Workshops

There will be one session of workshops at GreHack. All workshops will be scheduled at the same time: you can only attend to one.

• Striking Down Cobalt Strike - by Matt Bromiley
• Introduction to hardware hacking with Hydrabus - by Nicolas Oberli & Karim Sudki
• HydraUSB3 hands-on - by Benjamin Vernoux
• Can’t Grep This: A Gentle Introduction to CodeQL - by Xavier René-Corail & Joseph Katsioloudes & Jaroslav Lobacevski
• Scapy hands-on - by Guillaume Valadon

Workshop descriptions

Striking Down Cobalt Strike - by Matt Bromiley

Two words can make any defender cringe when they hear them: Cobalt Strike. A popular exploit kit used by red teamers, ransomware attackers, and state-nexus actors alike, Cobalt Strike has become the “tool of choice” for many adversaries. Once entry is gained in a network, Cobalt Strike allows an attacker to exploit, move laterally, and compromise accounts and systems, all via relatively stealthy techniques.

However, Cobalt Strike may not be as stealthy as many think. It has telltale signs that, if caught, can stop an adversary in their tracks. In this workshop, we will uncover ways to detect this popular exploit kit, using deep technical analysis of both host- and network-based artifacts. Using what we know about Cobalt Strike’s behavior, we’ll analyze how to:

• Detect process manipulation
• Uncover privilege escalation and account abuse
• Find lateral movement between systems via host artifacts and network traffic.

Attendees in this technical workshop will gain the experience kit within their environment. However, despite its popularity, Cobalt Strike’s use of techni w to detect all types of adversarial activity. Our analysis ta hat can be implemented today. Even better - red teamers who jo s find new ways to remain stealthy in their target networks!

Prerequisites: This is a technical workshop focused on the detection of adversarial activity. Attendees will need some familiarity with (not expert level, but general knowledge of) host- and network-based artifacts. Blue or red teamers with prior experience or knowledge of exploit kits will find this workshop useful and informative.

Introduction to hardware hacking with Hydrabus - by Nicolas Oberli & Karim Sudki

Ever wondered how to start with hardware hacking ? This workshop will present you some simple techniques you'll need to get you started. Of course, the best way to learn is by doing so we prepared a target device for you to fiddle with during the workshop.

At the end of this workshop, you should be able to:

• Identify main components found on a device
• Read and understand a datasheet
• Get to know some of the usual protocols (UART / I2C)
• Dump the contents of a memory chip
• Debug and extract a microcontroller firmware

HydraUSB3 hands-on - by Benjamin Vernoux

HydraUSB3 V1 is an open source developer kit for the WCH CH569 MCU to experiment with streaming / high-speed protocols like HSPI and SerDes through USB3. The workshop is the continuation of the talk "Reverse Engineering of advanced RISC-V MCU with USB3 & High Speed peripherals (WCH CH569)" where the attendance will be able to try by themselves practical examples of communication on USB3 & High Speed peripherals.

Online documentation on the HydraUSB3 open source project: https://hydrabus.com/hydrausb3-v1-0-specifications and https://github.com/hydrausb3

Prerequisites:

• Notions in C language are strongly recommended.
• Laptop 64bits CPU, 8GB of RAM or more, 10GB free on HDD/SSD with at least 1 USB Type-A female USB2 High Speed or USB3 SuperSpeed port (Or an external USB3 Hub)
• For setup on Linux follow this page
• For setup on Windows follow this page
• It is mandatory to use wch-isp (with Zadig driver on Windows)

Can’t Grep This: A Gentle Introduction to CodeQL - by Xavier René-Corail & Joseph Katsioloudes & Jaroslav Lobacevski

In this workshop, we will guide you through writing your first CodeQL query by going over the basics of the language. We will then write incrementally more precise queries to find vulnerabilities in an open source project using real CVE as an example. CodeQL is a semantic code analysis engine that helps identify security vulnerabilities and harmful patterns in source code. This powerful query language allows you to audit code as if it were data, turning bug hunting into a search problem. This workshop is designed for beginners with no prior knowledge of CodeQL.

Learning Objectives:

• Understand the basic syntax of CodeQL queries
• Use the standard CodeQL libraries to write queries and explore code written in C/C++
• Use predicates and classes, the building blocks of CodeQL queries, to make your queries more expressive and reusable
• Use the CodeQL data flow and taint tracking libraries to write queries that find real security vulnerabilities

Prerequisites:

• This is a beginner-accessible course. No prior knowledge of CodeQL is required.
• Some knowledge of the C/C++ language.
• Visual Studio Code
• CodeQL extension for VS Code
• Cloned repository: https://github.com/github/vscode-codeql-starter

Scapy hands-on - by Guillaume Valadon @guedou

Scapy (http://www.secdev.org/projects/scapy & https://github.com/secdev/scapy) is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

This workshop will describe its main features step by step, and will let you explore the following topics:

• packets manipulation
• sending & receiving packets
• visualization
• IPv6 and TLS support
• implementing a new protocol
• answering machines
• automaton
• pipes

Requirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from github