For the third time in a row, we followed Pass the SALT, a small but high-quality three-day conference dedicated to free software and security. This edition, which we sponsored, featured 21 talks and 9 workshops with top-notch speakers (and attendees, of course). Here are all the slides and videos of the talks and rumps. And as usual, you can find below a quick review of our favourite talks.
Yeti (Sébastien Larinier and Thomas Chopitea)
Sébastien Larinier and Thomas Chopitea presented how Yeti can help blue teamers with triage. The software came out of the observation that reverse engineering is hard and time-consuming while network IOCs are easier to use, but when working on multiple cases or campaigns, no software could link network artefacts extracted from pcap files or live captures.
Yeti is based on three pillars:
- observables: technical elements such as hashes, IP addresses or URLs.
- indicators: regexes or YARA rules.
- entities: tactical elements such as campaigns, threat actors, malware, etc.
Yeti has evolved over the years: Sébastien and Thomas did not hesitate to make disruptive changes when they noticed that some earlier design decisions had led the project to a dead end. The project now focuses on graphs and uses ArangoDB, a graph-oriented database, which still relies on JavaScript, as Thomas seems to love it ;) Non-malicious indicators, such as a list of known-good hashes, can be added to create whitelists, and the data model relies on the STIX 2.0 format. Both speakers agree that Yeti should be referred to as a forensic intelligence store, so it can be used during incident response as well as digital forensic investigations.
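To make the three pillars concrete, here is a tiny in-memory stand-in for that observable / indicator / entity model. It is an added example, not Yeti's own code or data model: the class, the campaign name, the regex indicator and all values are constructed (documentation IP range, `.invalid` names, the SHA-256 of an empty file as a "known good" hash). It shows the two things the talk stressed: artefacts from separate cases end up linked through a shared entity, and whitelisted values never enter the graph.

```python
import re
from collections import defaultdict


class ForensicStore:
    """Tiny in-memory stand-in for the observable / indicator / entity model (added example)."""

    def __init__(self):
        self.observables = set()
        self.whitelist = set()                 # known-good values, never stored or linked
        self.indicators = {}                   # indicator name -> (compiled regex, entity)
        self.links = defaultdict(set)          # observable -> {(entity, via)}
        self.entity_links = defaultdict(set)   # entity -> {observable}

    def add_whitelist(self, values):
        self.whitelist.update(values)

    def add_indicator(self, name, pattern, entity):
        """A regex indicator: any observable it matches is linked to the entity."""
        self.indicators[name] = (re.compile(pattern), entity)

    def link(self, observable, entity, via="manual"):
        self.links[observable].add((entity, via))
        self.entity_links[entity].add(observable)

    def add_observable(self, value, entity=None):
        """Store an observable and auto-link it through matching indicators.

        Returns False when the value is whitelisted (known good), so bulk imports of
        pcap-derived artefacts do not pollute the graph.
        """
        if value in self.whitelist:
            return False
        self.observables.add(value)
        if entity is not None:
            self.link(value, entity)
        for name, (rx, ent) in self.indicators.items():
            if rx.search(value):
                self.link(value, ent, via=name)
        return True

    def related_entities(self, observable):
        return {entity for entity, _ in self.links.get(observable, set())}

    def pivot(self, entity):
        """All observables tied to an entity, across every case that contributed them."""
        return set(self.entity_links.get(entity, set()))


def build_demo_store():
    """Constructed data: RFC 5737 documentation address, .invalid names, a made-up campaign."""
    store = ForensicStore()
    # SHA-256 of an empty file: a classic known-good value that shows up in every case
    store.add_whitelist({"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"})
    store.add_indicator("staging-cdn", r"^[a-z0-9-]+\.cdn-update\.invalid$",
                        "campaign:ConstructedWave")
    # Case 1: a pcap from one incident yields an IP that the analyst ties to the campaign
    store.add_observable("198.51.100.7", entity="campaign:ConstructedWave")
    # Case 2: another capture yields a domain; the indicator links it automatically
    store.add_observable("files.cdn-update.invalid")
    # Noise: the empty-file hash is whitelisted and dropped
    store.add_observable("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    return store
```

Pivoting on the campaign returns both the IP from case 1 and the domain from case 2, which is the cross-case linking the speakers described; a graph database such as ArangoDB does the same over millions of nodes.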
Hunting automation (Xavier Mertens)
This presentation from Xavier Mertens focused on reducing the burden on threat hunters. Instead of repeating boring tasks, Xavier decided to automate as much as he could, which resulted in an ingenious system composed of the following elements. First, suspicious or malicious scripts are caught automatically; Xavier grabs them from multiple sources:
- catch-all mailboxes, from which attachments are dumped using ripMIME and sent to a personal repository by a Python script run from a cronjob.
- hunting YARA rules on VirusTotal, which help find suspicious PowerShell scripts.
- MalwareBazaar and other known malware repositories.
Xavier then showed how he uses the open-source project karton as an orchestrator for malware analysis automation. Using karton and different modules, he was able to classify malware families, but he did not only use the software out of the box: he quickly demonstrated how to extend it with a few lines of Python.
Kunai updates (Quentin Jerome)
Quentin Jerome started the kunai project in 2022 out of frustration with Sysmon for Linux: he wasn't able to monitor the events the way he wanted and decided to write his own tool in Rust. Two years later, the project is production ready and has features any blue teamer would love to find in a commercial EDR:
- monitoring of specific events: of course execve, file read and write, but also shared object loading and BPF program execution
- event grouping for more accurate anomaly detection
- parent and grandparent process tracking
- enrichment with data from previous events
- tracking of events inside containers
- events filtering to reduce noise while keeping context
- ability to use IOC lists to scan
- integration with MISP to ingest feeds or export events
Quentin has a roadmap full of interesting features:
- add yara-x, also written in Rust
- add triggers: dump memory, kill processes, collect information
- monitor kernel changes impacting kunai
Fighting phishing by introducing WikiPhish (Gabriel Loiseau)
The WikiPhish project is an attempt at building a phishing dataset using machine learning. According to a recent FBI Internet Crime Report, phishing is by far the most prevalent threat nowadays, the second being data leaks and the third non-payment / non-delivery.
The samples used to build this dataset come from known sources: OpenPhish and PhishTank. Using machine learning in this case allows diversity and up-to-date samples, as well as transparency.
The data collection challenges faced are the evolution of the phishing ecosystem, the short life of phishing websites and, last but not least, the difficulty of collecting legitimate content. Also, many datasets are limited to URLs, omitting HTML content, which limits what machine learning can do.
The lack of standardisation is another difficulty, making it hard to compare datasets and models.
Hunt for phishing URLs, scammers, and their materials (Thomas Damonneville)
Thomas Damonneville presented his StalkPhish project and the associated tools. First was PKHunter, a tool to look for possible phishing attempts. To do its job, it searches reverse proxy logs for particular strings, mostly related to phishing campaigns.
In 2018, Thomas decided to use OSINT to improve his tools and his capacity to detect phishing kits. OSINT sources were used to enrich data, get access to new versions of phishing kits and extract IOCs: email addresses, Telegram channels. This way Thomas was able to investigate multiple campaigns and gained much knowledge about the phishing scene. For now, Thomas relies on PhishTank, OpenPhish, Phishstats, Phishing.Database, URLquery and URLscan.
Actors in the phishing community are well aware that blue teamers are spying on them, and phishing websites are now fitted with protections such as geofencing and anti-bot checks. To get past such protections, Thomas uses VPN stacks and tries to keep a low profile.
But you may ask: “is collecting phishing kits more of a hobby than a useful action?” The answer is that collecting kits reveals:
- more relevant strings to search for in reverse proxy logs.
- developers and actors behind phishing campaigns.
- new malware dropped by phishing campaigns (such as fake mobile apps).
- panels used by actors.
Analysing malicious documents and files with oletools (Philippe Lagadec)
Philippe Lagadec presented the oletools and explained the reasons for writing each piece of software. Anyone in the defensive field has used, directly or indirectly, at least one of the oletools. This talk was designed to make people understand which command to use first and how to chain all of them to get a complete analysis of any suspicious or malicious MS Office related document. Philippe introduced the latest commands added:
- ftguess, which comes as a handy replacement for file when it comes to getting details about an MS Office file
- olemsi, to parse msi and msix files
He also explained the difficulties he faced when writing such tools, such as poor documentation of the file formats, or no documentation at all.
Fuzzing confused dependencies with Depfuzzer (Pierre Martin and Kévin Schouteeten)
Pierre Martin and Kévin Schouteeten from Synacktiv presented their tool: Depfuzzer. This tool was written for an engagement with one of their customers, who wanted to check whether an attacker with access to their private git repository could easily carry out a dependency confusion attack.
Kévin and Pierre developed the tool to automate the search, in Node.js, Python, Rust and Go projects that use public registries to host their dependencies. depfuzzer parses pyproject.toml and requirements.txt for Python applications, go.mod for Go apps, Cargo.toml for Rust projects and package.json for Node.js to retrieve the list of dependencies and see which could be “confused” by an attacker.
In particular, this tool leverages the deps.dev web application made by Google.
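The defender-side version of that check is an audit of your own manifests: list every dependency, decide which names are internal, and confirm that each internal name is either already reserved on the public registry or is not fetched from a registry at all. The block below is an added example, not Depfuzzer's code: the four manifests are constructed, the organisation marker `acme` is a hypothetical naming convention, and `PUBLIC_INDEX` is a fixed set standing in for the live registry or deps.dev lookup so the example runs offline. It goes slightly beyond the text by treating Cargo `path`/`git` dependencies separately, because those never touch crates.io.

```python
import json
import re

# Constructed manifests (not from any real project).
REQUIREMENTS_TXT = """\
# constructed sample
requests==2.31.0
acme-internal-utils>=1.2  # internal
-r other.txt
acme-billing
"""
PACKAGE_JSON = '{"dependencies": {"express": "^4.18.0"}, "devDependencies": {"acme-auth": "1.0.0"}}'
GO_MOD = """\
module example.com/app

go 1.21

require (
\tgithub.com/stretchr/testify v1.8.0
\tgit.internal.acme/libs/auth v0.3.0 // indirect
)
"""
CARGO_TOML = """\
[package]
name = "app"
version = "0.1.0"

[dependencies]
serde = "1.0"
acme-crypto = { path = "../crypto" }

[dev-dependencies]
tempfile = "3"
"""

# Constructed stand-in for a registry / deps.dev lookup, so the example runs offline.
PUBLIC_INDEX = {
    "pypi": {"requests", "acme-billing"},
    "npm": {"express"},
    "crates": {"serde", "tempfile"},
    "go": {"github.com/stretchr/testify"},
}
INTERNAL_MARKER = "acme"   # hypothetical organisation naming convention


def parse_requirements(text):
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # skip blanks and options such as -r
            continue
        names.append(re.split(r"[\[<>=!~;\s]", line, maxsplit=1)[0].lower())
    return names


def parse_package_json(text):
    data = json.loads(text)
    return [n for section in ("dependencies", "devDependencies") for n in data.get(section, {})]


def parse_go_mod(text):
    names, in_block = [], False
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()          # drop "// indirect" and friends
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
        elif line == ")":
            in_block = False
        elif in_block:
            names.append(line.split()[0])
        elif line.startswith("require "):
            names.append(line.split()[1])
    return names


def parse_cargo_toml(text):
    """Return (registry_deps, source_pinned_deps); path/git dependencies never hit crates.io."""
    registry, pinned, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section in ("dependencies", "dev-dependencies", "build-dependencies") and "=" in line:
            name, rhs = (s.strip() for s in line.split("=", 1))
            (pinned if re.search(r"\b(path|git)\s*=", rhs) else registry).append(name)
    return registry, pinned


def classify(ecosystem, names):
    public = PUBLIC_INDEX[ecosystem]
    report = {}
    for name in names:
        if INTERNAL_MARKER not in name:
            report[name] = "public"
        elif name in public:
            report[name] = "COLLISION"    # an internal name already exists on the public registry
        else:
            report[name] = "UNCLAIMED"    # internal name not reserved publicly: reserve or scope it
    return report


def audit_all():
    registry_crates, pinned_crates = parse_cargo_toml(CARGO_TOML)
    report = {
        "pypi": classify("pypi", parse_requirements(REQUIREMENTS_TXT)),
        "npm": classify("npm", parse_package_json(PACKAGE_JSON)),
        "go": classify("go", parse_go_mod(GO_MOD)),
        "crates": classify("crates", registry_crates),
    }
    report["crates"].update({n: "source-pinned" for n in pinned_crates})
    return report
```

Both non-"public" states need action: a COLLISION means the resolver may already prefer the public package, and an UNCLAIMED name is one you should reserve (or move under an owned scope or private index) before someone else does. Real manifests also carry index URLs, lock files and resolver settings that decide which registry wins; those are outside this parser.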
Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code (Alessandro Di Federico)
During this presentation, Alessandro presented rev.ng, an open-source binary analysis framework and decompiler. rev.ng uses QEMU to lift binaries; they chose QEMU because it supports many architectures. Once a binary has been lifted to QEMU's Tiny Code intermediate representation (IR), this representation is directly translated to LLVM IR. Although QEMU is used to lift binaries, they are never executed (nor emulated). rev.ng does not rely on symbolic execution, but it can be combined with a symbolic execution engine such as KLEE. Alessandro showed how to use rev.ng, and how it can be used together with KLEE to find a use-after-free vulnerability. He also explained that rev.ng can be used with other code analyzers such as CodeQL and the Clang static analyzer.
Sandwich: crypto-agility demystified (Thomas B.)
The goal of Thomas' presentation was to present the philosophy of crypto-agility. macOS/iOS use a lot of libraries to perform cryptographic operations, which increases the attack surface of the system. The purpose of crypto-agility is to reduce the number of cryptographic dependencies and to provide a unified API that makes it easy to switch between different cryptographic primitives. That's why they decided to develop Sandwich, a meta-library that aims to respect the different concepts behind crypto-agility. This library is developed in Rust and offers APIs for C, Python and Go. Today, Sandwich supports three backend libraries: OpenSSL, BoringSSL and ring. It also includes some post-quantum algorithms. To use Sandwich, a program must provide a Protobuf-based configuration which defines, among other things, the encryption algorithm to use.
Affordable EMFI Attacks Against Modern IoT Chips (Davide Toldo)
EMFI stands for electromagnetic fault injection. At a high level, it uses the physical properties of electromagnetism to alter software behaviour. Davide's goal is to make it possible to practise EMFI attacks on a budget; the target audience ranges from students to enthusiasts and professionals who don't want to invest in standard EMFI equipment. These kinds of attacks are known for having a high entry barrier, due to the price of the equipment and its limited availability to the general public. During his talk he presented an open-source and affordable solution, along with a plan for building a lab; the resources he published can be found in this GitHub repo.
Test Your Cryptographic Primitives With Crypto-Condor (Angèle Bossuat, Julio Loayza Meneses and Dahmun Goudarzi)
Julio started by reminding us of the definition of a primitive: a low-level cryptographic algorithm that can be used in other constructions; for example, AES is a primitive used in TLS. Crypto-Condor can help us test an implementation thanks to a variety of test vectors, and it includes both a CLI and a Python API. It can check whether the implementation complies with its specification, follows ANSSI recommendations and is resilient to common attacks. This tool's documentation and install guides can be found at this link.
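The "compliance with the specification" part of that testing is, at its core, a known-answer test: feed the candidate implementation published vectors and compare against the expected output. The block below is an added example of that idea, not Crypto-Condor's API or test-vector set: it uses the FIPS 180 SHA-256 examples and RFC 4231 test case 1 for HMAC-SHA-256, the Python standard library as the reference implementation, and a deliberately wrong HMAC (`H(key || data)`, a constructed bug) to show a vector catching a non-compliant primitive.

```python
import hashlib
import hmac

# Known-answer test (KAT) vectors: the FIPS 180 SHA-256 examples for the empty string and
# "abc", and RFC 4231 test case 1 for HMAC-SHA-256.
SHA256_VECTORS = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]
HMAC_SHA256_VECTORS = [
    (bytes([0x0B]) * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kat(impl, vectors):
    """Run impl on every vector; return the list of (inputs, expected, got) mismatches."""
    failures = []
    for *inputs, expected in vectors:
        got = impl(*inputs)
        if not hmac.compare_digest(got, expected):
            failures.append((inputs, expected, got))
    return failures


def reference_sha256(data):
    return hashlib.sha256(data).hexdigest()


def reference_hmac_sha256(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def broken_hmac_sha256(key, data):
    """Constructed wrong implementation: H(key || data) is not HMAC (and is length-extendable).
    A single KAT vector is enough to reject it."""
    return hashlib.sha256(key + data).hexdigest()


def verify_implementation(sha256_impl, hmac_impl):
    """Summarise a candidate implementation the way a test tool would report it."""
    return {
        "sha256": run_kat(sha256_impl, SHA256_VECTORS) == [],
        "hmac-sha256": run_kat(hmac_impl, HMAC_SHA256_VECTORS) == [],
    }


if __name__ == "__main__":
    print("reference:", verify_implementation(reference_sha256, reference_hmac_sha256))
    print("broken:   ", verify_implementation(reference_sha256, broken_hmac_sha256))
    for inputs, expected, got in run_kat(broken_hmac_sha256, HMAC_SHA256_VECTORS):
        print("mismatch for", inputs, "expected", expected[:16], "got", got[:16])
```

Passing a KAT proves only that the implementation computes the right function on those inputs; the other two properties the talk listed (following recommendations on parameters, and resisting common attacks) need checks of a different kind, such as rejecting weak key sizes or parameter choices, which is why a dedicated tool bundles all three.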