--- title: "GCC 2023 Singapore Lectures" --- ## Web Hacking 101 Trainer: Rizan [MY] ### Abstract Learn how to conduct Web penetration tests. This instructor-led class will teach participants how to find and exploit common Web vulnerabilities. Learn how to use Burpsuite, Kali and other open source tools to conduct basic penetration tests. The course is designed to be 70% hands-on and 30% theory. Participants ~~will have to have~~ are expected to have some basic knowledge of IT networking, protocols, Operating Systems (Windows & Linux). ### Trainer Bio(s) Rizan is a passionate information security professional with more than 20 years of experience. He loves anything Linux or open-sourced. He had spent over 13 years securing one of the largest oil and gas company in the world from cyber threats. He holds several industry relevant certifications including OSCP, OSCE, OSWE, CISSP, CREST CRT and 9 public CVEs. He had reported security bugs to the US Department of Defense (US DoD), Spotify, Amazon, General Motors, Toyota, Alibaba, Airbnb, Dell, Starbucks & Rockstar Games. Rizan was also part of a cyber security surveillance group supporting law enforcement agencies globally in the area of lawful interception for mobile and desktop technologies. Prior to his current assignment, he worked at Telenor as a Cyber Security Advisor specializing in offensive security. He has conducted dozens of on-site and remote penetration tests in Sweden, Finland, Thailand, Bangladesh, Malaysia and Myanmar. - https://www.r00tpgp.com - https://hackerone.com/r00tpgp - https://packetstormsecurity.com/files/author/13424/ - https://www.exploit-db.com/exploits/47437 - https://gist.github.com/r00tpgp ## Hackathon of PowerShell Malware Detection Engine **SUGGESTION:** ## Powershell Malware Detection Engine Hackathon Trainer: Shota Shinogi [JP] ### Abstract PowerShell based malware is everywhere. It is often executed ~~from~~ using Office macros, ~~or~~ shortcut(LNK) or exploit + shellcode. The functionality can vary but we have observed that ~~the powershell script used as a stager to download or extract the next malware a lot~~ Powershell scripts are often being used as a stager to download and extract the next stage of the malware, and sometimes as a backdoor or ransomware. The attackers use ~~the~~ PowerShell ~~because it is a default tools on~~ as it is a default tool on Windows and the script can ~~be~~ run without touching the file system; file-less. ~~And~~ Most importantly, there are hundreds ~~way~~ of ways to obfuscate the script to make ~~the~~ detection harder. Microsoft is fighting against malicious PowerShell scripts with AMSI (AntiMalware Scan Interface) but the attackers ~~always use~~ will always find new bypass techniques. The training will start with ~~some~~ a lecture about the basics of PowerShell and its obfuscation techniques. Then the ~~attendess~~ attendees will be split into small groups and ~~get asked to~~ write a detection engine using the PowerShell logging feature of Windows ~~by~~ using Python. The attendees will start ~~with~~ by considering the methodology to detect the malicious script. For example, it can be pattern ~~match~~ matching/ black-listed API, symbols-alphanumeric frequency rates, or even AI based text detection engine. Any methodology will be welcomed as long as the attendees can build it. The last part of the training will be a competition, to determine which detection engine is the best. ~~Each g~~Groups will ~~bring~~ pit their detection engine against one another and we will measure the detection rate using malware samples. ### Trainer Bio(s) Shota Shinogi is a security researcher at Macnica (Japan), a pentest tools author and CTF organizer. He is an expert in writting malware for Red ~~Team purpose~~ Teaming and to evade ~~the~~ detection from EDR, sandbox, IPS, antivirus and other security solutions. He has more than 10 years experience ~~on the Cyber security industries~~ in the cybersecurity industry, starting his ~~carrier~~ career with HDD Encryption, NAC, IPS, WAF, Sandbox. He has spoken in several security/hacking conferences; Black Hat, DEF CON, BSides. He is also contributing ~~for the~~ to education for the next generation security engineers through the Security Camp ~~from 2015 consecutively~~ since 2015 in Japan. ## Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts Trainer: Hiroshi Suzuki / Hisao Nashiwa [JP] ### Abstract C++ is widely used in a variety of malware, such as RATs and banking Trojans, etc. Malware written in C++ is often object-oriented. Analyzing it requires knowledge and experience with classes and their inheritance, vtable, and basic strings, in addition to knowledge of analyzing malware written in C. In this course, attendees will learn how to quickly find and deal with such features. In this course, we will use IDA Free for analysis. Although Ghidra, which is popular among CTF players these days, is useful for analyzing simple and/or small programs, ~~and~~ under certain conditions, it is still inferior to IDA in many aspects, such as processing speed, decompiler accuracy, and a variety of third-party scripts and plug-ins. IDA is still the de facto standard reverse engineering tool. In this course, while learning how to use IDA, we will analyze actual malware written in C++, and aim to learn the techniques including the know-how. Afterwards, we will practice the techniques we have learned through CTF-style games, having fun, cooperating and competing with each other. ### Trainer Bio(s) **Hiroshi Suzuki** Hiroshi Suzuki is a malware analyst, a forensic investigator, an incident responder and a researcher, working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, which is the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX, Mimikatz and so on. He has over 17 years dedicated to these areas. He has been a speaker and a trainer for international conferences such as Black Hat (USA, Europe, Asia and Japan), Virus Bulletin, and FIRST conference (Annual and TC) multiple times. **Hisao Nashiwa** Hisao Nashiwa is a threat analyst, working for Internet Initiative Japan as a CSIRT member of the company. His main jobs include incident response, analyzing malware and analyzing network traffic. He has observed malicious activities for over ten years. He has nine years of experience and knowledge in analyzing malware. He has been a speaker and a trainer for international conferences such as Black Hat and FIRST (Annual and TC) multiple times. ## Hypervisor 101 in Rust Trainer: Satoshi Tanda [JP] ### Abstract In this class, we will learn the basics of hardware-assisted virtualization technologies on x86 through writing a custom hypervisor in Rust for kernel-code fuzzing. Hardware-assisted virtualization such as Intel VT-x and AMD-V is the technology that enables today’s many workloads, including cloud computing, isolated software development and validation, and security research. While the understanding of “how it works” is essential for auditing such solutions ~~as well as using the technology for creative purposes~~, gaining knowledge and experience in this domain is often challenging due to its low-level nature. Given that, this course will offer the basic knowledge of how hypervisors realize the concept of “VMs”, and as an application of the concept, hands-on ~~experiences~~ experience in implementing the snapshot-based fuzzer that runs a target as a VM. The hands-on exercises include learning VMCS/VMBC, EPT/NTP, exception interception as well as debugging of CPU itself using Bochs. With knowledge acquired ~~by~~ from this course, the most successful students would discover 0-day vulnerabilities in non-user-mode software such as kernel and UEFI modules by extending their hypervisors or effectively using similar fuzzers such as WTF with the understanding of ~~underneath~~ underlying technology. ### Trainer Bio(s) Satoshi Tanda (@standa\_t) is a system software engineer and a security researcher with over a decade of experience. His experience spans the areas of virtualization technologies, UEFI- and Windows kernel-module programming and reverse-engineering, vulnerability discovery and exploitation, malware analysis, and teaching them to professionals and school students. He has taught hypervisor development for well over 100 working professionals. He works at CrowdStrike and develops Windows security software in Rust and C++. ## Practial Malware and Ransomware investigations Trainer: Yurii Khvyl [DK/SG] ### Abstract First Part: Practial Malware investigations From capturing sample, different way of ~~analisys~~ analysis(sandbox, protocol, reverse engineering), simulating protocol and monitoring, investigating infrastructure, making shutdown. Will be overviewed different practical cases , where author was involved from begining till the shutdown. **SUGGESTION:** Attendees will explore capturing of malware samples, followed by different ways of analysis (sandbox, protocol, reverse engineering), simulated protocol and monitoring, infrastructure investigation, and system shutdown. The instructor will also give an overview of different real-world cases that he was involved in from the beginning until the end. <END OF FIRST SUGGESTION></END> Second Part: Ransomware Attack Analysis and Mitigation Review of Ransomware technics from first infection vector, and then their different technics to get network access, and used tools. Will be reviewd practical examples of ransomware attacks, and different ways to recover company. (finding weeknes of encryptions algorithm, weeknes in encryption program, and also different ways of ransom payment negotiation). Overview of internal structure of ransomware gangs, and they tools and technics. **SUGGESTION:** Attendees will review ransomware techniques from the first infection vector to different techniques of gaining network access and tools used. Attendees will also review real-world examples of ransomware attacks, and different ways of remediation. (Finding weaknesses in the encryption algorithm/program, ways of ransom payment negotiation). Attendees would also gain an overview of the internal structure of ransomware gangs, and their tools and techniques. ### Trainer Bio(s) Yurri Khvyl has ~~Have~~ ~~+15 years of expirience~~ over 15 years of experience in the security industry. He has worked in CSIS Security Group, Denmark for more than 10 years ~~on position~~ as a Senior Malware Analyst ~~Participated~~ and has participated in different security conferences, like DCC, Frist, AVAR, CARO. ## Web Tracking and Browser Fingerprinting Trainer: Kai-Hsiang Chou [TW] ### Abstract Web tracking is the technique of assigning each user a distinct identifier so that future visits from the same users, whether or not to the same websites, may be recognized and linked. While web tracking techniques have some legitimate usages, they are often used in privacy-intrusive ways, such as profiling and ad targeting. In the early days, many advertisers and website owners relied on stateful tracking techniques. Recently, many have adopted stateless techniques, especially browser fingerprinting, due to their effectiveness and difficulties in blocking them. By running a script to collect browser-specific data, one may identify and track the users without storing any stateful identifiers. This training will introduce several common and novel web tracking techniques, including stateful tracking and browser fingerprinting, their mitigations, and open challenges. We will also discuss some progress in privacy-preserving web tracking. ### Trainer Bio(s) Kai-Hsiang Chou is an undergraduate ~~interesting~~ with an interest in web security. He was the lecturer at HITCON 101 hosted at HITCON 2018 and HITCON workshop hosted at HITCON 2022. Kai-Hsiang Chou is also known as Allen Chou. ## Drone Security and Signal Analysis Trainer: Captain Kelvin [HK/SG] ### Abstract Advancements in UAV (Unmanned Aerial Vehicle) technology are opening new opportunities and applications in various fields ~~of life~~. However, these advancements are also causing new challenges in terms of security, adaptability, and consistency. ~~Especially the small drones are even suffering from architectural issues and the definition of security and safety issues.~~(Ask author for explanantion on the last line) ### Trainer Bio(s) Captain is an independent security researcher. He ~~focus~~ focuses on hardware analysis and forensics research. He is the first and the only ~~one~~ Asian who ~~was leading~~ led a group of white-hat hackers to ~~held~~ hold an in-depth and hands-on hardware hacking village in DEFCON. He ~~was~~ (**is** if speaker still gives speech) also a frequent speaker and trainer in different top-level security and forensics conferences. ## Attacker behavior analysis based on attack vector analysis Trainer: Park Moonbeom [KR] ### Abstract ~~Analysis~~ Analyze hacking ~~technique~~ techniques to analyze the victim system hacked by the attacker, and ~~analysis~~ analyze various logs on the victim system to reconstruct the attacker's behavior. **SUGGESTION:** Attendees will learn to analyze an attacker's TTP (techniques, tactics and procedures), a victim's sytems, and various logs on the victim's system to reconstruct an attacker's behaviour. ### Trainer Bio(s) General Researcher (Ask author for more inputs)