SEC-T - 0x10sion

10-13th of September 2024

Quick news update.

As soon as the speaker selection process is finished we will be publishing a preliminary schedule.

We have, however, received a lot of questions about when the talks start and end on the different days.

Community night will open on Wednesday at 18.00. If possible, we will open the doors earlier, but that will be announced on the schedule.

Thursday the conference will open at 8.30 and the talks will start at 9.00.

Friday the talks start at 9.00 and the entire event ends at 17.00.

More information to follow.

Sincerely,

The SEC-T Organizers

Network forensics for incident response

A hands-on network forensics training that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a completely new and unique data set captured over 30 days on an Internet connected network with multiple clients, an AD server, a web server, an Android tablet and some embedded devices.

We will analyze traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors include exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!

Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Day 1: Theory and Practice using Open Source Tools

– Investigating spear phishing email with malware attachment
– Reassembling exfiltrated data
– Identifying C2 traffic in decrypted HTTPS traffic
– Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy
– Using NetFlow with Argus
– Tracking lateral movement with stolen AD credentials
– Searching application layer data with Wireshark, tshark, tcpflow and ngrep
– Threat Hunting with Security Onion
– Leveraging passive DNS to track C2 domains
– Decoding proprietary C2 traffic from a RAT
– Extracting files from PCAP with NetworkMiner
– Sandbox execution of malware and behavioral analysis
– Supply chain attacks
– Extracting files from SMB and SMB2 traffic
– Analyzing exfiltration by an APT style attacker
– Investigating a spear phishing attack with credential theft

Day 2: Advanced Network Forensics using Netresec Tools

– Theory: HTTP Cookies
– Analyzing Cobalt Strike beacons
– Investigation of botnet infection (TrickBot)
– Extracting and verifying X.509 certificates from network traffic
– Learning about Man-on-the-Side (MOTS) attacks, such as NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”
– Investigating a brute force attack on a web CMS
– Analyzing exploitation of a web server
– Tracking commands sent to web shells
– Tracking lateral movement via Linux servers
– Using JA3 to track TLS encrypted malware traffic
– Live TLS decryption lab

Securing public cloud infrastructure

This training focuses on elevating your threat detection, investigation and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure and applications, then teaches you to build defensive guardrails against such attacks using cloud-native services on AWS. This makes it an ideal class for both red and blue teams.

 

By the end of this training, you will be able to:

* Use cloud technologies to detect IAM attacks.
* Understand cloud-native pivoting and privilege escalation techniques and how to defend against them.
* Use serverless functions to perform on-demand threat scans.
* Use containers to deploy threat detection services at scale.
* Build notification services to create alerts.
* Analyze malware-infected virtual machines to perform automated forensic investigations and artifact collection.
* Use Elasticsearch and Athena to build a SIEM and security data lake for real-time threat intelligence and monitoring.

 

**Day 1:**

*Introduction*

– Introduction to cloud services.
– Basic terminology: IAM, VPC, AMI, serverless, ARNs etc.
– Understanding cloud deployment architecture.
– Introduction to logging services in the cloud.
– Introduction to the shared responsibility model.
– Setting up your free tier account.
– Setting up the AWS command-line interface.
– Understanding cloud attack surfaces.

 

*Detecting and monitoring against IAM attacks*

– Identity & access management crash course.
– Policy enumeration from an attacker’s and a defender’s perspective.
– Detecting and responding to user account brute force attempts.
– Building anomaly detection using CloudWatch Events.
– Building controls against privilege escalation and access permission flaws.
– Attacking and defending against user role enumeration.
– Brute force attack detection using CloudTrail.
– Automated notification for alarms and alerts.
– Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.

 

*Malware detection and investigation on/for cloud infrastructure*

– Quick introduction to cloud infrastructure security.
– Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
– Integrating serverless scanning of S3 buckets with the YARA engine.
– Building signature update pipelines using static storage buckets to detect recent threats.
– Malware alert notification through SNS and a Slack channel.
– Adding advanced context to Slack notifications for quick remediation.
– Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

**Day 2:**

*Threat response & intelligence analysis techniques on/for cloud infrastructure*

– Integrating playbooks for threat feed ingestion and VirusTotal lookups.
– Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
– Creating a security data lake for advanced analytics and intelligence search.
– Building dashboards and queries for real-time monitoring and analytics.
– CTF exercise to correlate multiple logs to determine the source of infection.

 

*Network security & monitoring for cloud infrastructure*

– Understanding network flow in a cloud environment.
– Quick introduction to VPCs, subnets and security groups.
– Using VPC Flow Logs to discover network threats.
– VPC traffic mirroring to detect malware command & control.

 

*Forensic acquisition, analysis and intelligence gathering of cloud AMIs*

– Analysis of an infected VM instance.
– Building an IR ‘flight simulator’ in the cloud.
– Creating a Step Functions rulebook for instance isolation and volume snapshots.
– Lambda functions to perform instance isolation and status alerts.
– Building a forensic analysis playbook to extract key artifacts, run Volatility and build case tracking.
– Automated timeline generation and memory dump.
– Storing the artifacts in an S3 bucket.
– On-demand execution of a Sleuth Kit instance for detailed forensic analysis.
– Enforcing security measures and policies to avoid instance compromise.

Attacking and securing APIs

This is a fully hands-on, practical and concentrated course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: in web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementations and infrastructure. This training aims to engage you in creating secure modern APIs, while showing you current attack vectors.

 

You will learn:

Attacking and defending web APIs (REST, GraphQL):
– Learn REST and GraphQL security best practices.
– Create APIs that are easy to use securely and hard to use insecurely.
– Techniques and tools to design, test and attack APIs and microservices.
– Mitigate and defend against security weaknesses in APIs.
– Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.

Attacking and securing Amazon cloud (AWS) APIs and infrastructure:
– Perform post-exploitation and pivot attacks against AWS environments.

Performing modern injection attacks:
– Attack and defend against injection vulnerabilities such as Template Injection, SQL injection, NoSQL injection, pickle and YAML deserialization, object injection etc.

Securing passwords and secrets in APIs:
– Learn how to effectively manage the problem of credential storage.
– Attack insecure password protection schemes and export credentials.
– Utilize open-source and platform-independent credential management solutions.
– Implement secure password storage and handling.

API authentication and authorization techniques:
– Understand the intricate and minute details of authentication and authorization frameworks and technologies.
– Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
– Understand OAuth2, JWT/JWS and other authentication technologies.
– Attack and fix insecure JWT and cookie implementations.
– Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
– Implement and attack multi-factor authentication for APIs.

Designing secure API architecture:
– API and microservices security architecture.
– Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
– Learn and understand cache security and what threats and vulnerabilities can arise from insecure caching methods and configurations.
– Attack and secure cache implementations and infrastructure.

Securing development environments:
– Securing source code using secure Git configurations and live monitoring.
– Securing software dependencies and the supply chain.

Introduction to reverse engineering

This one-day training aims to give the participant an introduction to the field of software reverse engineering. We will look at various types of programs, including machine code, Java and JavaScript. They will be analyzed using a mix of static and dynamic analysis, using both off-the-shelf tools and scripts we write ourselves to help us in our effort. The goal of the training is to give both a general understanding of the different approaches available to us as reverse engineers and hands-on experience with applying some of these techniques.

After completing the training the student will have a solid foundation to continue their reverse engineering studies with, as well as a basic toolbox to approach real-world problems, whether it is analysis of simpler malware or debugging third-party software.

Course Contents

The course will cover the following topics. Topics marked with “*” will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training.

● Introduction
○ Why reverse engineering?*
○ Types of reverse engineering*
● Static analysis
○ Disassembly
○ Decompilation
○ Identifying patterns
● Dynamic analysis
○ Debugging
○ Emulation
○ Tracing
○ Hooking
● Technologies
○ Low-level: x86/ARM
○ Mid-level: Java/.NET
○ High-level: JavaScript
● Methodology
○ Automation
○ Signatures**
○ Diffing**

SEC-T 2021 Ticket Release

On Wednesday the 23rd of June 2021 at 20:00 CEST we will be releasing a first batch of 300 tickets for this year’s SEC-T conference.

The conference is set to take place on the 9-10th of September 2021. We will also be releasing tickets for the SEC-T2ion Training taking place on the 7-8th of September.

Attendees of the SEC-T2ion Training are eligible for conference tickets.

Should coronavirus restrictions allow us to run a larger conference, more tickets will be released.

Stay tuned…

Date and venue for SEC-T Spring Pub 2020

This year’s Spring Pub event will take place on the 23rd of April at Cafe Opera.

Expect a social hacker event with a few lightning talks and a nice bar setting. The event is free and open for everyone so save the date and spread the word!

See the Spring Pub page for future updates.

Recordings from SEC-T 2019

After a lot of hard work from our media team, we have now finished cutting and uploading all talks from SEC-T 0x0COMPUTE.

Make sure to check out our YouTube playlist for 0x0C!

Last round of talks announced and tickets now sold out (again!)

We’re super happy to announce that we’ve managed to fill the venue with 750(!) people, up from 450 last year. This means our tickets are sold out, and we can’t extend the venue any further (we changed our booking a few weeks ago so we could fit another 100, but those are sold out as well). However, tickets might become available in case of cancellations or similar.

For non-ticket holders

For those of you who didn’t manage to get a ticket, fear not! There are still things to do:

 

The last talks and speakers

We have now finished the CFP process. We have accepted, and received confirmation from, the last few speakers for this year:

Three more talks confirmed, tickets almost sold out

Three more talks

We are happy to announce another three talks for this year:

  1. Operation SoftCell – a global campaign against cellular providers – by Amit Serper, Mor Levi & Assaf Dahan
  2. How to bug hotel rooms – by Dan Tentler
  3. Chinese Police and CloudPets – by Abe

One seat left on Basics of binary exploitation training

A seat on the Basics of binary exploitation training has opened up. This is the last training seat we have available, so make sure to book it before it’s too late!

Tickets almost sold out

At the time of writing we have fewer than 50 tickets left. We expect to be sold out before the conference, so if you plan on attending make sure to grab one before we’re out!