Jose Fernandez, CompSec Direct

Talk: Frony Fronius – Exploring Zigbee signals from Solar City

Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use Power Inverters/Meters from 3rd parties in order to provide it’s services while making the solution affordable for customers. This research will focus on understanding the communication between the Inverter, Internet Gateway and web portal used to view electrical consumption of subscriber.

Paul Coggin

Talk: Hallowed Be Thy Packets

Blue and Red teams are missing the low hanging vulnerabilities that exist in many enterprise networks today. This session will show in detail how the red team can quickly identify and exploit numerous network protocol vulnerabilities that the previous security test team probably missed. Methods for securing routing and switching protocols will be covered. Detailed PCAP examples will be covered. Recommendations for adding visualization and instrumentation to the network to detect network exploits will be covered.

Sean Metcalf, Trimarc Security, LLC

Talk: Detecting the Elusive: Active Directory Threat Hunting

“Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected?
This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.
One of the latest tools in the offensive toolkit is “”Kerberoast”” which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.
The attacker’s playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.”

Omar Santos, Cisco

Talk: IR Lessons Learned 53 68 61 64 6f 77 20 42 72 6f 6b 65 72 73 2c 20 56 61 75 6c 74 20 37 2c 20 61 6e 64 20 53 79 6e 66 75 6c 20 4b 6e 6f 63 6b

In this presentation we will cover several cases studies explaining the threat exploitation based on target industry-­types. We will cover several lessons learned while performing forensics of compromised embedded devices and infrastructure platforms. We will examine the details of custom sophisticated malware including SynFul Knock, exploits revealed by Shadow Brokers, and other examples. We will also discuss lessons learned in incident response and forensics when responding to these type of threats and incidents.

Jared Haight, Microsoft

Talk: Giving back to infosec: A beginners guide to being helpful

“The infosec community is driven by passionate people who give back through software, talks, teaching, etc. Its one of the things that makes our community a “”community””, but a lot of people don’t feel like they have anything to offer. Those that are new to the industry don’t feel like they know enough and veterans don’t think they have anything original to contribute.
In this feel good talk of the year, we’ll cover how everyone is an awesome and valuable human being who can help make our industry even better. We’ll go over how to contribute to Open Source Projects, how to submit to CFPs, how to help with cons, as well as other ways to help. We’ll also talk about the benefits of not being a sponge and how giving back can advance your career, help you make friends, make you more attractive, increase your APMs, and lead you true happiness.”

Lee Holmes, Microsoft


“Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?
A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.
Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.
Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands.”