ROOTCON 14 - Red Team Village

ROOTCON 14 Recovery Mode Virtual conference 2020


About ROOTCON 14 Recovery Mode

ROOTCON was founded back in 2008. The word ROOTCON is derived from the two words root (the Unix super-user) and con (conference). ROOTCON was started because of the lack of legitimate security / hacking conferences in the Philippines, and the way the conference is run is fully inspired by DEF CON, the world's largest hacking conference. Like DEF CON, ROOTCON controls and minimizes product pitching from its sponsors, which bores attendees to no end. To maintain its high-caliber talks, ROOTCON screens its speakers and topics through the Call For Papers. Like any other conference, ROOTCON also hosts mind-boggling hacker games such as Capture The Flag, Semprix' Mysterybox and of course the infamous Hacker Jeopardy. ROOTCON has maintained its posture as the neutral ground for the hacking community, both underground and enterprise, and we have been successful in keeping access to the conference affordable for the hacking community. This balance between content and affordability is the reason ROOTCON has consistently been a huge success.

ROOTCON 14 Recovery Mode Virtual Conference 2020, October 8 & 10, 2020

Venue : Online.

Event URL: https://www.rootcon.org/html/recoverymode/
Village URL: https://www.rootcon.org/html/recoverymode/villages#redteamvillage
Schedule: https://www.rootcon.org/html/recoverymode/schedule
Discord: https://redteamvillage.org/discord


ROOTCON 14 Village Agenda:

  • Talks on Red teaming tactics, Offensive cyber security and attack simulation
  • Training/Workshop on Adversarial attack simulation, Red teaming and Offensive cyber security
  • Live Interaction with the speakers and the community
  • Adversaries and Defenders - CTF (Capture the flag competition)

ROOTCON 14 Red Team Village talks:

Talk 1: AMSI.FAIL(s)

Melvin Langvik, BDO Cybersecurity Norway

Abstract: Showcase and background information for the AMSI.FAIL project, as well as examples of possible operational usage.

About the speaker: Melvin Langvik is a 24-year-old computer engineer with a life-long passion for offensive security. He is currently working for BDO CyberSecurity in Norway as a penetration tester and previously worked as a C# Azure developer and integrations engineer. Melvin considers himself passionate about the field and loves contributing to the community. In late 2019 he broke into the HackTheBox hall of fame.



Talk 2: Gathering Vulnerability Intelligence from the Dark Web

Nandakishore Harikumar, CEO at Technisanct

Abstract: It's nothing new for red teams and offensive hackers to buy 0day exploits on the dark web. In the last two years there have been many incidents that require red teams and offensive security researchers to keep a regular third eye on the dark web portals where 0day exploits and other vulnerabilities are sold under the cover of anonymity. From Zoom to Tor, exploits were easily accessible. Threat intelligence has opened up a new, extended area of vulnerability intelligence that needs to be gathered from the dark web and other deep web platforms. The network of anonymous groups extends from the dark web to Telegram/Jabber and to their marketing side on Twitter handles, which helps them gain attention from cyber security journalists.

About the speaker: Nandakishore Harikumar is a cyber security entrepreneur. He is the CEO and founder of a cyber security start-up named Technisanct and is widely quoted in national and international media. He is an engineer turned entrepreneur. His start-up is backed by IIT Mandi, the Data Security Council of India (DSCI), the India Accelerator Program and GAN (Global Accelerator Network). He was also the co-founder of the private intelligence firm Seclabs and Systems, based in Noida, Delhi.



Talk 3: The Year of the C2 (Command & Control)

Quentin Rhoads-Herrera
Director Critical Start, Inc. | TeamARES

About the speaker: As CRITICALSTART’s director of professional services, Quentin leads the offensive and defensive teams known as TEAMARES. He is an experienced security professional with expertise in security analysis, physical security, risk assessment, and penetration testing. Quentin’s diverse background is built from a variety of staff and leadership positions in IT, with specific experience in threat and vulnerability management, penetration testing, network operations, process improvement, standards development and interoperability testing.

Charles Dardaman
Senior Adversarial Engineer at Critical Start, Inc. | TeamARES

About the speaker: As a Senior Adversarial Engineer on TEAMARES, Charles brings numerous years of experience in both offensive and defensive security. He is an expert in both network and web application penetration testing, as well as reverse engineering and binary analysis. He is an active member of the local security community, and often speaks at cybersecurity meet-ups.

Abstract: DeimosC2 is a Golang-built command and control application that supports multiple communication methods such as QUIC, TCP, HTTPS, DoH, and pivot TCP. We have agents that run on Windows, Linux, Darwin, and Android, with iOS to come. For security purposes, each listener has its own RSA public/private key pair that wraps the AES encryption used with the agent, making forensics more difficult. Each agent also supports functionality such as jitter, delay, EOL, and live hours to make it harder to detect. We also support webshells for the times when you have an arbitrary file upload on a website, and let you manage your webshell from the C2. You can then take that webshell access and deploy a C2 agent to further your control over the victim's device.
DeimosC2 also supports modules for multiple operating systems that have both agent and server sections. This allows us to collect looted data. DeimosC2 has a GUI built with Vue.js that makes it easier to use and supports collaboration between multiple red teamers. It supports MFA, password length restrictions, and two user roles (admin and user). The C2 server also supports archiving of the database and all log files for historical purposes; these archives can be replayed if the C2 infrastructure needs to be stood back up, and include the compiled agents that were used during the engagement.
One of the key features of DeimosC2 is that agents and modules can be developed in any language as long as the responses to the C2 server are in the correct format, which we made JSON to simplify everything. This makes it easily extendable. It is also easy to add custom agent functions, as we did after a DEF CON talk released the concept of Domain Hiding, which we instantly added to our HTTPS agent. DeimosC2's future is moving towards mobile as a way to highlight the lack of security around enterprise mobile devices.



Talk 4: Data Enrichment and Intel to Automate Operational Intelligence

Haran Kumar
Solutions Architect - Security Specialist at Elastic

Abstract: A recent problem in mitigating cyber attacks is that threats are evolving into a highly sophisticated landscape. It is challenging to address "known unknowns and unknown unknowns". As data sets increase in size and complexity, so does the human effort required to inspect dashboards or maintain rules for spotting infrastructure problems and cyber attacks. Enriching your internal telemetry with automated threat intel lookups, even at the pre-ingestion phase of the data, adds value to the data set for efficient hunting and automates the production of highly valuable operational intelligence.
This paper talks about automating the enrichment of alerts and telemetry with both pre-ingestion and post-ingestion methods to address sophisticated threat landscapes.

About the speaker: Skills-driven and passionate security professional with extensive experience in SOC architecture, SIEM log management, endpoint security, incident response and cybersecurity operations. Currently living his security passion by helping projects and prospects architect security solutions with the Elastic Stack. Working as a solutions architect managing cybersecurity use cases as a security specialist with Elastic.



Talk 5: DockerENT: Open-source Docker runtime analysis framework

Rohit Sehgal
Cyber security engineer at Visa

Abstract: DockerENT is an activE ruNtime application scanning Tool (RAST tool) and framework that is pluggable and written in Python. It comes with a CLI application and a web interface written with Streamlit. DockerENT is designed with the fact in mind that weak configurations introduced during deployment tend to stick around in production and lead to severe consequences. This application connects to the running containers on the system, fetches the list of malicious runtime configurations and generates a report. If invoked through the CLI, it can create JSON and HTML reports. If invoked through the web interface, it can display the scan and audit report in the UI itself. More at https://github.com/r0hi7/DockerENT

About the speaker: OSCP certified, with a Master's degree from IITK specializing in system security and more than 3 years of professional security experience across development of security services, penetration testing, SecOps, system security, SSDLC and security architecture. Experience in writing Checkmarx SAST audit queries (CxQL). Experience working with SAST and DAST tools. Currently a cybersecurity engineer at Visa. A proud author, engineer, maintainer, and architect of the extremely reliable and privacy-friendly hosted disposable email service TrashEmail. Also engineer and maintainer of DockerENT, a tool that can identify weak configurations inside running Docker containers. Authored a book and delivered various security sessions at international conferences. Inventor of 2 patents and 1 trade secret. An active open-source contributor. Drop by his GitHub too; there is really cool stuff there and you will love it. Delivered various global security trainings at past and current organizations. Loves to create challenging problems for CTFs. Hosted a couple of CTF events, organization-wide and in the public domain. Actively working to make security simple and reachable for every developer. An adventure freak who loves to travel and calls himself a philanthropist, a coder and a CTF player in his free time. Involved in active research in and around security.