Talk/Event Schedule

Thursday

Thursday - 05:00 PDT

Thursday - 06:00 PDT

Thursday - 07:00 PDT

Thursday - 08:00 PDT

Thursday - 09:00 PDT

Thursday - 10:00 PDT

Thursday - 11:00 PDT

Thursday - 12:00 PDT

Thursday - 13:00 PDT

Thursday - 14:00 PDT

Thursday - 15:00 PDT

Thursday - 16:00 PDT

Thursday - 17:00 PDT

Thursday - 18:00 PDT

Thursday - 19:00 PDT

Thursday - 20:00 PDT

Talk/Event Descriptions

SOC - Thursday - 19:00-20:59 PDT

Join the local DC702 Group in this year's official DEF CON Meetup! The meetup will be casual and include typical meetup activities (e.g., socializing, "challenges," lockpicking, etc.) and maybe a few little surprises. To stay up-to-date, check out dc702.space/dc32-meetup.

DDV - Thursday - 16:00-19:59 PDT

About Us

The Data Duplication Village has all the updated bits and bytes available from infocon.org packed up into nice, neat packages. If you're looking for a copy of all the things, we've got what you need to fill up all your storage including a few nice hash tables and all of the DefCon talks. Add to that just about every other security con talk known to hacker-kind! Our village provides a "free-to-you" service of direct access to terabytes of useful data to help build those hacking skills and talk with other storage enthusiasts.

Check the schedule and/or dcddv.org for the most up-to-date information.

How It Works

The DDV provides a core set of drive duplicators and data content options. We accept 8TB and larger drives on a first come, first served basis and duplicate 'till we can no longer see straight. Bring in your blank SATA3 drives - check them in early - to get the data you want. Come back in about 24 hours to pick up your data-packed drive. Space allowing, we'll accept drives all the way through until Saturday morning - but remember, it's FIFO - get those drives in early!

What You Get

We're working on more content right up until the last minute so keep checking on dcddv.org for the latest. This year, we're adding new data to duplicate! Humans will be able to choose from the following data sources for duplication:

• A) Infocon.org Archive - 6TB archive of all the past hacking convention videos that DT could find, built on last years collection and always adding more for your data consuming appetite.
• B) Rainbow tables 1 of 3 - 6TB from freerainbowtables.com, the Lanman, MSQLSHA1, and NTLM hash tables plus freerainbowtables.com tools
• C) Rainbow tables 2 of 3 - 6TB from freerainbowtables.com, the A5/1 GSM, and MD5 tables plus freerainbowtables.com tools
• D) Vx Underground Archive - 8TB archive of the latest papers, samples, and code from Vx Underground
• E) Rainbow tables 3 of 3 - 8TB of New NTLM-9 hash tables and a copy of the Infocon.org mirrors

MISC - Thursday - 05:00-07:59 PDT

Thursday, Friday, Saturday and Sunday: 05:00 to 08:00, with random pop up meetings throughout the day in the con space.

Defcon.run is an evolution of the now long running DEF CON 4x5K running event. Due to stupendous growth, we’ve been forced to change up the format. This year's activity will look to match up folks for fun runs, and rucks (!), in small distributed groups around Las Vegas. It’s the same old event but at a distributed scale!

Show up in the morning, go for a run with folks, have a good time!

We’ll have a full set of routes for people to choose from from simple 5Ks to more ambitious distances. Full Information at https://defcon.run

SOC - Thursday - 12:00-12:59 PDT

We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 32 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in room 301. Meetings will be Thursday, Friday, Saturday: 12:00-13:00, 17:00-18:00 Sunday 12:00-13:00

SOC - Thursday - 17:00-17:59 PDT

We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 32 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in room 301. Meetings will be Thursday, Friday, Saturday: 12:00-13:00, 17:00-18:00 Sunday 12:00-13:00

CON - Thursday - 12:00-12:59 PDT

Hybrid Contest On-site Hours: Friday and Saturday 10:00-18:00; Sunday: 10:00-12:00 Becomes available online Thursday 12:00 Online and In-Person platforms will close Sunday 12:00 Players will only be able to turn in scavenger hunt items during On-site Hours.

This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. You, dear Player, are Hac-Man (or Ms. Hac-Man, or Hac-Person), making your way through various dark mazes eating pellets, fruit, and ghosts. Each ghost represents a hacker puzzle or skills challenge. Upon completing each challenge, you’ll be awarded points and can continue on to attempt further challenges. Many challenges have unlockable hints and location information, which you can unlock by spending your collected fruit.

There is a leaderboard! As you collect points, you’ll show up on this leaderboard. The top 10 Players at the end of the game will be awarded various prizes from a prize pool.

HRV - Thursday - 10:00-16:59 PDT

Learn and earn your Amateur (Ham) License @ DEF CON 32 with this free class offered by Dan KB6NU and the Ham Radio Village!

Always been interested in getting your ham license but never had the time to study? Now's your chance! The Ham Radio Village is offering a one-day class where you can learn all the required knowledge to pass the exam.

Topics include: - Electrical Principles - Electronic principles and components - Radio and electromagnetic wave properties - Antennas and Feedlines - Amateur Radio Signals - Safety - Station Setup and Operation - Operating Procedures - Rules and Regulations

After the class, you can earn your license by taking the exam (for free) at DEF CON on your choice of Friday, Saturday, or Sunday. (Online testing is also available post-conference)

The class will run from 10 A.M. to 5 P.M. on Thursday, August 8th at the Clark County Library** located nearby to the LVCC at 1401 E Flamingo Rd. A lunch break will be provided.

Best of all, this class is completely free, thanks to a grant from the Amateur Radio Digital Communications.

Last year, we sold out of capacity and had to turn folks away. We highly recommend placing a deposit to reserve your seat. The deposit will be refunded upon attendance of the class.

Note: this event is not located at the Las Vegas Convention Center but at the nearby Clark County Library. If you're planning on taking public transit, it is directly served by bus routes CX, 109, 202. Free parking (with EV charging) is available onsite.

Clark County Library, 1401 E Flamingo Rd, Las Vegas, NV 89119 Google Maps Apple Maps

This program is not a Library District event. The views expressed and other information presented are solely those of the producing entity.

HDA - Thursday - 10:00-17:59 PDT

DEF CON has made HDA a community, and we now have a community room! This room will be dedicated to the attendees with ADA needs, their friends, helpers, and anyone who wants to hang out and be social! So far we plan on providing charging stations, chill out sessions, an open call for a modular synth jam session, and more to come! Let's all work together to make DEFCON Awesomely Accessible!

(Please note that on Thursday, we will be open only to provide assistance to those in need. Regular community programming will begin on Friday.)

Hang out, chill out deck out your mobility device and more!

MISC - Thursday - 08:00-19:59 PDT

Our human registration process this year will be very similar to previous years. Please be patient. All of the times listed here are approximate.

Basics

Who needs a badge?

A badge is required for each human age 8 and older.

Human?

You are a human if you do not know otherwise. People that are not humans include goons, official speaker, village/community/contest/creator staff, press, black badge holders, or similar. If you are not a human, you need to register separately. If you don't know how, see an NFO goon (NFO Node, formerly known as an infobooth, is where you can get help). The remainder of this message applies only to humans.

Lines? Linecon?

Linecon is your optional opportunity to stand (or sit) in line for human registration to open. Doors will open for linecon on Wednesday at approximately 17:00. When human registration opens on Thursday at approximately 08:00, they start working the linecon queue, and the line will start moving quickly. (Please understand that we will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; we will strive for Thursday 08:00, but actual start may be slightly earlier or later.)

Online badge purchase (aka pre-registration) has no impact on linecon. You can join the line on Wednesday (if you wish) regardless of whether you purchased a badge online or intend to pay with cash. There is only one linecon for both types of badge sales.

Please help us make this a great experience for everyone by following directions given by goons. After human registration opens, there may be one line for all of registration, or there may be two lines (one for online sales (pre-registration) and one for cash sales). This may also change over time, based on available staffing and necessary crowd control. We will strive to make it easily understandable in-person as to which line you should join.

Ways to buy a badge

• $480 online purchase until August 1, 2024. Tickets are transferable. Please read the details on the linked page.
• $460 cash purchase on-site.
• As part of a BlackHat registration.

Online Purchase

You will be emailed a QR code to the email address provided when you bought your badge. Please guard that QR code as though it is cash -- it can only be redeemed once, and anyone can redeem it if they have it (including a photo of it). Badges are picked-up on-site -- they will not be mailed or shipped.

We can scan the QR code either from your phone's display or from a printed copy. You must have the QR code with you in order to obtain your badge. As you approach the front of the line, if you are going to show your QR code on an electronic device, please ensure that your display is set to maximum brightness.

If you pre-registered, but ultimately are unable to attend DEF CON and want to cancel your purchase, the only way to get a refund is from the original online source. We are unable to provide any refunds on-site at DEF CON. There is a fee to have your badge canceled: $34 until July 15, and $84 on and after July 15.

Online purchases are provided a receipt via email when the purchase is made.

Online purchase -- often referred to as pre-registration -- does not allow you to skip any line/queue to pick up your badge. Once you arrive on-site, you will need to join the existing line for human registration. There may or may not be a dedicated line for pre-registration badge pickup, depending on when you arrive, how long the line is, available staff, etc.

Cash Purchase

Badges will be available for purchase on-site at DEF CON. All badge sales are cash only. No checks, money orders, credit cards, etc., will be accepted. In order to keep the registration line moving as quickly as possible, please have exact change ready as you near the front of the line.

There are no refunds given for cash sales. If you have any doubt about your desire to buy a badge, please refrain from doing so.

We are unable to provide printed receipts at the time of the sale. A generic receipt for the cash sale of a badge will be made available on media.defcon.org after the conference. You are welcome to print your own copy of the receipt on plain paper.

Via BlackHat

If you attend BlackHat, it is possible to purchase a DEF CON badge with your BlackHat registration. If you did so, please get your DEF CON badge from BlackHat before they close.

BlackHat should send you an email with instructions for how to obtain your DEF CON badge. In case you missed it, you can go to the second floor, at the concierge desk, halfway down Black Hat Blvd.

Misc

Want to buy multiple badges? No problem! We're happy to sell you however many badges you want to pay for.

If you lose your badge, there is unfortunately no way for us to replace it. You'll have to buy a replacement at full price. Please don't lose your badge. :(

If you are being accompanied by a full-time caretaker (such as someone who will push your wheelchair, and will accompany you at all times), please ask to speak to a Registration Goon. Your caretaker will receive a paper badge that will permit them to accompany you everywhere you go.

Still need help?

If you have questions about anything regarding human registration that are not addressed here, please ask to speak to a Registration Goon.

MISC - Thursday - 07:00-01:59 PDT

If you find something that seems to have been lost, please take that item to the nearest NFO Node. The item will enter the DEF CON Lost & Found system.

If you've lost something, the only way to check on it (or reclaim it) is by going to the Lost & Found department yourself. The Lost & Found department is in room LVCC - L2 - W238. You may also call Lost & Found at +1 (725) 377-5045.

The Lost & Found department plans to be open Thursday - Saturday, during all hours that the conference operates. On Sunday, the Lost & Found department will open with the venue at 08:00, but will close at the beginning of DEF CON 32 Closing Ceremonies (15:00). Shortly thereafter, all remaining lost items will be transferred to the LVCC West Lobby Security Office. If you need to reach LVCC's West Lobby Security Office, you may call +1 (702) 943-3532.

MISC - Thursday - 08:00-17:59 PDT

All merch sales are USD CASH ONLY. No cards will be accepted.

The published hours for the merch area are only an approximation: supplies are limited, and when merch is sold out, the merch area will close for the year. (We intend to update this schedule to reflect their true operating status, but this is strictly best-effort.)

Note that the closing hours here are when sales must have ended. For example, if sales must end by 18:00, and we estimate that it will take 2 hours to clear the queue, doors are likely to close around 16:00. Because of this dynamic nature, we can't predict the length of the line or when doors will be closed.

SOC - Thursday - 20:00-01:59 PDT

• 20:00 - 21:00 - Stitcharoo
• 21:00 - 22:00 - Talk Sinn
• 22:00 - 23:00 - deaddoll
• 23:00 - 00:00 - CaptHz
• 00:00 - 01:00 - Relay
• 01:00 - 02:00 - Acid-T

SOC - Thursday - 20:00-01:59 PDT

• 20:00 - 21:00 - Daemon Chadeau
• 21:00 - 22:00 - DotOrNot
• 22:00 - 23:00 - PatAttack
• 23:00 - 00:00 - DJ Vulp
• 00:00 - 01:00 - CTRL / rsm
• 01:00 - 02:00 - Grind613

SOC - Thursday - 16:00-17:59 PDT

Come by this informal mixer to meet others in the lgbtqia+ community who are a part of this wonderful world that is InfoSec. This is a safe and inclusive space to meet and talk to others with your shared experience and is a nice environment to network and unwind with a drink.

WS - Thursday - 14:00-17:59 PDT

Assembly language has a reputation for being intimidating, but once you learn the basics--and know how to read the documentation for the rest--there's nothing you can't follow. There are many interesting fields of study in computer security that depend on the ""closer to the metal"" knowledge you'll gain from learning to code in assembly: - Software reverse engineering - Vulnerability and exploit research - Malware/implant development - Digital forensics ...among others. There is no substitute for the confidence that you gain from being able to research and understand computer systems at lower levels of abstraction. The purpose of this workshop is to introduce Intel x64 assembly language to the attendees. We will be using the Microsoft Macro Assembler, and we will be examining our code step-by-step in the x64dbg debugger. No prior programming experience is required--we will be working on things from first principles. There will be few slides. Concepts will be presented primarily within the x64dbg environment, with a focus on experimentation and using primary documentation. Attendees can follow along with their own laptops and programming environments. We will cover the following topics: - Assembling and linking code - The execution environment of x64 programs - Memory - Registers - A wide variety of instructions - Addressing modes - How to read instruction documentation in the Intel manuals - Moving data around - Stack operations - x64 ABI and calling conventions - Representing data - Integer math - Program flow: conditional execution, loops - Leveraging the Windows API - How to read MSDN articles on Windows API functions - Resources for reference and future learning

Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

WS - Thursday - 09:00-12:59 PDT

Threat actors skillfully deploy malware to evade detection, outmaneuvering traditional security tools. In this workshop, "Dissecting Malware for Defense - Crafting Custom Yara Rules", you'll harness the power of malware analysis and crowdsourced intelligence to build tailored Yara rules. These rules will supercharge your security systems, enabling you to detect emerging threats, enhance threat hunting, and accurately pinpoint malicious activity. This fast-paced course will guide you in mastering static and behavioral detections, empowering you to safeguard your organization. By the end, you'll expertly translate malware analysis insights into high-quality Yara rules, bolstering your defensive arsenal.

Francisco is a skilled security professional with a strong background in detection engineering and a keen interest in reverse engineering. With extensive blue team experience, he currently works as a Security Engineer at Google's VirusTotal Research team where he leverages his operational expertise to investigate malware trends and create insightful technical content. Francisco's background includes roles as a SecOps Engineer and Professor of Computer Security.

Josh is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. Josh is an accomplished trainer, providing training at places such as Ring Zero, BlackHat, Defcon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is also an author on Pluralsight, where he publishes content around malware analysis, RE, and other security topics.

WS - Thursday - 14:00-17:59 PDT

The workshop will walk through a number of state of the art techniques used for detection and will show the process of thinking used to research and develop cutting-edge evasion techniques. We will dive deep into interesting aspects of Windows and AV internals with respect to malware development. The focus will be on the mindset used to defeat security products starting with the analysis of a variety of detection mechanisms and ending with the final development of countermeasures. Moreover, the training will contain a number of live demonstrations to practically show how to apply those concepts and how to integrate them, showing how to develop evasive implants and post-exploitation tools. By altering the fundamental rules of engagement, we can confound EDR systems and reshape their perception of the digital environment. The workshop will dig deep into the internals of certain aspects of AV/EDRs and the Windows operating system to identify the area to exploit to lower the detection rate, it will involve the usage of Visual Studio and debuggers.

Dimitri "GlenX" Di Cristofaro is a senior security consultant and researcher at the London office of SECFORCE LTD where he performs Red Teams on a daily basis. The main focus of his research activities is about Red Teaming and in particular on identifying new ways of attacking operating systems and looking for cutting edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.

Giorgio "gbyolo" Bernardinetti is lead researcher at the System Securitiy division of CNIT. His research activities are geared towards Red Teaming support activities, in particular design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space. He is certified OSCP and OSCE, and enjoys playing electric guitar in his free time.

WS - Thursday - 14:00-17:59 PDT

Red and blue are two sides of the same coin. Offensive and defensive teams deliver the best results when working together; sharing knowledge, ideas, and understanding with each other. And a core part of this information exchange is understanding each respective perspective. This is the overarching theme of the workshop; attackers thinking like defenders, and defenders thinking like attackers.

This workshop is the second version of Flipping the Coin and features upgraded attack paths, and lab environments.

By the end of the workshop, attendees will:

1. Understand and perform common offensive attacks (supported by the Metasploit Framework) against Windows Domains, including:

   • Pass the Hash attacks;
   • gMSA Golden Attack;
   • ADCS abuse;
   • Common tunnelling techniques;
   • PrintSpoofer exploits;
   • LSASS exploitation (using Mimikatz);
   • AD enumeration (using BloodHound);
   • DACL abuse;
   • Kerberos golden tickets; and
   • DLL hijacking.

2. Understand the process of detecting attacks against Windows infrastructure, including how to design and implement their own detection rules based on attendees’ previous attacks, using:

   • Sigma/Yara rules.
   • Log ingestion/normalisation platforms, and query engines (e.g. ELK).

3. Understand and appreciate how the actions and processes of red and blue teams are interlinked, for the greater collective good.

Recommended (but not required) prior reading: - https://nooblinux.com/metasploit-tutorial/ - https://posts.specterops.io/introducing-bloodhound-enterprise-attack-path-management-for-everyone-39cfd8d6eb7c - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview - https://socprime.com/blog/sigma-rules-the-beginners-guide/ - https://github.com/socprime/SigmaUI - https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/ - https://posts.specterops.io/certified-pre-owned-d95910965cd2 - https://www.elastic.co/guide/en/security/current/suspicious-print-spooler-point-and-print-dll.html

Much of the material and core concepts of the workshop remain the same from the DEF CON 31 workshop with some updated topics for DEF CON 32, including an updated environment, and gMSA attacks within the lab.

Angus (0x10f2c_) is currently a Senior Security Engineer working at a tech company. He obtained a love for all things computers by scavenging computer parts from local garbage pickups as a kid, and then trying to make them work together without blowing up. Angus eventually realised that a career could be made out of his skills hacking together poorly written LUA code in Garry’s mod, and finished a Bachelors in Network Security. In his professional career Angus has 5+ years working in Security Consulting, working across many industries and gaining many shells. More recently Angus has made the move to a security engineer focused role. When not hacking he loves to ski on the little snow that Australia has, and loves to paint small miniatures while listening to Drone Metal.

Following over a decade in the UK and Australian InfoSec industries, including an 8-and-a-half year stint in red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at a tech company. His interest and experience is in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and making piano-related noise.

WS - Thursday - 14:00-17:59 PDT

In the 201 version of Hide your kids, turn off your Wi-Fi, they Rogue APing up in here, we will launch the next level of attacks using Rogue APs and other wireless tools. We will look into different ways to attack wireless networks and leverage credentials harvested to gain a foothold, PITM, deliver payloads, and demonstrate impact to the client. During the workshop we will walk through different attacks against OPEN, WPA2, and 802.1X networks. During the CTF participants will have the chance to attack a simulated client network to leverage the attacks learned during the workshop. We will be using EAPHAMMER, BERATE_AP, WIFIPUMPKIN3, BETTERCAP, and RESPONDER. This workshop will be at the Intermediate level(all skill levels welcome), participants should have a solid knowledge of Linux, 802.11, networking, and using virtual machines. It is recommended that all students use the provided VM.

James Hawk (He/Him) is a Senior Consultant with Google Public Sector, within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to multiple assessments (Red Teams and Pen Tests). He has developed internal training and tool updates for 802.11 for his company and team. James is a 20-year veteran of the U.S. Army and has over 10 years of hands-on experience in wireless technologies. James is always researching/testing 802.11 attacks against his home lab. He is a fan of hockey, Letter Kenny, and almost anything Sci-Fi.

WS - Thursday - 14:00-17:59 PDT

Command and Control (C2) play a crucial role for Red Teams and Advanced Persistent Threats (APTs), establishing persistent access and control over targeted networks. This workshop offers an in-depth exploration of the C2 frameworks, with a specific focus on the open-source Empire framework. Participants will gain valuable insights into the deployment, features, and real-world application of C2 in offensive security. Attendees will learn how to leverage Empire to create, customize, and execute advanced attack scenarios, honing their skills as red team operators. Through practical exercises, attendees will learn to navigate the Empire framework, from basic setup to deploying sophisticated C2 infrastructures. The workshop covers key aspects such as listener configurations, agent management, and the utilization of Empire's diverse modules for effective post-exploitation. A unique feature of this training is the inclusion of a mini Capture-The-Flag (CTF) challenge, offering participants a hands-on opportunity to apply their skills in a controlled, competitive environment. By the conclusion of this workshop, participants will be equipped with the knowledge and skills to leverage the Empire framework effectively in their red team operations, enhancing their capabilities in conducting advanced cyber attacks and navigating the complexities of modern cybersecurity landscapes. Key Workshop Highlights: Comprehensive Introduction to Empire: Gain a solid understanding of Empire's capabilities, setup procedures, and its role in modern offensive operations. Hands-On Deployment and Configuration: Learn through doing, with exercises designed to build proficiency in configuring Empire, managing agents, and customizing listeners. Advanced Attack Scenarios: Delve into sophisticated techniques for post-exploitation, credential harvesting, and evasion, enhancing your arsenal as a red team operator. Real-World Application: Translate workshop learnings into actionable skills through a mini CTF challenge, simulating real-world offensive scenarios in a cloud-hosted environment.

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Kevin "Kent" Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.

Rey "Privesc" Bango is a Principal Cloud Advocate at Microsoft focused on empowering companies and information technologists to take full advantage of transformative technologies. He works to build patterns and practices that streamline the development of solutions that take advantage of Artificial Intelligence and Machine Learning while ensuring that trust and confidence are a top priority, whether through security or responsible use of technology. Since 1989, Rey has explored the world of information technology through the lens of software developer, open-source contributor, cybersecurity practitioner, and an advocate for the secure and responsible use of artificial intelligence for social good.

WS - Thursday - 09:00-12:59 PDT

Connected medical device and medical device security assessments utilize a varying and wide range of practices, from reverse engineering to hardware exploitation. If you have ever been curious about how to get started, this is the class for you. We will be covering how to get started in Adversarial Medical Device testing, tooling, tactics, exploits and certain bypasses to restrictions you may encounter during testing these devices. Use the tactics learned to exploit devices within the Device Lab!

Alex is medical device testing sledgehammer. He is a DevSecOps guru for a large medical device company and cut his teeth building, maintaining and hacking medical devices.

Michael Aguilar (v3ga) is a Principle Consultant for Secureworks Adversary Group. He runs Adversary Simulation operations, Physical Security and Network/Web based assessments as well as Adversarial Medical Device Tests. When not doing computer things, he reads a lot and likes to run to de-stress. He is also an avid fan of playing guitar really fast and screaming at people.

WS - Thursday - 09:00-12:59 PDT

Microsoft Configuration Manager, formerly SCCM (System Center Configuration Manager), is a powerful technology that has been used to deploy software to Windows systems in the majority of enterprise environments since it was released by Microsoft in 1994. Although SCCM has a high potential for abuse due to its privileged access to entire fleets of servers and workstations, it has not been heavily researched or leveraged by security professionals until recently, presumably due to the time-consuming installation process and learning curve. In this workshop, students will be provided access to a live environment that reflects an enterprise SCCM deployment, gain an understanding of how the different components of SCCM interact, and learn how to execute recently discovered attack primitives that can be used compromise SCCM clients, servers, and entire hierarchies. By completing both guided exercises and optional CTF challenges in this lab environment, students will learn how to demonstrate the impact of attack paths involving SCCM.

By the end of this workshop, participants will be able to: - understand the foundational concepts needed to attack and defend SCCM - understand SCCM defaults and configurations that can be abused - use SCCM to complete a realistic attack chain, including recon, privilege escalation, credential gathering, site takeover, and lateral movement - understand how to use offensive security tools to interact with SCCM, such as SCCMHunter, SharpSCCM, sccmwtf, PXEThief, and ntlmrelayx

To get the most out of this training, participants will benefit from reviewing the following resources, although they are not required: - Misconfiguration Manager (misconfigurationmanager.com) - System Center Configuration Manager Current Branch Unleashed, by Kerrie Meyler - Configuration Manager Terminology - Looking Inside Configuration Manager - Network Design - Client Management

This workshop is the second version of Flipping the Coin and features upgraded attack paths, and lab environments.

By the end of the workshop, attendees will:

1. Understand and perform common offensive attacks (supported by the Metasploit Framework) against Windows Domains, including:

   • Pass the Hash attacks;
   • gMSA Golden Attack;
   • ADCS abuse;
   • Common tunnelling techniques;
   • PrintSpoofer exploits;
   • LSASS exploitation (using Mimikatz);
   • AD enumeration (using BloodHound);
   • DACL abuse;
   • Kerberos golden tickets; and
   • DLL hijacking.

2. Understand the process of detecting attacks against Windows infrastructure, including how to design and implement their own detection rules based on attendees’ previous attacks, using:

   • Sigma/Yara rules.
   • Log ingestion/normalisation platforms, and query engines (e.g. ELK).

3. Understand and appreciate how the actions and processes of red and blue teams are interlinked, for the greater collective good.

Recommended (but not required) prior reading:

• https://nooblinux.com/metasploit-tutorial/
• https://posts.specterops.io/introducing-bloodhound-enterprise-attack-path-management-for-everyone-39cfd8d6eb7c
• https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
• https://socprime.com/blog/sigma-rules-the-beginners-guide/
• https://github.com/socprime/SigmaUI
• https://blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/
• https://posts.specterops.io/certified-pre-owned-d95910965cd2
• https://www.elastic.co/guide/en/security/current/suspicious-print-spooler-point-and-print-dll.html

Much of the material and core concepts of the workshop remain the same from the DEF CON 31 workshop with some updated topics for DEF CON 32, including an updated environment, and gMSA attacks within the lab.

Since 2022, Chris, Duane, and Garrett have released a combined 8 blog posts and authored 3 tools (SharpSCCM, SCCMHunter, and Misconfiguration Manager) that demonstrate novel offensive techniques to abuse SCCM functionality.

Chris Thompson (@_Mayyhem) is a Principal Consultant at SpecterOps, where he conducts red team operations, research, tool development, and training. Chris has instructed at Black Hat USA/EU and spoken at Arsenal, DEF CON Demo Labs, SO-CON, and Troopers. He is the primary author of Maestro and SharpSCCM and co-author of Misconfiguration Manager, an open-source tool and knowledge base that can be used to help demonstrate, mitigate, and detect attacks that abuse Microsoft Configuration Manager (formerly SCCM).

Duane Michael (@subat0mik) is a Managing Consultant at SpecterOps, where he conducts red team operations, penetration tests, research, course development, and training. Duane has instructed courses on red teaming and vulnerability research at BH USA/EU, NorthSec, and SO-CON. He has presented at Arsenal and DEF CON Demo Labs, contributes to various open source projects, and is a co-author of Misconfiguration Manager.

Garrett Foster (@garrfoster) is a Senior Consultant at SpecterOps, where he conducts red team operations, penetration testing, research, training, and course development. Garrett has presented at WWHF and BsidesPDX. Garrett is a the primary author of SCCMHunter and a co-author of Misconfiguration Manager.

WS - Thursday - 09:00-12:59 PDT

Arjun Gopalakrishna is a Senior Software Security Engineering Manager in Azure Security with more than a decade of experience at Microsoft. His work has been instrumental in fortifying Microsoft's Azure platform against a myriad of cyberthreats. His expertise lies in developing and implementing robust security measures to protect cloud-based systems and data. Arjun has presented at DEFCON in 2021, in addition to numerous security talks internally at Microsoft. Arjun's commitment to continuous learning and development, coupled with his passion for cybersecurity, continues to drive his contributions to the field.

Gautam Peri is a Senior Security Engineer in EPSF SERPENT (Service Pentest) team at Microsoft. He has over 8 years of experience as a security professional in multiple organizations including Microsoft and Citibank N.A. He started his career as a software developer and became a security professional. Currently, Gautam focuses on securing in Azure Edge & Platform & Devices services at Microsoft. He is passionate about identifying vulnerabilities at scale. Gautam presented at multiple internal events and got accepted to OWASP BASC (Boston Application Security Conference) 2024. Gautam holds CISSP & GCPN certifications, he is committed to continuous learning and development and drives internal knowledge share events.

Marcelo Ribeiro is a Senior Offensive Security Engineer in Azure Security with over 20 years of experience in various organizations, including Microsoft, IBM, and the Brazilian Navy. As a former Navy Officer, Marcelo was instrumental in establishing the Brazilian Navy's Cyber Security capacity. He also played a pivotal role in building IBM's DFIR (Digital Forensics and Incident Response) practice in Latin America. Currently, Marcelo focuses on enhancing the security of Microsoft's Azure platform against the constantly evolving cyber threats landscape. Always seeking new challenges, Marcelo's commitment to learning keeps his passion for cybersecurity alive. Marcelo holds several certifications, including CISSP, CISM, OSCP, CEH, GXPN, GPEN, GWAPT, GAWN, GPYC, GREM, GISP, GICSP, GRID, GNFA, GCIH, GCIA, GSEC, and MCSE, among others. In 2023, Marcelo was inducted into the EC-Council's CEH Hall of Fame in recognition of his outstanding career achievements.

WS - Thursday - 09:00-12:59 PDT

Code obfuscation is fast becoming a normal part of modern Windows malware. Pioneered by Emotet and popularized by the Conti ransomware leaks, we now see even simple credential stealers using commercial grade code virtualization! The solution… if you can’t reverse it, just run it! In this workshop we will cover different tracing techniques that can be used to bypass and extract information from protected code. The workshop is divided into modules covering tracing with x64dbg, dynamic binary instrumentation with PIN, and API tracing with DTrace. A challenge binary is provided with each module for students to practice and the final challenge is a real world malware sample that has been virtualized. This workshop is aimed at reverse engineers and malware analysts who have experience analyzing malware and are comfortable with debugging in userland. If you don’t have experience with malware but you do have a few hours behind the debugger you should have no problem completing the workshop. Students must bring a laptop/workstation capable of running a Windows Virtual Machine (VM) and a preinstalled Windows 10 (64bit) 20H1(or later) VM with at least 50G of free space. You will be provided with detailed tools installation and setup instructions prior to the workshop

Sean, a co-founder of OpenAnalysis Inc., splits his time between reverse engineering, tracking malware and building automated malware analysis systems. Sean brings over a decade of experience working in a number of incident response, malware analysis and reverse engineering roles.

Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.

MISC - Thursday - 15:00-20:59 PDT

The humans of Vegas invite you to our unofficial welcome party. Whether it's your 1st or 18th time, we're still in the EXACT SAME PLACE. Join us off-Strip in the shade for a volunteer-run grill and chill.

We stock the larder with the basics: burgers, dogs, meatless delights, and all the fixin's. You procure your favorite food, drinks, and sides to keep the party going. Volunteer for setup, grill-up, or clean-up. Most of all, show up and become a part of what makes Toxic BBQ the best place to start your con.

Check out https://www.toxicbbq.org for more news, and watch #ToxicBBQ for the latest info.

Off-site at Sunset Park, Foxtail Pavilion