Talk Tracks: SHHC20
Talk Tracks

From the Talks Lobby are seven rooms; one for each of the presenters.

Welcome and Tips by Ed Skoudis

In this presentation, Ed welcomes you to the 2020 SANS Holiday Hack Challenge, orienting you to the environment, the characters, the storyline, and the super useful KringleCon 3 snowflake badge. He gives tips for navigating Santa’s castle and its interface, as well as ways to chat with other participants and get hints. In 18 short minutes, Ed provides you all the information you need to get rolling in this year's super exciting Holiday Hack extravaganza!

Track 1: CAN Bus Can-Can by Chris Elgee

Riddle: what connects your steering wheel to your door locks and your radio? It's the CAN bus! Let's examine what this low-level network does and finally find out what our cars are thinking!

Track 2: Open S3 Buckets: Still a Problem in 2020 by Josh Wright

SANS Senior Instructor Joshua Wright delivers a lightning talk about what you need to know about insecure cloud storage discovery, enumeration, and the opportunities to make money through creative assessment of cloud resources.

Track 3: Advesary Emulation and Automation by Dave Herrald

Learn a quick, easy, and free way to emulate adversary techniques selected from MITRE ATT&CK® and the Atomic Red Team project. We'll show how the resulting telemetry can be collected for analysis and detection engineering using Splunk

Track 4: HID Card Hacking by Larry Pesce

The HID ProxCard II RFID cards are arguably the most deployed physical access control systems. In this talk we'll give you the quick technical run down on the technology and how we can interact with them for shenanigans with a Proxmark 3.

Track 4: Rudolph the Red-Nosed Raptor: Aquiring Triage Images with EDR by Dan Banker

Velocidex has created a fantastic (free!) tool called Velociraptor; in their own words, it "...provides the next generation in endpoint monitoring, digital forensic investigations and cyber incident response." One capability is that the user can specify an array of forensic artifacts to be collected, and Velociraptor will produce an executable. The executable is run on the target machine, and the artifacts are collected and a report is generated. This is a quick way of generating a triage image, i.e. grabbing the juicy system artifacts without copying an entire drive. I will explore the deployment of velociraptor.exe with the live response capability of EDR (specifically Carbon Black). I will demonstrate how this is done and point out a couple of pitfalls. I will also talk about how to automate this process.

Track 5: Give Yourself a Blog for Christmas by Jack Rhysider

Everyone in IT has notes they've written for things they should remember. Commands that are hard to remember, tips for how to configure something, or troubleshooting techniques. The best place to put those notes is into a blog. This talk will cover the reasons why everyone in IT should be writing a blog, and what to put in it. Even if you're just starting your career or haven't yet started it. The beginners mind is a beautiful thing and can sometimes explain things better than expert can.

Track 5: Red Teaming: Why Organizations Hack Themselves by David Tomaschik

Penetration testing and red teaming are popular, high-visibility specialties in the information security space, but why do organizations do these, and how are they executed? We'll discuss the phases and execution of a Red Team exercise and how the results help the organization's overall security posture.

Track 6: Attacking and Hardening Kubernetes by Jay Beale

Come see a Kubernetes attack demonstration, where a hostile developer must escalate privilege to steal data from a GKE Kubernetes cluster and its cloud environment. Whether you're completely new to Kubernetes or you've used it, but not yet attacked it, you'll enjoy and learn something useful from this talk. Afterwards, download the slides from and learn about using admission controllers to block the attack!

Track 6: IOMs and IOAs in AWS by Spencer Gietzen

There is a lot of buzz in the public cloud industry around indicators of misconfigurations, detecting them, and responding to them, but there is one important area that is lacking the same support, indicators of attack. It is important to know when there is a potential for a breach in your cloud environment, but you also need to know what malicious activity may look like after a breach. This talk will cover what Indicators of Misconfigurations (IOMs) and Indicators of Attack (IOAs) are, why they are important to differentiate, and the differences between them using Amazon Web Services (AWS) as an example.

Track 7: Offensive Security Tools: Providing Value with the C2 Matrix by Jorge Orchilles

Offensive Security has always been about providing value. This talk goes through the history of ethical hacking through red team, purple team, and adversary emulation. Choosing the correct tools for the job has always been an important preparation step; with the C2 Matrix, you can quickly choose the best one for your needs. Lastly, we release an update for the SANS Slingshot C2 Matrix Edition virtual machine which includes multiple C2s preinstalled to get you up and running quickly. It also includes VECTR to measure, track, and show the progress made in your Red Team and Purple Team programs.

Track 7: Random Facts about Mersenne Twisters by Tom Liston

An introduction to the properties and pitfalls of one of the most widely deployed pseudo-random number generators (PRNGs), the Mersenne Twister, MT19937. Along with this presentation, Tom is releasing some Python code, demonstrating how to clone the PRNG used by the Random module in both Python 2 and Python 3. (

An overview of all people, places, and events can be learned in the Introduction.