ROOTCON Red Team Village

ROOTCON 14 Recovery Mode Virtual conference 2020

About ROOTCON 14 Recovery Mode

ROOTCON was founded in 2008; the name is derived from the two words root (a Unix super-user) and con (conference). ROOTCON was conceived because of the lack of legitimate security / hacking conferences in the Philippines, and the way the conference is run is fully inspired by DEF CON, the world's largest hacking conference. Like DEF CON, ROOTCON controls and minimizes product pitching from its sponsors, which bores attendees to death. To maintain its high-caliber talks, ROOTCON screens its speakers and topics through the Call For Papers. Like any other conference, ROOTCON also hosts mind-boggling hacker games such as Capture The Flag, Semprix' Mysterybox and of course the infamous Hacker Jeopardy. ROOTCON has maintained its posture as the neutral ground for the hacking community, both underground and enterprise, and we have been successful in keeping access to the conference affordable for the hacking community. This balance between content and affordability is the reason ROOTCON has consistently been a huge success.

ROOTCON 14 Recovery Mode Virtual Conference 2020, October 8 & 10, 2020

Venue : Online.

Event URL:
village URL:
ROOTCON Schedule:
Red Team village Discord:

CTF top teams prizes sponsored by

Throwback vouchers sponsored by

ROOTCON 14 Village Agenda:

  • Talks on Red teaming tactics, Offensive cyber security and attack simulation
  • Training/Workshop on Adversarial attack simulation, Red teaming and Offensive cyber security
  • Live Interaction with the speakers and the community
  • Red Team - CTF (Capture the flag competition)

Red Team Village Workshops:

8th October, 2020 10:00 PHT to 19:00 PHT

8th October, 2020 10:00 PHT to 12:00 PHT

Workshop 1: Adversarial Simulation Lab using Splunk Attack Range

Rod Soto, Principal Security Research Engineer at Splunk

Abstract: The Splunk Attack Range framework provides different tools that allow security analysts to test networks, hosts and applications against a number of known adversarial TTPs based on the MITRE ATT&CK framework. The Splunk Attack Range framework allows the security analyst to quickly and repeatedly replicate and generate data as close to "ground truth" as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk Phantom. This 2-hour workshop will provide attendees with access to Splunk Attack Ranges containing adversarial simulation engines (Caldera, Atomic Red Team), target machines and a Splunk server receiving attack data. Instructors will provide step-by-step instructions on where to get the code for the framework, how to build it and how to use it to simulate attacks and create detections and defense artefacts.

  • Objective
  • Where to find it
  • Architecture
  • Configuration
  • Deployment
  • Caldera server
  • Kali Linux
  • Splunk Server
  • Domain Controller
  • Windows Client
  • Use Cases
  • Caldera
  • Atomic Red Team
  • Kali Linux
  • Splunk Server
  • Available Splunk Apps
  • Indexes Available
  • Walk through
  • Dashboards & other knowledge objects
  • Hands on with the Splunk Attack range
  • Executing Atomics
  • Using Caldera
  • Exploring dashboards
  • SPL Kung-fu → find the attack data
  • Build your own!

About the speaker: Principal Security Research Engineer at Splunk. Worked at Prolexic Technologies (now Akamai), and Caspida. Cofounder of Hackmiami and Pacific Hackers meetups and conferences. Creator of Kommand && KonTroll / NoQrtr-CTF.

8th October, 2020 16:45 PHT to 18:45 PHT

Workshop 2: Hacking Modern Desktop apps with XSS and RCE

Abraham Aranguren, Security Trainer, Director of Penetration Testing - 7A Security

Abstract: If you are the kind of person who enjoys webinars with practical information that you can immediately apply when you go back to work, this webinar is for you: all action, no fluff :) “Hacking Modern Desktop apps: Master the Future of Attack Vectors” is a desktop app security course that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your desktop app security auditing kung-fu to the next level. The course covers attacks and mitigations against desktop apps on Linux, Windows and Mac OS X. The focus is on Electron, but the techniques covered will be helpful against other desktop platforms, as will the CSP bypasses and other web security techniques. In this brief 60-minute webinar we will explain what the course covers and give you a few lab samples covering the following topics:

  • Essential techniques to audit Electron applications
  • What XSS means in a desktop application
  • How to turn XSS into RCE in modern apps
  • Attacking preload scripts
  • RCE via IPC

Attendees will be provided with training portal access to practice the attack vectors covered. This includes: lifetime access to a training portal, vulnerable apps to practice on, guided exercise PDFs and video recordings explaining how to solve the exercises.

About the speaker: After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Black Hat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course; OWASP OWTF project leader (an OWASP flagship project); Major degree and Diploma in Computer Science; some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE: Security, MCSA: Security, Security+.
As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp. Multiple presentations, pentest reports and recordings can be found at

ROOTCON 14 Red Team Village talks:

Talk 1: AMSI.FAIL(s)

Melvin Langvik, BDO Cybersecurity Norway

Abstract: Showcase and background information for the AMSI.FAIL project, as well as examples of possible operational usage.

About the speaker: Melvin Langvik is a 24-year-old computer engineer with a life-long passion for offensive security. He is currently working for BDO CyberSecurity in Norway as a penetration tester and previously worked as a C# Azure Developer and Integrations Engineer. Melvin considers himself passionate about the field and loves contributing to the community. In late 2019 he broke into the HackTheBox hall of fame.

Talk 2: Gathering Vulnerability Intelligence from Darkweb

Nandakishore Harikumar, CEO at Technisanct

Abstract: It’s not new for Red Teams and offensive hackers to buy 0day exploits from the Darkweb. In the last two years there have been a lot of incidents where Red Teams / offensive security researchers needed to regularly keep their third vision on these Darkweb portals, where 0day exploits and other vulnerabilities are sold while the sellers' anonymity is ensured. From Zoom to Tor, exploits were easily accessible. Threat intelligence has opened up the scope of a new extended area of Vulnerability Intelligence that needs to be gathered from the Darkweb and other deep web platforms. The network of anonymous groups extends from the Darkweb to Telegram/Jabber and to their marketing side on Twitter handles, which helps them gain attention from cyber security journalists.

About the speaker: Nandakishore Harikumar is a cyber security entrepreneur. He is the CEO and Founder of a cyber security start-up named Technisanct and is widely quoted in national and international media. He is an engineer turned entrepreneur. His start-up is backed by IIT Mandi, Data Security Council of India (DCSI), India Accelerator Program and GAN (Global Accelerator Network). He was also the co-founder of the private intelligence firm Seclabs and Systems, based in Noida, Delhi.

Talk 3: The Year of the C2 (Command & Control)

Quentin Rhoads-Herrera
Director Critical Start, Inc. | TeamARES

About the speaker: As CRITICALSTART’s director of professional services, Quentin leads the offensive and defensive teams known as TEAMARES. He is an experienced security professional with expertise in security analysis, physical security, risk assessment, and penetration testing. Quentin’s diverse background is built from a variety of staff and leadership positions in IT, with specific experience in threat and vulnerability management, penetration testing, network operations, process improvement, standards development and interoperability testing.

Charles Dardaman
Senior Adversarial Engineer at Critical Start, Inc. | TeamARES

About the speaker: As a Senior Adversarial Engineer on TEAMARES, Charles brings numerous years of experience in both offensive and defensive security. He is an expert in both network and web application penetration testing, as well as reverse engineering and binary analysis. He is an active member of the local security community, and often speaks at cybersecurity meet-ups.

Abstract: DeimosC2 is a Golang-built command and control application that supports multiple communication methods such as QUIC, TCP, HTTPS, DoH, and pivot TCP. We have agents that run on Windows, Linux, Darwin, and Android, with iOS to come. For security purposes each listener has its own public and private RSA key pair that wraps the AES encryption with the agent, to make forensics more difficult. Each agent also supports functionality such as jitter, delay, EOL, and live hours to make it harder to detect. We also support webshells for the times when you have an arbitrary file upload on a website that allows you to manage your webshell. You can then take that webshell access and deploy a C2 agent to further your control over the victim's device.
DeimosC2 also supports modules for multiple operating systems that have both agent and server sections. This allows us to collect looted data. DeimosC2 has a GUI built with Vue.js that makes it easier to use and supports collaboration between multiple red teamers. It supports MFA, password length restrictions, and two user roles (admin and user). The C2 server also supports archiving of the database and all log files for historical purposes, which can also be replayed if the C2 infrastructure needs to be stood back up, including the compiled agents that were used during the engagement.
One of the key features of DeimosC2 is that agents and modules can be developed in any language as long as the response to the C2 server is in the correct format, which we made JSON to simplify everything. This makes it easily extendable. It is also easy to add custom agent functions, as we did after a DEF CON talk released the concept of Domain Hiding, which we instantly added for our HTTPS agent. DeimosC2's future is moving towards mobile as a way to highlight the lack of security around enterprise mobile devices.

Talk 4: Data Enrichment and Intels to automate operational intelligence

Haran Kumar
Solutions Architect - Security Specialist at Elastic

Abstract: A recent problem in mitigating cyber attacks is that the threats are evolving into a highly sophisticated landscape. It is challenging to address “known unknowns and unknown unknowns”. As data sets increase in size and complexity, so does the human effort required to inspect dashboards or maintain rules for spotting infrastructure problems and cyber attacks. Enriching your internal telemetry with automated threat intel lookups, even at the pre-ingestion phase of the data, adds more value to the data set for efficient hunting and automates the production of highly valuable operational intelligence.
This paper talks about the automation of enriching data, alerts and telemetry with both pre-ingestion and post-ingestion methods to address sophisticated threat landscapes.

About the speaker: Skills-driven and passionate security professional with extensive experience in SOC architecture, SIEM log management, endpoint security, incident response and cybersecurity operations. Currently living his security passion by helping projects and prospects in architecting security solutions with the Elastic Stack. Working as a solutions architect managing cybersecurity use cases as a security specialist with Elastic.

Talk 5: DockerENT: Open source docker runtime analysis framework

Rohit Sehgal
Cyber security engineer at Visa

Abstract: DockerENT is an activE ruNtime application scanning Tool (RAST tool) and framework which is pluggable and written in Python. It comes with a CLI application and a web interface written with Streamlit. DockerENT is designed keeping in mind that during deployments there are weak configurations that stick around in production deployments and lead to severe consequences. This application connects to the running containers on the system, fetches the list of malicious runtime configurations and generates a report. If invoked through the CLI it can create JSON and HTML reports. If invoked through the web interface, it can display the scan and audit report in the UI itself. More at

About the speaker: OSCP certified, Master’s degree from IITK with specialization in System Security and more than 3 years of professional security experience across development of security services, penetration testing, SecOps, system security, SSDLC and security architecture. Experience in writing Checkmarx SAST audit queries (CxQL). Experience working with SAST & DAST tools. Currently Cybersecurity Engineer at Visa. A proud author, engineer, maintainer, and architect of the extremely reliable and privacy-friendly hosted disposable email service TrashEmail. Also engineer and maintainer of DockerENT, a tool that can identify weak configurations inside running Docker containers. Authored a book and delivered various security sessions at international conferences. Inventor of 2 patents and 1 trade secret. An active open source contributor. Drop by his GitHub too; there is really cool and awesome stuff there, and you will love it. Delivered various global security trainings at past and current organizations. Loves to create challenging problems for CTFs. Hosted a couple of CTF events, organization-wide and in the public domain. Actively working to make security simple and reachable for every developer. An adventure freak who loves to travel and calls himself a philanthropist, a coder and a CTF player in his free time. Involved in active research in and around security.