Post

Tales from DEFCON 28 Safe Mode - Retrospective

Posted Updated
By Michael Giordano 5 min read

Introduction

DEFCON has been cancelled! The long-running joke come true. Not all is lost though, including my deposit on a room at Planet Hollywood. My wife and I were pretty bummed given this is more or less our one getaway of the year, but all things considered, the right call was made to move to a socially distanced approach for the con.

We still kept our PTO at work for this so we could still enjoy the downtime, watch some talks, and do other staycation stuff in between. Staycation activities, unfortunately, did not include stopping in the LINQ Promenade to eat at Haut Doggery - miss me with that In-N-Out garbage.

Safe Mode Experience

One of the weird things I look forward to at DEFCON is stopping by the swag area to pick up some goodies. Walking in, seeing hundreds of folks looping around caution tape as far as the eye can see, and reluctantly joining the line. While waiting on line, it’s fun to keep an eye on the door to see others come in, look at the line, and leave. Of course there was still the ability to score swag and a badge this year from eBay!

dc28badge

As hectic as it may seem attending in Vegas, given the running from casino to casino and navigating among the chaos at each location, I was more overwhelmed navigating all the different Discord servers and channels - context switching between DEFCON, Blue Team, Red Team Discords, and trying to find the right channel therein. Watching the overwhelming amount of text flying across the screen in lieu of all the madness happening around you IRL. Don’t mind me, I’m just salty because I miss the adventure.

At least there was a beachball emote in the DEFCON Discord.

Red Team Village

There were a lot of great talks in the Red Team Village this year. Of course, most providing great perspective and some knowledge to bring back to the office or elsewhere.

The talk I found most entertaining of the RTV talks this year was @jrwr’s talk “What College Kids Always Get Wrong” JRWR participates in the Collegiate Cyber Defense Competition (CCDC) where a blue team comprised of students get together to go head-to-head in an offense/defense war game against a red team made up of experienced penetration testers. Red team wreaking havoc on blue team newcomers, where the red team has no regard to OPSEC making it all the more fun (peanutbutterjellytime.gif)! The constant interruptions from the mock CEO was choice.

“I’m not going to sell the other house in the Hamptons, I’m gonna fire you first.” -CEO

Blue Team Village

After the awesome badge that the Blue Team Village put together last year, I was looking forward to see how they could top it this year. Unfortunately, there was no BTV badge this year. Not a problem, though! The OpenSOC CTF that is hosted by the BTV is a treat in and of itself, which I’ll cover in a below section.

The talk I enjoyed the most was Detecting The Not-PowerShell Gang by @tas_kmanager which provides useful insight into PowerShell logging capabilities, living off the land (LOLBAS), and dissecting C2 agent/beacon evasion techniques.

Hack for Satan

While I was looking forward to some exercise and a treasure hunt, it wasn’t going to be the same this year. At the time of writing, there isn’t yet a HFS badge but rather some t-shirts to pacify us. Of course, I purchased two! Currently keeping close to HFS’s Twitter and online shop for any badge-related developments. Rumor has it that they’re still held up in the hotel room they used the t-shirt money for.

hackforsatan

OpenSOC CTF

One of the things in my personal DEFCON 27 retrospective was to (try) and sit through an entire OpenSOC CTF. Doing so was substantially easier as, well, I’m at home and didn’t have to walk from casino to casino for other talks. While I didn’t sit beginning to end, I would take a break and watch some talks in the Red and Blue Team Villages, or just step away and eventually come back. Still, I participated more this year than previously, so I guess that’s the “MVP” from my DC27 retrospective!

Armed with awesome open source tools such as Kibana, Moloch, and Graylog, I was prepared to go chipping away at the challenges!

The CTF got off to a rocky start with the scoreboard becoming overloaded with the sudden influx of over 300 teams hitting it all at once! However, the tools maintained availability while the scoreboard was down which gave me time to look ahead and start flagging down any interesting events (which definitely helped as some of the artifacts were required to answer questions down the line), which included:

  • Base64 encoded PowerShell & script block logging events
  • PsTools activity
  • LOLBAS activity

I sat through the CTF for a decent amount of time, completing three different scenarios. By the time I stepped away, I was in 76th place out of around 320 teams. While it wasn’t in the Top 10, I was happy with it considering I participated as a single-person team.

What to do Next Year?

  • Sit even longer through OpenSOC CTF (hopefully in Vegas next year)
  • Less talks, more engagement - talks are usually recorded anyways
  • Get my steps in for HFS badge shenanigans
  • Make a more technical-focused blog post on the OpenSOC CTF (sans the specifics, as I believe they reuse to some degree the scenarios)
Other, DEFCON
defcon defcon28
This post is licensed under CC BY 4.0 by the author.