WWHF @ Mile High 2025

Your organization’s recent red teaming exercise revealed critical gaps in detecting advanced attacks, which bypassed the out-of-the-box detections. Your Azure environment proved to be containing several misconfigurations, which led to a comprehensive breach.

In this workshop we will explain several common misconfigurations that can lead to a severe compromise. We'll provide access to an environment which has some of these misconfigurations applied. You will simulate a successful device code phishing attempt after which you will collect data with AzureHound which data we will use to find possible attack paths. We will teach you how to find some of these misconfigurations and how to detect or remediate them.

The lab will have 1 challenge in there that will award a prize to the first to successfully exploit it.

Requirements:
Non corporate laptop with internet access
Docker installed, ideally with a working BloodHound installation.

Join us for a community event centered around Atomic Red Team, an open source library of tests designed to test your organization's security controls. Check out our demos, get some Atomic Red Team gear, learn from your peers, have some snacks, and meet other nerds IRL.

Learn how to use Atomic Red Team to test your defensive controls and exercise your incident response program. One of the open source project’s creators will walk through use cases and test plans based on the most commonly encountered threats and adversary techniques. You’ll walk away knowing how to do the following:

• Leverage open source intelligence to identify top threats and adversary techniques
• Use Atomic Red Team to test your defenses against adversary techniques
• Operationalize and scale your testing using free and open source tools
• Share what you’ve learned with the community

Cybercriminals increasingly leverage Artificial Intelligence (AI) and Generative AI in Open Source Intelligence (OSINT) activities to enhance reconnaissance efforts targeting individuals and organizations. By utilizing AI-driven techniques, attackers can efficiently gather, analyze, and exploit publicly available data, facilitating the creation of highly targeted and convincing social engineering schemes, phishing campaigns, and other forms of cyber attacks. The role of AI in OSINT not only broadens the scope of potential attack vectors but also raises significant considerations for cybersecurity strategies focused on detecting and mitigating AI-enhanced threats.

The Impersonator Shell started as a combination of two popular hacker tools: Netcat and Printspoofer. The exploit is named after the Windows privilege that Printspoofer uses to get administrative access to Windows machines, the SeImpersonate privilege. This shell abuses the SeImpersonate privilege to create an administrative reverse or bind shell.  Users running server software on Windows hosts will commonly have the SEImpersonate enabled. Security engineers who can obtain RCE on said servers can also obtain an administrative shell by abusing the SEImpersonate privilege. Instead of uploading Netcat and the corresponding kernel exploit, security engineers can use the Impersonator shell. If the inbuilt exploit does not work, security engineers will be provided a non-administrative shell. The Impersonator shell can connect to a Metasploit listener and be upgraded to a meterpreter shell. The Impersonator Shell can also leverage native Windows API functions to grab a process and capture information about the token associated with the process.  People who attend this talk can expect to learn the inner mechanics of reverse shells and bind shells, Offensive Windows API use, and the basics of exploit coding in the C programming language all under the umbrella of the newly created Impersonator shell.

Learn how to use Atomic Red Team to test your defensive controls and exercise your incident response program. One of the open source project’s creators will walk through use cases and test plans based on the most commonly encountered threats and adversary techniques. You’ll walk away knowing how to do the following:

• Leverage open source intelligence to identify top threats and adversary techniques
• Use Atomic Red Team to test your defenses against adversary techniques
• Operationalize and scale your testing using free and open source tools
• Share what you’ve learned with the community

Surveyor is a free and open source tool for quickly baselining your environments to help identify abnormal activity. You can use it to query supported endpoint detection and response (EDR) products in search of potentially dangerous software that shouldn’t be in your environment. In this session, we’ll look at remote monitoring and management (RMM) tools as an illustrative example—they have a variety of legitimate use cases, but bad guys use them as well. You’ll learn how to use Surveyor to list all of the RMM tools present in your environment, including ones you might not expect to be there.

How many times have you heard, "Are you doing anything right now that could [verb] our [noun]?" The answer is sometimes "Yes", always "Maybe", and hopefully "No". After a recent client call, I set up a range and hammered common web servers to figure out the impact that pentesting tools have on typical client systems. I tried to answer questions like, "Does Nuclei cause performance issues for the target?", "Is testssl.sh slowing down that Linux server?" "How many Gobuster threads does it take to max out a standard WordPress server?" In this talk, I'll discuss results from tool testing that may or may not surprise you but will definitely leave you with more evidence for your next client call.

2024 was the year of fear, uncertainty, and doubt about generative AI. Many organizations moved rapidly to deploy AI solutions for "fear of being left behind" while others struggled with understanding their security implications. Regardless of how you feel about AI, one thing is for sure: AI is being embedded in the products your organization deploys. That means stakeholders will be looking to you to secure it. In this talk, Jake will break down the real risks of generative AI applications while helping to dispel the FUD. You'll walk away better equipped to answer questions from stakeholders and the confidence you're focusing your limited security resources in the right places.