There will be one session of workshops at GreHack. All workshops will be scheduled at the same time: you can only attend to one.

Workshop descriptions

Striking Down Cobalt Strike - by Matt Bromiley

Two words can make any defender cringe when they hear them: Cobalt Strike. A popular exploit kit used by red teamers, ransomware attackers, and state-nexus actors alike, Cobalt Strike has become the “tool of choice” for many adversaries. Once entry is gained in a network, Cobalt Strike allows an attacker to exploit, move laterally, and compromise accounts and systems, all via relatively stealthy techniques.

However, Cobalt Strike may not be as stealthy as many think. It has telltale signs that, if caught, can stop an adversary in their tracks. In this workshop, we will uncover ways to detect this popular exploit kit, using deep technical analysis of both host- and network-based artifacts. Using what we know about Cobalt Strike’s behavior, we’ll analyze how to:

Attendees in this technical workshop will gain the experience kit within their environment. However, despite its popularity, Cobalt Strike’s use of techni w to detect all types of adversarial activity. Our analysis ta hat can be implemented today. Even better - red teamers who jo s find new ways to remain stealthy in their target networks!

Prerequisites: This is a technical workshop focused on the detection of adversarial activity. Attendees will need some familiarity with (not expert level, but general knowledge of) host- and network-based artifacts. Blue or red teamers with prior experience or knowledge of exploit kits will find this workshop useful and informative.

Introduction to hardware hacking with Hydrabus - by Nicolas Oberli & Karim Sudki

Ever wondered how to start with hardware hacking ? This workshop will present you some simple techniques you'll need to get you started. Of course, the best way to learn is by doing so we prepared a target device for you to fiddle with during the workshop.

At the end of this workshop, you should be able to:

HydraUSB3 hands-on - by Benjamin Vernoux

HydraUSB3 V1 is an open source developer kit for the WCH CH569 MCU to experiment with streaming / high-speed protocols like HSPI and SerDes through USB3. The workshop is the continuation of the talk "Reverse Engineering of advanced RISC-V MCU with USB3 & High Speed peripherals (WCH CH569)" where the attendance will be able to try by themselves practical examples of communication on USB3 & High Speed peripherals.

Online documentation on the HydraUSB3 open source project: and


Can’t Grep This: A Gentle Introduction to CodeQL - by Xavier René-Corail & Joseph Katsioloudes & Jaroslav Lobacevski

In this workshop, we will guide you through writing your first CodeQL query by going over the basics of the language. We will then write incrementally more precise queries to find vulnerabilities in an open source project using real CVE as an example. CodeQL is a semantic code analysis engine that helps identify security vulnerabilities and harmful patterns in source code. This powerful query language allows you to audit code as if it were data, turning bug hunting into a search problem. This workshop is designed for beginners with no prior knowledge of CodeQL.

Learning Objectives:


Scapy hands-on - by Guillaume Valadon @guedou

Scapy ( & is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

This workshop will describe its main features step by step, and will let you explore the following topics:

Requirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from github