Full Report
When we finally decided on a date, sensecon 2020 was a little over a month away. Unlike our public client events, sensecon is an internal three-day conference filled with trainings, a hackathon and a ton of fun. Traditionally we would have held the hackathon in person, but this year our only option was to do it remotely. Overall we had a blast, both in the preparation phase and during the conference itself. It was the largest one we have had to date, consisting of over 120 Orange Cyberdefense hackers from 8 countries around the globe! This blog post is a reflection on these three days filled with incredibly exciting hacks: how we got there, how it went and what we learned along the way. All while I recover from a little sleep deprivation.
Analysis Summary
# Main Topic
Reflection and overview of the remote **Sensecon 2020** conference and internal hackathon hosted by Orange Cyberdefense, focusing on its structure, execution across multiple timezones, and the technical training and challenges presented to over 120 global participants.
## Key Points
- The event was conducted remotely for the first time, utilizing **Discord** as the primary platform, with **Teams** as a backup.
- The conference combined training sessions, a hackathon, and social events over three days (November 5th to 7th, 2020).
- Goals focused on "make a new **friend** & learn something **new**."
- Challenges included a password challenge (involving hash cracking), a programming challenge, and an unannounced Discord bot challenge.
- Training covered advanced security topics, forcing organizers to switch larger sessions to Zoom mid-conference for better scalability.
## Threat Actors
- No specific malicious threat actors or external cyber campaigns were discussed.
- The context involves internal "Orange Cyberdefense hackers."
## TTPs
The summary focuses on defensive training and projects undertaken by participants, which implicitly cover offensive TTPs:
- **Training Covered:**
  - Introduction to **CodeQL**, recreating vulnerability queries (e.g., for CVE-2017-9805).
  - Active Directory attacks: Kerberos, Resource-based Constrained Delegation, Discretionary Access Control List (DACL) abuse.
  - Windows privilege escalation and persistence (Access Control Entries, Access Tokens, DLL injection).
  - Using **eBPF** for Linux kernel instrumentation (probes and custom programs).
- **Hackathon Projects (Implied TTPs):**
  - Red Team payload AV evasion (CI/CD).
  - NetNTLM hash cracking using Hashcat and NT hashes.
  - Environment variable-based LOLBin hunting.
  - Hacking the Telegram mobile application (abuse of the "Near me" feature).
## Affected Systems
- Systems/technologies discussed as subjects of training or hackathon projects include:
  - Active Directory environments.
  - Windows operating systems (focus on privilege escalation).
  - Linux operating system internals (via eBPF focus).
  - Router firmware (via binary emulation project).
  - OWASP Top 10 vulnerable APIs.
## Mitigations
- Mitigations are implied through training subjects:
  - Secure coding practices (implied by CodeQL usage).
  - Understanding and hardening Active Directory configurations related to delegation and ACLs.
  - Robust endpoint security monitoring (implied by persistence and evasion training).
## Conclusion
Sensecon 2020 successfully transitioned to a large-scale, remote format, emphasizing advanced technical training across areas like AD exploitation, Windows internals, and Linux tracing (eBPF). While focused on internal growth and learning, the projects and training covered relevant offensive tradecraft applicable to real-world threats, suggesting a proactive defense posture for the participating team members.
# Morning News Roll-up
## Overview
The provided context is a retrospective blog post on Sensecon 2020, an internal Orange Cyberdefense cybersecurity conference. It describes the successful pivot to a remote format, scale (120+ attendees), training curriculum, and hackathon structures.
## Top Stories
### Sensecon 2020 Successfully Executed Remotely
- Summary: Sensecon 2020, Orange Cyberdefense's internal three-day conference, successfully transitioned to a remote format, hosting over 120 hackers from 8 countries using Discord as the main platform.
- Source: sensecon 2020 ex post facto
### Advanced Security Training Provided Across Multiple Domains
- Summary: Training sessions covered advanced topics including CodeQL introduction, Active Directory attack scenarios (Kerberos, Constrained Delegation), Windows privilege escalation techniques, and leveraging eBPF for Linux kernel introspection.
- Source: sensecon 2020 ex post facto
### Hackathon Featured Diverse Offensive Security Projects
- Summary: The hackathon included challenges and team projects focused on offensive security aspects such as Red Team payload AV evasion, NetNTLM hash cracking implementation, vulnerable API creation, and abuse testing against applications like Telegram.
- Source: sensecon 2020 ex post facto