50 Shades of Purple: Mastering the Art & Science of Purple Team Evolution
by: Pengfei "BigZaddy" Yu
Remember when we thought putting red & blue teams in the same room was revolutionary? Yeah...about that.
After spending quite sometime in the trenches implementing purple teams across various sectors, I've collected enough failures and unexpected wins to piece together what actually works. Trust me - it wasn't pretty at first, but those hard lessons led to something valuable.
My talk ""50 Shades of Purple"" gets right to the heart of the matter. I'll break down why most ""purple team"" exercises fail to deliver real value (hint: it's not the tools), then walk through the 4-phase methodology I developed through painful trial & error - and more importantly, how we transformed that initial framework into a continuous, integrated process that actually keeps pace with today's threats.
We'll explore:
- How we evolved from one-off exercises to a continuous validation ecosystem
- The emergence of ""Continuous Purple Teaming"" as a game-changer
- The good/bad/ugly of manual vs automated testing (& when each makes sense)
- Measuring stuff that executives actually care about
- The path toward Adversarial Exposure Validation (AEV) - Gartner's term for the next evolution in security validation that's transforming how we approach defense
Whether you're struggling with your first purple team exercise or trying to convince leadership why your existing program needs more investment, this talk delivers concrete next steps. No silver bullets or vendor pitches - just honest lessons from someone who's screwed this up enough times to finally get it right.
(P.S. Yes, I know the title is a terrible pun. No, I'm not sorry.)
AI As Your 6th Man: Your Red Team Operator Off-the-Bench
by: ar33zy
Incorporating AI in Cybersecurity has been most prominent in blue team practices, enhancing defensive workflows through automation, from anomaly detection and log analysis to report generation. With vast amounts of data handled and daily repetitive tasks, these cases align well with the concept of AI assistance. However, this AI-driven mindset is also becoming relevant to red teaming, focusing on enhancing speed and adaptability during red teaming engagements.
In this presentation, we will explore how AI can effectively support red team workflows by automating the preparation stage of the pipeline, focused on developing certain outcomes, such as infrastructure setup, scripting, and social engineering prompts. We present real-world use cases demonstrating AI's value in executing these tasks, while addressing the challenges and limitations in accuracy where the operator's expertise is still essential.
Furthermore, we will also deal with the things to consider when making AI your red team companion, with an emphasis on prompt handling and ethical considerations. Based on direct experience of integrating AI into red teaming engagements, our insights will provide a balanced view of AI's role, not as a replacement for human operators, but as a supporting 6th man that enhances efficiency and adaptability within red team operations.
AI-Augmented Threat Detection in the Cloud: Lessons from Building Prowler
by: Sergio "@MrCloudSec" García
With the rapid growth of multi-cloud environments, traditional detection methods fall short against modern threat landscapes. As both attackers and defenders adopt AI, how do we stay ahead without falling for hype?
In this talk, I’ll share real-world strategies to augment cloud threat detection using both open source tools and AI. As a founding engineer of Prowler, one of the most widely used open-source cloud security tools, I’ll walk through how we’ve started integrating AI to:
- Prioritize risks based on context and exploitability
- Detect anomalies across AWS, Azure, and GCP
- Automate triage and remediation suggestions
- Reduce noise in security findings and enhance analyst workflows
This session is highly practical, and grounded in real-world deployments, open-source tools, and the challenges we’ve faced scaling security in cloud-native environments. If you're curious how AI is really reshaping cloud defense, this is your talk.
CLR DLL Side-Loading, a secret technique used by APT41
by: Georgy Kucherin
APT41 is a sophisticated Chinese-speaking threat actor that has been targeting high-profile organizations around the world for more than a decade. Campaigns of this APT have always been regarded as astonishing, as they commonly involve use of complex implants and unique infection techniques.
While researching activities of APT41, we identified a peculiar series of attacks conducted by this actor. It turned out that these attacks had one unique detail in common, as they involved use of a highly interesting defense evasion technique. It has not been previously observed in the wild, and we dubbed it CLR DLL Side-Loading.
As the name of this technique suggests, it allows to side-load malicious DLLs into legitimate processes managed by the CLR environment that is used for running code in languages such as C#, PowerShell or Visual Basic. As we found out, CLR DLL Side-Loading is different from the traditional and well-known DLL Side-Loading technique in a way that it is has less limitations. Unlike the traditional technique, CLR DLL Side-Loading can be leveraged to abuse trusted system libraries, such as ntdll.dll. Furthermore, with this technique, the malicious DLL does not need to be stored in the same folder as the legitimate executable – thus making it more difficult for security solutions to detect side-loading.
In our talk, we firstly provide information on the discovered attacks: we discuss how the observed targets have been infected, describe the detected malicious implants, as well as explain their attribution to APT41. Then we dive into the internals of CLR DLL Side-Loading and detail how it is able to break the above-mentioned limitations of the traditional DLL Side-Loading technique. Afterwards, we demonstrate the wider implications of the discovered technique: as we have found out, it can be used not just to load DLLs into processes, but also establish persistence in interesting, undocumented ways, and even interfere with operations of security solutions. Finally, we conclude the discussion of this technique by stating how developers can prevent their software from being abused with it.
Lights Out and Stalled Factories: Real-World Modbus Exploitation in Industrial Control Systems Using MATRIX
by: Karl Biron
Industrial Control Systems (ICS) remain a high-value target for attackers due to legacy protocols like Modbus, which lack fundamental security features. This paper presents MATRIX (Modbus Attack Tool for Remote Industrial eXploitation), a custom-built offensive security tool designed to simulate and demonstrate real-world Modbus-based cyberattacks in critical infrastructure environments.
MATRIX enables in-depth adversarial testing with capabilities including unauthorized read operations, coil and register manipulation, passive sniffing, replay attacks, denial-of-service, and malicious slave response injection. Each module is crafted to illustrate the operational impact of successful exploitation, bridging the gap between theoretical vulnerabilities and their practical consequences.
Complementing the attack simulations is an OSINT-driven reconnaissance effort that includes Shodan-based global heatmaps of Modbus server exposure, detection of a real Modbus system, and identification of ICS honeypots in the wild. These findings align with insights from my prior IEEE peer-reviewed publication, which ranked Modbus among the most frequently targeted ICS protocols based on honeypot and darknet data analysis.
The presentation will offer live demonstrations of attacks against simulated industrial setups, highlighting how simple protocol-level exploits can cause device manipulation or downtime in operational environments. By combining academic rigor with practical execution, this work aims to raise awareness of Modbus protocol weaknesses and provide defenders with a deeper understanding of the risks and countermeasures associated with insecure ICS deployments.
Lying Lazarus? Or Are We Just Lying to Ourselves? - Understanding DPRK’s Cyber Capabilities
by: Aaron Aubrey Ng
The Democratic People’s Republic of Korea (DPRK) represents one of the most enduring and challenging threats in cyberspace to nation states and private sector companies today. Over the past two decades, DPRK’s cyber capabilities made consistent progress at a rapid pace and continuously evolves with sophistication. Since the pivotal moment in 2013, when Kim Jong-Un declared “cyberwarfare, along with nuclear weapons and missiles, as an All-Purpose Sword (마능의 보검) that guarantees our military’s capability to strike relentlessly”, DPRK has employed offensive cyber operations for an expansive spectrum of objectives. From engaging in DDoS attacks to destructive wiper attacks, political and economic espionage campaigns, to an ever evolving repertoire of financially motivated revenue generation operations, cyber is a key lever of state power wielded to achieve the Kim regime’s strategic priorities.
Since the end of WWII, DPRK remains a totalitarian, closed country, and is considered the most reclusive government in the world. In intelligence parlance, this is a denied area, often requiring significant clandestine government-grade collection capabilities to achieve a very limited understanding of the inner workings of the DPRK state. This status quo holds true with regard to understanding DPRK’s cyber capabilities. For this primary reason, many of the prolific DPRK cyber operations including Dark Seoul, Ten Days of Rain, the Sony Picture Entertainment Hack, the Bangladesh Bank Heist, and WannaCry have been attributed to the “Lazarus Group”. Over time, Lazarus became the mainstream term to refer to the hacking arm of the DPRK government. Due to the dearth in collection coverage, many security researchers stuck with the Lazarus label when attributing DPRK’s intrusions and campaigns, resulting in ambiguity and confusion when others attempt to understand DPRK’s cyber capabilities. Understanding the different institutions within this secretive hermit nation and how they continue to evolve and share resources is paramount in enabling organisations in proactively defend against the DPRK threat.
In that spirit, this presentation will unveil the organisations and structures responsible for DPRK’s cyber operations, offering participants accurate insights into the respective DPRK cyber units. The presentation also examines the evolutionary arc of the DPRK’s offensive cyber program, revealing how the DPRK is dynamically leveraging their cyber capabilities to adapt to their changing geopolitical and economic circumstances. Importantly, the presentation will offer the participants with a current understanding of recent DPRK operations and their respective tactics, techniques, and procedures (TTPs) so as to win the fight against the Adversary.
Oops, I Hacked It Again: Tales and disclosures
by: Ignacio Navarro
Breaking into supermarket systems, ticketing platforms, and more. I’ll share some of my latest hacking stories, showing how I found the vulnerabilities, reported them, and collaborated with the companies. We’ll dive into tools, the challenges of disclosure, the importance of being “ethical”, lessons learned and how these experiences help improve security and build trust between hackers and organizations.
Description
The talk is divided into 6 chapters. In the first one, I’ll relate what an Ethical Hacker is and what he does, and I’ll also prepare the audience for the upcoming hackings tales.
Chapter 2: Hacking tales. In this chapter I’ll talk about different ethical hacker stories that happened to me recently. Each story will have the technical part about how I exploit it and what I can do in the system, the way that I communicate it to the company and their responses.
The first story is about a large supermarket chain. After escalating in some web servers and getting root access, I had read/write access to the customer and employee database and was even able to modify product prices among other things.
The second one is about a ticket sales and distribution company. The results were similar, getting all the tickets, customers and employees, being able to generate some free tickets and getting admin access. But the way to get access was different, and the response from the company was the best, ending in a request for pentesting and a security talk to the entire company.
A transportation company, after some idors and business logic vulnerabilities were able to get all tickets, user data and generate free tickets.
The last tale, an e-commerce platform that allows businesses to create and manage their online stores: A bunch of exposed files, some .js files with the body of apis. After reading some code, we were able to login as any user in any business(Insurance, airlines, banks) including some CEO accounts.
Chapter 3: In this chapter I’ll dive into the different tools(90% open source) that I use on a daily basis, methodologies and the most common mistakes that we can find.
Chapter 4: Different types of disclosure. I’ll explain why this is important, from the point of view of hackers, companies and the community. Below I’ll show the way I always present my reports, following the examples used by my friends and others.
Also, in this chapter I'll show the normal responses from the companies and the way to handle it, cause in some cases it can be frustrating and even threatening.
To close the chapter I’ll talk a bit about BBP and VDP.
Chapter 5 will discuss the impact we can get from good feedback from companies, seeing how more companies have improved their security posture and relationship with hackers. Also, perhaps the most important part, personal growth, recognition and learning new methods/attacks in a real world scenario.
Chapter 6: Ending and conclusions. Part of the takeaways are to encourage new generations to do ethical hacking and help generate a good relationship between hackers and companies. The idea of promoting the ""ethical"" part arises because unfortunately every day we see more cybercriminals selling user data and other confidential information of third parties. We have a responsibility to educate, identify and work on security vulnerabilities.
Outline
- Introduction
- Whoami
- Disclaimer
- What's an “ethical hacker”?
- Hacking tales
- Large supermarket chain
- Tickets sales and distribution company
- Transport company
- E-commerce platform
- Essentials
- Tools
- Methodology
- Common mistakes
- Disclosures
- Types
- Why is it important?
- My way to report
- Other ways to report
- Handling responses from companies
- BBP/VDP
- Impact of ethical hacking
- Feedback from companies who I hacked
- Encouraging others to get involved in ethical hacking
- Conclusions
- Takeaways
- Q/A"
Practical Hacking to RFID
by: Dennis Goh
Malaysia's Touch 'n Go RFID system powers millions of toll transactions daily – but what if an attacker could silently inflate a card's balance to any value? This talk exposes critical vulnerabilities in a key national payment infrastructure, demonstrating a full practical exploit chain against the Touch 'n Go card using accessible RFID research tools.
We dive deep into the hands-on reverse engineering process: capturing card communication, analyzing proprietary protocols, and uncovering the cryptographic (or algorithmic) flaws enabling arbitrary balance manipulation. See a live demo where we weaponize this research to top up a card with any desired value – no physical theft or complex hardware required.
Beyond the spectacle, this session delivers critical insights for:
Red Teams & Pentesters: Methodology for attacking proprietary RFID systems – signal analysis, protocol fuzzing, and algorithmic reverse engineering.
Security Researchers: Understanding systemic flaws in closed payment ecosystems and credential design.
Defenders & Architects: Concrete mitigation strategies – from cryptographic best practices to transaction anomaly detection – to harden similar systems.
This isn't just theory; it's a wake-up call for the physical-digital attack surface. Learn how everyday RFID technology can become a critical threat vector, and how to defend against real-world attacks targeting payment and access systems.
Smart Threats, Smarter Defenses: Leveraging Machine Learning to Shrink and Sharpen Cyber Threat Intelligence on IP Addresses
by: Wilson Chua
In a world drowning in data, bigger isn't always better—especially when it comes to Cyber Threat Intelligence (CTI). As security teams struggle to keep up with bloated threat feeds and ever-growing lists of malicious IPs, a smarter approach is emerging: using Machine Learning to not only accelerate detection but to trim the fat without losing the threat.
This talk dives into the cutting-edge fusion of CTI and ML, revealing how AI-driven models can intelligently reduce massive IP datasets while preserving—and even enhancing—their ability to detect real threats. We'll explore practical strategies, success stories, and pitfalls to avoid when implementing these techniques in live environments. Expect a fast-paced, thought-provoking session with real-world takeaways for anyone serious about improving detection speed, lowering resource demands, and staying ahead of the threat curve.
If you're a cybersecurity leader, threat analyst, or technologist looking to level up your defenses with smart, lean data—this is the session you can’t afford to miss.
The Silent Data Breach: Unintended Exposure of Sensitive Information in Microsoft Enterprise Enrollment, Entra, and Intune
by: OfflineIsNewLuxury & Parameswaran Ganesan
This talk reveals a silent but critical misconfiguration in Microsoft Enterprise Enrollment that allows any authenticated user to export sensitive enterprise user data, including emails, job roles, and contact info, without elevated permissions. We'll uncover how this overlooked flaw can lead to data breaches and share best practices for securely configuring Azure to prevent similar risks.
This is based on a real-world external penetration testing engagement. During the assessment, my team discovered a service account exposed through an insecure website. We were able to leverage this account and abuse a misconfiguration in Microsoft Enterprise Enrollment, Entra, and Intune. This misconfiguration led to the unintended exposure of sensitive enterprise user data, including thousands of employee email addresses, job roles, and contact information. I'm looking forward to sharing the technical details, impact, and lessons learned from this discovery.