-on workshops in a realistic lab. Check out all the workshops to find the ones you are most interested in. Because they are all asynchronous, you can choose your own schedule and do as many workshops as you want!
It's reasonable to plan on completing four or five workshops during the two days of the conference, while the workshop leaders will be available by chat to help you, but the lab will stay up through the end of November so you can finish all the workshops if you dedicate the time.
You'll have the best experience if you find a few other participants near your time zone and go through the workshops together, helping each other along the way. If you are attending DEATHCon in person (Seattle, Amsterdam, or Bonn) you can do workshops with friends IRL!
by Kelcey Tietjen
Email Detection Engineering & Threat Hunting with Sublime & Yara
by Josh Kamdjou & Alfie Champion
Initially attendees will be introduced to the foundational technologies that enable threat hunting, detection engineering, and response in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data. Throughout the day, participants will learn to hunt common phishing techniques including:
- VIP Impersonations
- HTML smuggling via links/attachments
- Malicious VBA macros
- Lookalike / homoglyph attacks
- Credential phishing
- Password protected archives
- Exploits (e.g. CVE-2023-23397, CVE-2021-40444)
- Fake invoices (Geek Squad)
Attendees will be guided through the rule creation process, utilizing detection engines including Sublime and Yara, and will be introduced to the signals and email attributes that can be used to craft high-fidelity rules, including targeted user groups, sentiment analysis, sender domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manner of email threats.
Beyond OS Credential Dumping: File Auditing in Windows & Linux
by Anton Ovrutsky
A few scripts and tools like Trufflehog will be utilized to identify files on endpoints and within file shares that can contain credential material. Browser cookie theft will also be covered.
The ideas and concepts for the workshop are covered in two blog posts on the subject:
- Windows SACL auditing
- Set-AuditRule by Roberto Rodriguez
- Linux auditd / Laurel telemetry
- Two helper scripts that aid in turning on relevant auditd and SACL auditing
- Utilize a C2 framework to steal cloud credential files
- Utilize Mimikatz to decrypt an Azure token blob file on disk
- Utilize WhiteChocolateMacademiaNut by Justin Bui to steal Chrome/Edge browser cookies
Building a Malware Detector Using Static Analysis & Machine Learning
by Dr. Angelo Schranko de Oliveira
1) Static analysis feature selection and extraction using the PE library
2) Data preprocessing using the Pandas library
3) Feature engineering using the Feature Engine library
4) Data visualization using the Scikit Learn and Matplotlib libraries
5) Model selection using the LazyPredict and Scikit Learn libraries
6) Hyperparameter optimization using the Scikit Learn library
7) Model performance evaluation using the Scikit Learn library
8) Model packing and inference tests
Advanced Detection & Response with Lima Charlie
by Josh Trombley
I will go through the basics of Lima Charlie and present some interesting advanced detection scenarios. This workshop will act as a primer to using Lima Charlie to create detection content during the event.
- Event Collection
Detection & Response Rules
- Rule Tuning
- Response Actions
Input and Output
- Microsoft Defender
Advanced Detection Scenarios
- Memory Strings detection
- Named Pipe Detections
- PCAP Detections
- Artifact Collection and Analysis
Developing & Testing Cloud-Based Detections Using Atomic Red Team *Delayed until December
by Jose Enrique Hernandez
Atomic Red Team is a library, and it cannot execute the attacks on its own, which means it needs an execution engine to function. In this workshop, we'll use the most popular one, Invoke-AtomicRedTeam, led by Carrie Roberts (@OrOneEqualsOne) and maintained by the Atomic Red Team maintainers. Notably, the Atomic Red Team project is sponsored and hosted by Red Canary, a leading provider of managed detection and response services.
In this workshop, participants will learn how to develop and test cloud-based detections using Atomic Red Team and various cloud-native data sources like Kubernetes audit logs, AWS CloudTrail, and Linux syscall events. We will cover three examples from the MITRE ATT&CK Framework, focusing on the following techniques: T1053.003 (Replace crontab with reference file), T1609 (Exec into a container), and T1136.003 (Create new IAM user). These examples are designed to help you learn the basics of developing and testing cloud-based detections.
Additionally, we'll dive into real-world attack scenarios against AWS to further enhance your understanding of how to detect and respond to threats in the cloud. While we will use Lacework as an illustration for easier data acquisition, it's important to note that you can also utilize out-of-the-box cloud tooling such as AWS CloudTrail logs or other data sources for detecting threats.
Beginning your Detection Engineering Journey with Atomic Red Team
by Kevin Garlow
Atomic Red Team gives you the tools to run techniques that threat actors commonly use, such as different ways to dump credentials, persist malware through modifying the Outlook home page, escalate privileges, modify Group Policy, and more.
In the DEATHCon lab, you can run (and modify) the Red Team scripts, then observe the endpoint events that they generate so that you can develop effective detections for behaviors rather than just file hashes and IP addresses. The trick is in writing a detection that is broad enough to cover variations of the techniques, but narrow enough to avoid flooding your SOC with false positive alerts on benign behavior. This workshop will help you develop the skills that you need to go from attacker technique to well-tuned detection with hands-on practice.
Detection Engineering with RPCFirewall and LDAPFirewall
by Dekel Paz and Sagie Dulce
If you said "All the time!" you probably have experience with incident response!
LDAP Firewall is a new open-source tool that lets you control and audit LDAP requests in order to protect Domain Controllers, mitigate LDAP-based attacks (such as sAMAccountName spoofing and BloodHound) and tightly control access to the Active Directory schema. The tool inspects incoming LDAP operations (which are used to read or modify entries in the Active Directory schema) and allows or blocks the request based on the configured rules. The operation also gets written into the Windows Event Log with the action taken and other relevant fields (Distinguished Name, attributes, OID etc.).
RPC Firewall is another open-source tool released just over a year ago (and recently updated). It allows you to set up auditing of Remote Procedure Calls (RPCs) which will be logged and forwarded to Sentinel so we can hunt and craft detections.
In this workshop we will demonstrate how to run and configure the tools, and how they can be used to block LDAP-based and RPC-based attacks.
Uncovering Adversary Activity with Security Onion
by Bryant Treacle and Wes Lambert
Detection engineering involves developing and deploying custom detections to identify specific types of malicious activity. Security Onion provides a range of built-in detection rules and the flexibility to create custom rules to meet specific needs. We will cover the process of creating and testing custom rules, and discuss best practices for maximizing detection efficacy. Some items we'll cover during this portion of the workshop include:
- Identifying detection opportunities using file, host, log, and network data
- Developing detections within Playbook
- Testing and implementing detections
- Refining detections
- Protocol Tunneling
- Suspicious user agents
- Lateral Movement
- Suspicious Command Line Execution
- Misbehaving PowerShell
PowerShell Attacks and Detections with Empire *Delayed until December
by Edna Jonsson and Maron Harrison
In this workshop, you'll think like an attacker and find many ways to slip malicious PowerShell past AV, AMSI, and EDR defenses -- then use what you learned to write threat hunting rules to discover suspicious PowerShell and analyze it to uncover its secrets.
Linux Threat Hunting Workshop
by Matt Ehrnschwender
In this workshop, we'll attack some Linux servers and sift through the logs to find ways we can more effectively hunt on Linux.
Demystifying C2 Frameworks with Volatility and YARA
by Michael Sebrorowski
We will also briefly discuss the inherent dangers of using off-the-shelf and unverified C2 frameworks.
Unearthing Asp’s Ancient Abode: Detecting Pyramid framework
by Brandon George
We will build defenses around our endpoints to see where the weaknesses lie and how we might exploit them to better protect our endpoints.
How about winning fame and glory among your DEATHCon friends, not to mention some exclusive prizes for winning?
Whether you are in it to win it, or just want to learn by doing and practice in a game environment, this CTF has something for everyone!
Practical DEATH by Velociraptor
by Matt Green
- refresh/links - I will share some recent overview content from Mike that's optional.
- lab setup (I think a standard VM should suffice)
- Performance and best practice
- RDP patch usecase - disk and memory
- bulk artifacts / IOCs
- server content management
- lnk files
- QBot detection and config extraction
Constructing a Post-Exploitation Framework: A Hands-on Workshop
by Alexander Rausch
The server component is built using Python3, while the agent is developed in C and C++. I will provide participants with a basic structure for both components, eliminating the need to start from zero.
The framework comes with essential features such as a reflective loader implementation, straightforward C2 communication, command dispatching, and an interactive shell interface on the backend. These features are pre-implemented to allow participants to focus on the core aspects of the workshop.
The workshop kicks off with a concise presentation on the architecture of C2 agents, providing a comprehensive understanding of their structure and functionality. Following this, we delve into the rudimentary development and debugging workflow. Subsequently, participants are guided through the implementation of several features, including:
- Execution of commands on the system shell
- Screenshot capturing functionality
- Process injection functionality
- Process injection using direct system calls
This segment of the workshop is expected to span approximately 3 hours. However, if time permits, there is an array of additional content to explore. This includes:
- File upload and download functionality
- Implementation of an interactive system shell
- Keylogger functionality
YARA Query Accelerators and You
by Steffen Enders and Daniel Plohmann
In this workshop, participants will gather some first-hand experience with one such YARA query accelerator, its typical limitations, and which rules may profit from it the most. Working against a data set representing a wild mix of benign and malicious files, attendees will be tasked with the creation of various rules to solve a set of detection challenges. Additionally, they will be confronted with ensuring rule compatibility with the query accelerator and optimizing rule performance.
Historically Grown Active Directory Environments
by Michael Ritter
DEATH by Elastic
by Casey Stephens
SIEM/EDR Detection Engineering with Prelude Detect
by David, Waseem, Matt, and Robin from Prelude
Novel techniques are discovered, novel implementations of classic techniques are developed, and suddenly we find that detection engineering we believe to be protecting our network is no longer adequate.
Testing whether each SIEM/EDR detection rule is configured correctly can be extremely challenging. In many cases, we're not able to peer into the detection logic itself. Knowing with certainty that your security controls are working to protect you really isn't possible without testing against those controls directly. A SIEM or EDR, for example, may claim to detect or block some threat, but does it actually?
In this talk, we'll explore the use of Prelude Detect, a prod-scale continuous security testing platform, to enable diagnostics of SIEM and EDR detection content. Using data gathered in Detect, we'll discuss how continuous security testing can notify defenders of deviations from a known, secure state. Additionally, we'll explore how Detect can identify EDR failures and feed these findings back into the EDR to improve detection capability.
Azure AD Battle School: Hands-on Attack and Defense
by Mauricio Velazco