Texas Cyber Summit II

Model View Controller (MVC)is a software design pattern that decouples related program logic into three interconnected elements allowing for code reuse and parallel development
Support Vector Machine(SVM)are supervised learning models with associated learning algorithms that analyze data used for classification and regression analysis

MVC Components•Model•The central component of the pattern. It is the application's dynamic data structure, independent of the user interface. It directly manages the data, logic and rules of the application.•View•Any representation of information such as a chart, diagram or table. Multiple views of the same information are possible, such as a bar chart for management and a tabular view for accountants.•Controller•Accepts input and converts it to commands for the model or view

Identifying assets on modern networks is more complicated than ever due to the adoption of software defined networks, virtual machine environments, container environments, hybrid clouds, and internet-connected smart devices. This presentation dives into original research and lesser-known techniques that can be used to quickly discovery devices across complex environments, without the use of passive traffic analysis or credentials.

Larry will walk you thorugh the technical details of building nimble Red Team infrastructure that
leverages cloud native orchestration frameworks such as Kubernetes and service meshes
such as Istio. Special attention will be paid to containerizing and developing deployment
artifacts in Helm for popular C2 frameworks. Automated Kubernetes cluster deployment will be covered for AWS, Google Cloud, and Azure. Details will be given on configuring the Envoy proxy as a redirector and filter in order to obfuscate the infrastructure from unwanted probing by defenders. Techniques for real time monitoring of implant communication will be addressed. The talk will also review the recipes currently available in the Kubered framework (https://github.com/cloudc2/kubred) and other resources helpful for cloud native Red Team operations.

Hack the Clouds, see it Rain !

StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
In static analysis, one of the most useful initial steps is to inspect a binary's printable characters via the Strings program. However, running Strings on a piece of malware inevitably produces noisy strings mixed in with important ones, which can only be uncovered after sifting through the entirety of its messy output. To address this, we are releasing StringSifter: a machine learning-based tool that automatically ranks strings based on their relevance for malware analysis. In our presentation, we'll show how StringSifter allows analysts to conveniently focus on strings located towards the top of its predicted output, and that it performs well based on criteria used to evaluate web search and recommendation engines. We’ll also demonstrate StringSifter live in action on sample binaries.

PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.
Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.

GraphQL is a query language for APIs set to replace RESTful architecture. The use of this technology has achieved rapid adoption and is now leveraged by companies such as GitHub, Credit Karma, and PayPal. Despite its popularity, this new approach to building APIs can leave organizations at risk. While it solves real-world problems, proper implementation is left up to developers who often don't fully understand how to secure their API. Security best practices are easily overlooked, and rushed development can leave cracks in the armor. These issues create a new attack surface for us to explore as well as new ways to exploit underlying infrastructure and code. From Queries and Mutations to Types and Fields, properly attacking a target requires that you understand it. We will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology’s intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively.