WWHF @ Mile High 2025

Everyone else is doing automated testing - why aren't red teamers? Be confident your payload will execute, regardless of the options you picked, by integrating shellidate into your continuous integration pipelines!

Most Endpoint Detection & Response solutions (‘EDRs’) heavily rely on analysing process events for detecting suspicious behaviour; in particular, command-line arguments are inspected for keywords or character sequences that may indicate malicious activity. This is still common practice, despite the widely known fact that a process’ command line can be altered, hidden, or otherwise spoofed, which may bypass such defensive measures.  Lesser known is that, particularly on Windows operating systems, there is a wealth of system-native programs that happily accept ‘unexpected’ command-line transformations, such as character substitutions, deletions or insertions. An implication of this is that command-line-based detections can be bypassed with minimal effort, and unlike command-line spoofing, without the need for special system calls. Tools vulnerable to this include those often leveraged in attacks that ‘live off the land’ (also known as LOLBins or LOLBAS).   This talk will show, based on empirical analysis of the 60 most commonly used LOLBins, how many detections can bypassed making minimal tweaks to how a LOLBins are called. Furthermore, we will introduce a new web-based tool that not only documents the results for all these executables, it allows everyone to generate obfuscated command lines themselves with the click of a button.

This presentation will explore the strategic use of social engineering in penetration testing, focusing on gaining covert access to a client's server room. I will outline how to perform reconnaissance, gather intelligence on company structure, employee behavior, and security vulnerabilities. Attendees will learn effective social engineering tactics such as pretexting, tailgating, baiting, and phishing, all designed to manipulate human behavior and bypass physical security.

I will cover the importance of crafting a believable pretext, from creating fake work orders to using props like ID badges and uniforms, and demonstrate techniques for gaining access to restricted areas like server rooms, and later on how to navigate the target environment, avoid detection, and plant a symbolic flag.

Finally, the session will discuss post-engagement reporting, vulnerabilities identified, and recommendations for strengthening defenses against social engineering attacks.

This talk emphasizes the ethical considerations and the need for careful planning, confidence, and adaptability throughout the operation.

Are you ready to become the Golden Unicorn of cybersecurity—a technical powerhouse who bridges the gap between hacking and risk management? The industry buzz around Golden Unicorns refers to individuals who are not only masters of red teaming but also fluent in the language of governance, risk, and compliance (GRC). They’re rare, powerful, and essential to shaping a secure organization.In this session, we’ll decode the mystery of risk management and why it matters to hackers and red teamers. You’ll learn how the vulnerability tools you already use—like Snyk and Qualys—fit into risk management plans and how to level up your skills to communicate risks effectively to leaders and stakeholders. Plus, we’ll break down how to read workpapers and understand the fundamentals of control assessments, demystifying processes that are critical for effective risk mitigation.This session is packed with actionable insights and practical takeaways—so bring your A-game and get ready to rock and roll. Join me to hack risk management, elevate your career, and become the Golden Unicorn that every organization needs. It’s time to own the spotlight and prove that hackers can lead the way in managing risk with innovation and technical excellence.

In this talk I will cover how you can enrich BloodHound with different fields and edges to expose previously unidentified attack paths. By combining multiple open source tools, it is possible to track password sharing relationships across separate accounts, and even across different Active Directory forests.

In this talk, Mike will cover two highly effective techniques for obfuscating shellcode in your payloads.

Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes and uses each word's position in a dictionary array to resolve the shellcode bytes at runtime. This provides two benefits - your loader doesn't have any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR. We've found Jargon to be highly effective in evading detection.

Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring encryption. Jigsaw uses Python’s shuffle function to create a randomized array of shellcode and then reconstructs the original shellcode at runtime. This eliminates possible signatures related to including encryption libraries in your payload while also avoiding significant increases in entropy. Our research indicates that very few AV/EDR are aware of this technique. This technique could be an effective part of your shellcode loader arsenal.

Large Language Models (LLMs) have opened up the floodgates for a whole new generation of security tooling. One of the most obvious applications is automatic discovery of vulnerabilities which so far has had extremely mixed results. Can LLMs “get good” at vulnerability discovery? In this talk, we cover our approach to the problem going into all the success and fails along the way. Finally, we will be tool dropping VulnHuntr, which implements our approach to using LLMs for discovering vulnerabilities through static code analysis along with presenting a number of 0days that were found by it.

This talk explores the dynamic potential of PowerShell for Linux in the realms of penetration testing and red teaming. Delving into its capabilities, attendees will discover how this versatile tool enhances offensive security strategies. Intended for cybersecurity professionals and enthusiasts seeking to leverage PowerShell's prowess within Linux environments, the session promises insights and practical guidance for optimizing offensive tactics.

Participating in Capture The Flag (CTF) competitions is always a thrilling experience, but this time, I had a secret weapon up my sleeve: AI. From cracking codes to navigating complex cyber challenges, AI became my go-to sidekick. Here's how I teamed up with AI to tackle CTF puzzles and what I learned on this wild ride.

TL;DR: This talk shares our journey building a custom SOAR-like solution for Microsoft Sentinel that 1) combines full-code flexibility with low-code simplicity, and 2) overcomes the limitations of Logic Apps in performance, maintainability, and debugging. Learn about architecture and design decisions, integrations, limitations and other lessons we learned when building our SOAR.
 
Microsoft Sentinel offers a robust SIEM platform, but its automation capabilities are heavily reliant on Logic Apps, Azure’s low-code automation tool. While functional, Logic Apps present a lot of challenges, most notably in performance, maintainability, and debugging. This is especially true for more complex automation needs.
These limitations motivated us to develop a custom SOAR-like solution that combines the flexibility of low-code automation with the power and precision of full-code capabilities.
 
We built a solution designed to:

• Support both full-code and low-code automations.
• Operate modularly across diverse environments.
• Be extensible for custom integrations and enhancements.
• Address known limitations in Sentinel’s native automation.
• Run seamlessly within Azure.

 
In this talk, we share the architecture, implementation, and lessons learned from building this system. Key topics include:

• System architecture and design decisions.
• Integration with Sentinel data.
• UI and dashboarding for visibility.
• External and internal interfaces.
• Caching strategies.
• Error handling, traceability, and debugging.

 
By the end of this session, you will have actionable insights to build or enhance your own automation solutions on Microsoft Sentinel, avoiding common pitfalls and maximizing efficiency.

Insecure Direct Object Reference (IDOR) attacks have been a common vulnerability for decades. It still shows up in lots of big websites including Dell, Reddit, US DoD, GitLab, Shopify, and more. Join Josh Wright for a hackventure in spotting and exploiting this bug as a fun way to get started with bug hunting. Also, #AI.

At DEFCON 32, my team taught over 160 people the limitations of manual code review to solve secrets sprawl. We did not use new tech, we did not use computers or anything that needed electricity. We used paper cards. What we learned along the way was eye opening and changed the way I think about security.  This talk is a quick recap of the surprising findings we unexpectedly gathered and the power of getting away from the keyboard.  I will reveal my new theory on driving better conversations across teams and roles to actually try and improve security and not just show how clever we are.

Between Python version mismatches, virtual environments, and containers, getting even popular software to work on every operating system and setup is more cumbersome than it should be. Hackers should be fighting vulnerabilities, not their own tooling. Nix has solved this for me and I need to share it with people.  It takes "it works on my machine" to a whole new level. Nix suffers from an inordinate degree of mystery that turns a lot of people away from it, but those of us who have pushed through the haze have come to appreciate just how brilliant Nix is. But it doesn't have to be complicated, and I'll be demonstrating that.  

Within and without NixOS, the Nix package management system alone offers hackers the ability to (at a minimum):
- Effortlessly install packages not available in their default repositories
- Replicate system setups for any machine or server with a single file
- Only activate virtual environments and access specific dependencies based on isolated environments or even just entering system directories

This is all done without technologies like Ansible or Docker, making even the base system dependency overhead much smaller.

Since this talk involves creating environments that help users deal with dependency management, tool installation, and system deployment, I'll be demonstrating all of those things. For example, we will:
1. Build a working Python virtual environment, handle all the dependencies, and successfully run highly opinionated tooling (impacket) alongside other highly opinionated tooling (CrackMapExec) using an ".envrc" file of our making.
2. Demonstrate native containerization via systemd-nspawn for keeping hacking tools isolated from the main system.
3. Deploying my favorite tools to a brand new virtual private server to starting hacking from it in seconds.

Much of these capabilities will be available as script and file templates via a Github repo I'll make public alongside the talk.

Malware used in ransomware campaigns and targeted attacks makes a concerted effort to conceal its injected code from AVs, EDRs, and manual inspection. This deception includes removing obvious signs of malicious code like regions that are allocated readable, writable, and executable or DLLs loaded from unusual directories. Instead, modern forms of code injection, such as process hollowing, process ghosting, module stomping, and their many variants are used to bypass scanners that rely on outdated detections. In this talk, attendees will be taken through the methods that modern malware uses to inject code in a stealthy manner along with how such malware can be detected using volatile memory analysis. This analysis will be performed using Volatility 3, the latest version of the most widely used open-source memory forensics framework. Attendees will leave understanding how to detect modern code injection and with slides documenting how to integrate such detection workflows in real-world, enterprise settings.

A successful ransomware attack is the culmination of numerous steps by a determined attacker: gaining initial access to the victim’s environment, identifying sensitive data, exfiltrating sensitive data, encrypting original data, etc. We can all agree that Ransomware is tough. It’s hard on the target, but harder for the Attacker. The logistics of attacking, storing the data, encrypting it locally, uploading, making it as undetectable as possible until they don’t need to anymore. It’s a mess. So, as everybody does it these days, they are paying for a Cloud Service to help with it. This talk will outline how an attacker can abuse the principle of Least-Privilege on KMS keys to encrypt the data on its target's buckets, making them not accessible. This talk will also show how a defender can protect or detect against these attacks, rendering them useless.

I would like for this conversation to be an in depth deep dive into both Nmap and other open source reconnaissance tools. A lot of times peers leave it at the very bare minimum and use the same script everytime they run these open source tools due to the fact they use them so often. These are tools that everyone has access to but they only use about 5% of the tool itself. I have worked with specific Open Source tools to learn every little thing there is to know especially the ones needed for every engagement and would love the opportunity to showcase these different arguments that a lot may not have knowledge of until shown like I was.

This presentation will consist of thorough research on narcotics, narcoterrorism and the fentanyl epidemic are a new cyber crime issue. In my presentation I will speak about how OSINT can be used to combat illicit narcotic transactions , narcoterrorism and uncover valuable information from OSINT on the dark web.

The expansion of wireless technologies has introduced a diverse range of hardware, protocols, and radio frequencies. When a large mix of acronyms and names like LoRa, BTLE, ZigBee, RFID and Wi-Fi are thrown-in, one can easily get confused and overwhelmed.  This presentation offers a comprehensive introduction to the RF spectrum for those new to wireless security that will also provide value for experienced practitioners. By taking a broad, big-picture approach, we'll begin by exploring the electromagnetic spectrum, covering familiar technologies and concepts like infrared, visible light, and x-rays, before narrowing our focus to the portion dedicated to radio frequencies. Key concepts such as wavelength, frequency, and modulation will be explained along the way.  We'll then delve into the specific wireless frequencies and protocols security professionals are likely to encounter, providing practical examples and tools for detecting, analyzing, and testing these devices and signals.

The sheer volume of pentest and vulnerability data can overwhelm security teams, making it challenging to turn this information into actionable insights. Manual reporting and prioritization of findings are often time-consuming and prone to error. This presentation will explore how AI can streamline these processes by automating report writing and prioritizing findings based on business impact and risk frameworks. Attendees will learn how to safely and effectively leverage AI to: Streamline report generation: AI can automatically create comprehensive, customized reports, significantly reducing the time and effort required by security teams. Improve accuracy: By analyzing data objectively, AI minimizes human error and identifies potential inconsistencies. Prioritize findings based on business impact: AI evaluates the potential effects of vulnerabilities on critical business functions, ensuring that remediation efforts target the most significant risks. Align with risk frameworks: AI can assist organizations in aligning their risk management practices with industry standards and regulatory requirements. This session will provide practical insights into how AI can automate pentest and vulnerability reporting, enabling security teams to focus on higher-value activities and make more informed decisions.

The sheer volume of pentest and vulnerability data can overwhelm security teams, making it challenging to turn this information into actionable insights. Manual reporting and prioritization of findings are often time-consuming and prone to error. This presentation will explore how AI can streamline these processes by automating report writing and prioritizing findings based on business impact and risk frameworks.
Attendees will learn how to safely and effectively leverage AI to:

• Streamline report generation: AI can automatically create comprehensive, customized reports, significantly reducing the time and effort required by security teams.
  
• Improve accuracy: By analyzing data objectively, AI minimizes human error and identifies potential inconsistencies.
  
• Prioritize findings based on business impact: AI evaluates the potential effects of vulnerabilities on critical business functions, ensuring that remediation efforts target the most significant risks.
  
• Align with risk frameworks: AI can assist organizations in aligning their risk management practices with industry standards and regulatory requirements.
  

This session will provide practical insights into how AI can automate pentest and vulnerability reporting, enabling security teams to focus on higher-value activities and make more informed decisions

We'll use Scapy, a python packet library, to create packets from scratch - with exactly the fields you want!  This technique can be used either by hand or inside your own python script.  A little familiarity with Python will be helpful.