{"id":18813,"date":"2022-10-14T09:00:00","date_gmt":"2022-10-14T08:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=18813"},"modified":"2022-10-13T15:43:42","modified_gmt":"2022-10-13T14:43:42","slug":"wavestones-cyber-summer","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/","title":{"rendered":"Wavestone\u2019s cyber summer"},"content":{"rendered":"\n

\u00a0<\/p>\n

This year again, we were delighted to be able to share our knowledge during Hacker Summer camp<\/em> (cybersecurity conferences that happen roughly at the same time in Las Vegas each year: BlackHat, BSides Las Vegas, and DEFCON).<\/p>\n

(Thomas is missing in this picture as he already left DEFCON to attend SANS DFIR Summit in Houston, TX).<\/em><\/p>\n

In this article, we share the materials used for our talks, workshops, and tool demos.<\/p>\n

\u00a0<\/h2>\n

CI\/CD security<\/h2>\n

CI\/CD pipelines are increasingly becoming part of the standard infrastructure within dev teamsand with the rise of new approaches such as Infrastructure as Code, the sensitivity level of such pipelines is escalating quickly. , with the rise of new approaches such as Infrastructure as Code, the sensitivity level of such pipelines is escalating quickly. In case of compromise, it is not just the applications that are at risk anymore but the underlying systems themselves and quite often the whole information system.<\/p>\n

We feel that those infrastructure, while not targeted by attackers for now, will become a prime focus point for attackers in the years to come. Both because of the credentials handled by the pipelines and the usual lack of monitoring on those environments.<\/p>\n

During Hacking Summer Camp, we explained how attackers are beginning to exploit those weaknesses both for supply chains attacks but also to escalate their privileges within the victim IS. We started with a talk at BSides Las Vegas which illustrated an attack path that we had already exploited in a real operation. Then, we conducted two workshops, at both BSides Las Vegas and at DEFCON, to allow students to exploit these attacks on a full-scale lab.<\/p>\n

\"\"<\/p>\n

The lab & slides will soon be published on the GitHub (wavestone-cdt\/DEFCON-CICD-pipelines-workshop (github.com)<\/a>.<\/p>\n

The replay of the talk at Bsides Las Vegas is available on YouTube (https:\/\/youtu.be\/a3SeASgtINY<\/a>).<\/p>\n

By R\u00e9mi ESCOURROU (@remiescourrou), Gauthier SEBAUX (@zeronounours) and Xavier GERONDEAU (@reivaxxavier1).<\/em><\/p>\n

\u00a0<\/p>\n

Industrial Control Systems<\/h2>\n

This year, we taught 2 workshops on ICS cybersecurity at DEFCON:<\/p>\n

An updated version of our very popular \u201cPentesting ICS 101\u201d workshop<\/h3>\n

We covered the basic of ICS and shared some feedback on the state of ICS cybersecurity. Then, using pre-configured virtual machines we learned how to exchange data with PLCs. This was then put into practice on real hardware with our model train setup:<\/p>\n

\"\"<\/p>\n

\u00a0<\/p>\n

A whole new workshop on PLC code security<\/h2>\n

We also started with an introduction to ICS, then dived into programming a software PLC, and demonstrating how applying practices from the PLC TOP20<\/a> can prevent attacks and\/or help detect them.<\/p>\n

To do this, we also created a very simplified process simulation that connects to the PLC simulator, that we also release. This could be used and adapted for ICS awareness and training.<\/p>\n

GitHub – wavestone-cdt\/plc-code-security: Experiments with the Top 20 Secure PLC Coding Practices<\/a><\/p>\n

You can find our process simulation here : https:\/\/github.com\/arnaudsoullie\/simple-process-simulation<\/p>\n

\u00a0<\/h2>\n

DEFCON30 demo lab: EDRSandblast<\/h2>\n

We shared a new and improved version of EDRSandblast during Demo Lab sessions at DEFCON 30. It was the occasion to introduce and detail the detection mechanisms employed by EDRs (user-land hooking, kernel callbacks, ETW Threat Intelligence provider \u2026), to show how to get around them, as well as to showcase the new features of our tool. On the list of updated features: a new detection mechanism is recognized and bypassed by the tool, multiple vulnerable drivers are now supported, EDRSandblast can now be included as a library in a third-party project, and much more!<\/p>\n

You can find the full list of updates, as well as the presentation on GitHub: https:\/\/github.com\/wavestone-cdt\/EDRSandblast\/blob\/DefCon30Release\/DEFCON30-DemoLabs-EDR_detection_mechanisms_and_bypass_techniques_with_EDRSandblast-v1.0.pdf<\/a><\/p>\n

By Maxime MEIGNAN (@th3m4ks) and Thomas DIOT (@_Qazeer).<\/em><\/p>\n

\u00a0<\/p>\n

SANS DFIR Summit 2022<\/h2>\n

In this talk, we gave a brief overview of an AD forest recovery procedure and focused on different means of persistence leveraged by threat actors in Active Directory, some well-known, other less so. Some features of the newly released FarsightAD PowerShell toolkit were also demoed, such as the detection of fully or partially hidden objects using the Directory Replication Service protocol. More techniques are covered in the slides than what was presented during the talk, so check the deck out!<\/p>\n

You can find the slides and FarsightAD here: https:\/\/github.com\/Qazeer\/FarsightAD<\/a><\/p>\n

By Thomas DIOT (@_Qazeer).<\/em><\/p>\n

\u00a0<\/p>\n

Happy reading, happy testing, hack the planet 😊<\/p>\n

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0 This year again, we were delighted to be able to share our knowledge during Hacker Summer camp (cybersecurity conferences that happen roughly at the same time in Las Vegas each year: BlackHat, BSides Las Vegas, and DEFCON). (Thomas is…<\/p>\n","protected":false},"author":20,"featured_media":18803,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3273,3977],"tags":[4169,4170],"coauthors":[780,3896],"class_list":["post-18813","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethical-hacking-indicent-response-en","category-focus","tag-camp-2","tag-hackers-2"],"acf":[],"yoast_head":"\nWavestone\u2019s cyber summer - RiskInsight<\/title>\n<meta name=\"description\" content=\"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Wavestone\u2019s cyber summer - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-14T08:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1386\" \/>\n\t<meta property=\"og:image:height\" content=\"728\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Arnaud Soulli\u00e9, Maxime Meignan\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Arnaud Soulli\u00e9, Maxime Meignan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\"},\"author\":{\"name\":\"Arnaud Soulli\u00e9\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79\"},\"headline\":\"Wavestone\u2019s cyber summer\",\"datePublished\":\"2022-10-14T08:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\"},\"wordCount\":735,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg\",\"keywords\":[\"camp\",\"hackers\"],\"articleSection\":[\"Ethical Hacking & Incident Response\",\"Focus\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\",\"name\":\"Wavestone\u2019s cyber summer - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg\",\"datePublished\":\"2022-10-14T08:00:00+00:00\",\"description\":\"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg\",\"width\":1386,\"height\":728},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Wavestone\u2019s cyber summer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity & digital trust blog by Wavestone's consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79\",\"name\":\"Arnaud Soulli\u00e9\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/arnaud-soullie\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Wavestone\u2019s cyber summer - RiskInsight","description":"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/","og_locale":"en_US","og_type":"article","og_title":"Wavestone\u2019s cyber summer - RiskInsight","og_description":"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/","og_site_name":"RiskInsight","article_published_time":"2022-10-14T08:00:00+00:00","og_image":[{"width":1386,"height":728,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg","type":"image\/jpeg"}],"author":"Arnaud Soulli\u00e9, Maxime Meignan","twitter_misc":{"Written by":"Arnaud Soulli\u00e9, Maxime Meignan","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/"},"author":{"name":"Arnaud Soulli\u00e9","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79"},"headline":"Wavestone\u2019s cyber summer","datePublished":"2022-10-14T08:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/"},"wordCount":735,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg","keywords":["camp","hackers"],"articleSection":["Ethical Hacking & Incident Response","Focus"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/","name":"Wavestone\u2019s cyber summer - RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg","datePublished":"2022-10-14T08:00:00+00:00","description":"This year again, we were delighted to be able to share our knowledge during Hacker Summer camp","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/09\/etecyberwsimage-1couv.jpg","width":1386,"height":728},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/10\/wavestones-cyber-summer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Wavestone\u2019s cyber summer"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity & digital trust blog by Wavestone's consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79","name":"Arnaud Soulli\u00e9","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/arnaud-soullie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18813","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=18813"}],"version-history":[{"count":4,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18813\/revisions"}],"predecessor-version":[{"id":18895,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18813\/revisions\/18895"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/18803"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=18813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=18813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=18813"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=18813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}