Deadwood 2021 (Virtual)

In 2021, everyone was still in lockdown due to the pandemic, so WWHF Deadwood went virtual, with courses, workshops, and presentations all being given online.

Pre-Conference Training

Start DateEnd DateClass TitleInstructor(s)Location
2021/09/212021/09/22Modern WebApp PentestingBB KingVirtual
2021/09/212021/09/22Advanced Endpoint InvestigationsAlissa TorresVirtual
2021/09/212021/09/22Securing the Cloud: FoundationsAndrew KrugVirtual
2021/09/212021/09/22Windows Post ExploitationKyle AveryVirtual
2021/09/212021/09/22Red Team: Getting AccessMichael AllenVirtual
2021/09/212021/09/22Advanced Network Threat HuntingChris BrentonVirtual
2021/09/212021/09/22Attack Emulation Tools: Atomic Red Team, CALDERA and MoreDarin and Carrie RobertsVirtual
2021/09/212021/09/22Enterprise Attacker Emulation and C2 Implant DevelopmentJoff ThyerVirtual
2021/09/212021/09/22Breaching the CloudBeau BullockVirtual
2021/09/212021/09/22Network Forensics and Incident ResponseTroy WojewodaVirtual


Counterfit /w Will Pearce

Counterfit is a generic attack management framework for attacking ML models. It focuses on abstracting the nuts and bolts of attack algorithms and allows users to focus on their target. Rather than searching for a tool that has the data type your target model uses, Counterfit wraps several existing projects that bring multiple datatypes under a single framework. There are 4 primary use cases for Counterfit:

  • Vulnerability scanning. Scanning models with known and publicly available attack algorithms. Useful for auditing, creating baselines, and measuring on-going improvements.
  • Penetration Testing and Red Teaming. Using the extensible interface to customize attacks and connect with target. Hook into Counterfit from existing offensive tools or use Counterfit as a standalone tool. No model is out of reach.
  • Auditing logging and alerting for machine learning systems. Ensure that detections and alerts are working by scanning production models.
  • Security Research. Use the built-in automation to iterate quickly through new or existing attacks with fine-grain control over parameter settings.

  • Open Source: Yes
  • Project License: MIT
  • Project Link:
  • Intended Audience: Red Teamers, Penetration Testers

Presenter Bio:
Will Pearce is the Red Team Lead for Azure Trustworthy ML at Microsoft. In his current role, he is responsible for running and supporting offensive engagements against AI systems at Microsoft and with partners. This includes building assessment methodologies, developing tools, and creating research. Previously, he was a Senior Security Consultant and Network Operator at Silent Break Security, where he performed network operations, security research, and was an instructor for the popular Darkside Ops courses given at industry conferences and to private/public sector groups. His work on the use of machine learning for offensive security has appeared at industry conferences including DerbyCon, BSidesLV/SLC, and Defcon AI Village as well an academic appearance at the SAI Conference on Computing. Will maintains his OSCP and is credited with the first machine learning CVE.
DomainStats /w Mark Baggett
We all know how powerful logging DNS host names can be. Domain stats automates the analysis of host names to identity automated processes in your environment and kick start your threat hunting process.
Open Source: Yes
Project License: GPLv3
Project Link:
Intended Audience: Blue Teamers
Presenter Bio:
Mark is the author of SANS Automating Information Security with Python course. Mark has a master’s degree in information security engineering and is GSE #15. An active participant in the information security community, Mark is the founding president of The Greater Augusta ISSA chapter. He’s also co-founder of the BSidesAugusta Information Security Conference, and has developed a number of popular tools and techniques.
iLEAPP /w Jesse Spangenberger
Alexis Brignoni (@Brigs) created several tools aLEAPP (android) and iLEAPP (ios) and others have taken his tool creating other tools: cLEAPP (chromebook) and vLEAPP (vehicle). This project created from Alexis’s iLEAPP works towards a framework to merge these tools into a single unified way to add and extend his already great tool. The code base has been reworked nearly from the ground up to support the modularity required to support each different artifact across each tool.
Open Source: Yes
Project License: MIT
Project Link:
Intended Audience: Blue Teamers
Presenter Bio:
I currently work as a Sr. Network Engineer for AT&T installing and configuring Cisco Collaboration systems. I study and contribute in my spare time to the InfoSec community. I have several certifications over the years along with a Master’s in Digital Forensics from Champlain College. I will work for coffee.
OWASP Amass and Paradigm /w Jered Bare and Jordan Johnson
Amass is an open source tool founded by Jeff Foley (@caffix) and distributed by the OWASP Foundation. Amass is used to perform network mapping and generating an attack surface of organizations by scraping DNS information across the web. Amass is a very powerful tool for all teams; whether attacking or defending, Amass can help organizations see just how visible their attack surface is to the outside world. Jered and Jordan are heavy users of Amass and decided to write a web interface to analyze the JSON data that Amass enumerated. By combining the enumeration data from Amass, Paradigm will go through the discovered domains and see if they are open to the outside world. Paradigm will also score the analyzed file by looking at the number of domains that were discovered and seeing how many of those are open to the world. Combining Amass and Paradigm can provide both attackers and defenders the data they need to execute their plan of attack.
Open Source: Yes
Project License: MIT
Project Links:
Intended Audience: Penetration Testers, Attackers, Defenders, Network Engineers, SOC Teams
Presenter Bios:
Jered Bare is a Cyber Security Engineer with over 13 years of experience in the Information Security and Information Technology industry. He is one of the creators of the open source tool Paradigm and a heavy user of open source security tools. Jered has experience with all realms if information security from web application pen testing to coordinating incident response teams. His first taste of the hacker world was when he and his friend, in rural Missouri, cracked his dad’s 56k dial up username and password to access the internet. Since then he has been obsessed with attacking and defending methodologies, hacker subcultures, and the philosophy of being a chaotic good for the best of society. In his spare time you can find him in the Iron temple studying the Book of Brodin and The Swoley Trinity. He also loves to spend time with his family and contributing to open source projects.
Jordan Johnson is a Cyber Security Engineer with over 7 years of experience in Software Engineering and recently made the switch to Information Security. Jordan is one of the creators of the open source tool Paradigm and contributes to multiple open source projects. Jordan’s experience with software engineering has put an emphasis on shifting development teams left and automating web application assessments using open source security tools. In his spare time Jordan volunteers as a first responder and is currently in grad school obtaining his masters degree in Software Engineering.
RITA /w Hannah Cartier
RITA is an open source framework for network traffic analysis.
The framework ingests Zeek Logs in TSV format, and currently supports the following major features:
Beaconing Detection: Search for signs of beaconing behavior in and out of your network
DNS Tunneling Detection Search for signs of DNS based covert channels
Blacklist Checking: Query blacklists to search for suspicious domains and hosts
Open Source: Yes
Project License: GPLv3
Project Link:
Intended Audience: Threat Hunters, Blue Teamers
Presenter Bio:
Hannah joined Active Countermeasures as an intern in 2020. She is currently a graduate student at the university of Utah. When she’s not working or in school, she enjoys hiking, rock climbing, and spending time with friends.
SEPparser /w Brian Maloney
SEPparser was created because I could not find anything to parse Symantec’s Endpoint Protection data into a human readable form. I was fairly successful with MS Logparser but it couldn’t parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. This data contains a wealth of untapped information that can be used during an investigation. SEPparser is a command line tool for parsing Symantec Endpoint Protection data. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what file it is and parse it correctly.
Parse settings for log files
Parse the following log files:
Security log
System log
Firewall Traffic log
Firewall Packet log
Application and Device Control log
AV Management plugin log
Daily AV logs
Extract packets from Firewall Packet log
Parse ccSubSDK data into csv reports
Extract potential binary blobs from ccSubSDK
Parse VBN files into csv reports
Extract quarantine data to file or hex dump
Preform hex dump of VBN for research
Open Source: Yes
Project License: MIT
Project Link:
Intended Audience: Blue Teamers
Presenter Bio:
Brian Maloney is a Digital Forensics Analysist at Thrivent Financial. Brian is the author of SEPparser and the ProcDOT plugin pcap_tools. Brian can also be accredited with contributions to DeXRAY, improving its ability to extract McAfee and Symantec quarantine files. Brian holds a Bachelors degree in Information Systems and Cybersecurity.
Sliver w/ Joe DeMesy
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. The server and client support MacOS, Windows, and Linux. Implants are supported on MacOS, Windows, and Linux (and possibly every Golang compiler target but we’ve not tested them all).
Open Source: Yes
Project License: GPLv3
Project Link:
Intended Audience: Read Teamers, Blue Teamers, Penetration Testers
Presenter Bio:
Joe DeMesy is a Principal Consultant at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network penetration testing, web application security, source code review, mobile application assessments, and red team engagements.
Threat Hunting Toolkit /w Ethan Robish
The Threat Hunting Toolkit (THT) is a Swiss Army knife for threat hunting, log processing, and security-focused data science. Deploy the pre-configured container image onto any system rather than struggling with installation, configuration, or environment differences. You can be cleaning, filtering, sorting, data stacking, and more in no time.
Open Source: Yes
Project License: MIT
Project Link:
Intended Audience: Threat Hunters, Blue Teamers, Data Scientists
Presenter Bio:
Ethan Robish has worked with Black Hills Information Security since 2008. At first, he was an intern and then took on a full-time role in 2012 as a Penetration Tester. In his current role as a Threat Hunter, Ethan is involved with customer engagement, research, working with ACM’s AC-Hunter, as well as improving BHIS HTOC and SOC offerings. Previously, he implemented defensive security solutions for the Exchange Online security team as a Microsoft intern. While in college, he competed in the International Collegiate Programming Competition (ICPC) World Finals. Since his time at BHIS, Ethan has come to enjoy learning from his co-workers’ expertise and skillsets to help better his own. In his time off, he enjoys cooking, playing the piano, and reading fantasy novels.