Toolshed

Looking to add to your information security toolbox? Look no further! At the Deadwood Toolshed our presenters will be sharing their favorite open source tools/projects. The list below contains more details on the presenters and their tools/projects. With the conference being virtual, be sure to join the conference Discord server, where we have dedicated Toolshed channels.

  • Counterfit w/ Will Pearce

    Counterfit is a generic attack management framework for attacking ML models. It focuses on abstracting the nuts and bolts of attack algorithms and allows users to focus on their target. Rather than searching for a tool that supports the data type your target model uses, Counterfit wraps several existing projects that bring multiple data types under a single framework. There are 4 primary use cases for Counterfit:

    1. Vulnerability scanning. Scanning models with known and publicly available attack algorithms. Useful for auditing, creating baselines, and measuring on-going improvements.
    2. Penetration Testing and Red Teaming. Using the extensible interface to customize attacks and connect with a target. Hook into Counterfit from existing offensive tools or use Counterfit as a standalone tool. No model is out of reach.
    3. Auditing logging and alerting for machine learning systems. Ensure that detections and alerts are working by scanning production models.
    4. Security Research. Use the built-in automation to iterate quickly through new or existing attacks with fine-grain control over parameter settings.

    Open Source: Yes

    Project License: MIT

    Project Link: https://github.com/Azure/counterfit

    Intended Audience: Red Teamers, Penetration Testers

    Presenter Bio:

    Will Pearce is the Red Team Lead for Azure Trustworthy ML at Microsoft. In his current role, he is responsible for running and supporting offensive engagements against AI systems at Microsoft and with partners. This includes building assessment methodologies, developing tools, and creating research. Previously, he was a Senior Security Consultant and Network Operator at Silent Break Security, where he performed network operations, security research, and was an instructor for the popular Darkside Ops courses given at industry conferences and to private/public sector groups. His work on the use of machine learning for offensive security has appeared at industry conferences including DerbyCon, BSidesLV/SLC, and Defcon AI Village as well an academic appearance at the SAI Conference on Computing. Will maintains his OSCP and is credited with the first machine learning CVE.

  • DomainStats w/ Mark Baggett

    We all know how powerful logging DNS host names can be. Domain stats automates the analysis of host names to identify automated processes in your environment and kick-start your threat hunting process.

    Open Source: Yes

    Project License: GPLv3

    Project Link: https://github.com/MarkBaggett/domain_stats

    Intended Audience: Blue Teamers

    Presenter Bio:

    Mark is the author of SANS Automating Information Security with Python course. Mark has a master’s degree in information security engineering and is GSE #15. An active participant in the information security community, Mark is the founding president of The Greater Augusta ISSA chapter. He’s also co-founder of the BSidesAugusta Information Security Conference, and has developed a number of popular tools and techniques.

  • iLEAPP w/ Jesse Spangenberger

    Alexis Brignoni (@Brigs) created several tools, including aLEAPP (Android) and iLEAPP (iOS), and others have built on his work to create further tools: cLEAPP (Chromebook) and vLEAPP (vehicle). This project, derived from Alexis’s iLEAPP, works towards a framework that merges these tools into a single unified way to add to and extend his already great tool. The code base has been reworked nearly from the ground up to provide the modularity required to support the different artifacts across each tool.

    Open Source: Yes

    Project License: MIT

    Project Link: https://gitlab.com/flamusdiu/iLEAPP

    Intended Audience: Blue Teamers

    Presenter Bio:

    I currently work as a Sr. Network Engineer for AT&T installing and configuring Cisco Collaboration systems. I study and contribute in my spare time to the InfoSec community. I have earned several certifications over the years along with a Master’s in Digital Forensics from Champlain College. I will work for coffee.

  • OWASP Amass and Paradigm w/ Jered Bare and Jordan Johnson

    Amass is an open source tool founded by Jeff Foley (@caffix) and distributed by the OWASP Foundation. Amass is used to perform network mapping and generate an attack surface map of organizations by scraping DNS information across the web. Amass is a very powerful tool for all teams; whether attacking or defending, Amass can help organizations see just how visible their attack surface is to the outside world. Jered and Jordan are heavy users of Amass and decided to write a web interface to analyze the JSON data that Amass enumerates. Using the enumeration data from Amass, Paradigm goes through the discovered domains and checks whether they are open to the outside world. Paradigm also scores the analyzed file by looking at the number of domains that were discovered and how many of those are open to the world. Combining Amass and Paradigm can provide both attackers and defenders the data they need to execute their plan of attack.

    Open Source: Yes

    Project License: MIT

    Project Links: https://github.com/owasp/amass
    https://github.com/jeredbare/paradigm

    Intended Audience: Penetration Testers, Attackers, Defenders, Network Engineers, SOC Teams

    Presenter Bios:

    Jered Bare is a Cyber Security Engineer with over 13 years of experience in the Information Security and Information Technology industry. He is one of the creators of the open source tool Paradigm and a heavy user of open source security tools. Jered has experience with all realms of information security, from web application pen testing to coordinating incident response teams. His first taste of the hacker world was when he and his friend, in rural Missouri, cracked his dad’s 56k dial-up username and password to access the internet. Since then he has been obsessed with attacking and defending methodologies, hacker subcultures, and the philosophy of being a chaotic good for the best of society. In his spare time you can find him in the Iron temple studying the Book of Brodin and The Swoley Trinity. He also loves to spend time with his family and contribute to open source projects.


    Jordan Johnson is a Cyber Security Engineer with over 7 years of experience in Software Engineering who recently made the switch to Information Security. Jordan is one of the creators of the open source tool Paradigm and contributes to multiple open source projects. Jordan’s experience with software engineering has put an emphasis on shifting development teams left and automating web application assessments using open source security tools. In his spare time Jordan volunteers as a first responder and is currently in grad school obtaining his master’s degree in Software Engineering.

  • RITA w/ Hannah Cartier

    RITA is an open source framework for network traffic analysis.

    The framework ingests Zeek Logs in TSV format, and currently supports the following major features:

    • Beaconing Detection: Search for signs of beaconing behavior in and out of your network
    • DNS Tunneling Detection: Search for signs of DNS based covert channels
    • Blacklist Checking: Query blacklists to search for suspicious domains and hosts

    Open Source: Yes

    Project License: GPLv3

    Project Link: https://github.com/activecm/rita

    Intended Audience: Threat Hunters, Blue Teamers

    Presenter Bio:

    Hannah joined Active Countermeasures as an intern in 2020. She is currently a graduate student at the University of Utah. When she’s not working or in school, she enjoys hiking, rock climbing, and spending time with friends.

  • SEPparser w/ Brian Maloney

    SEPparser was created because I could not find anything to parse Symantec’s Endpoint Protection data into a human readable form. I was fairly successful with MS Logparser but it couldn’t parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. This data contains a wealth of untapped information that can be used during an investigation. SEPparser is a command line tool for parsing Symantec Endpoint Protection data. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what file it is and parse it correctly.

    Capabilities

    • Parse settings for log files
    • Parse the following log files:
      • Security log
      • System log
      • Firewall Traffic log
      • Firewall Packet log
      • Application and Device Control log
      • AV Management plugin log
      • Daily AV logs
    • Extract packets from Firewall Packet log
    • Parse ccSubSDK data into csv reports
    • Extract potential binary blobs from ccSubSDK
    • Parse VBN files into csv reports
    • Extract quarantine data to file or hex dump
    • Perform hex dump of VBN for research

    Open Source: Yes

    Project License: MIT

    Project Link: https://github.com/Beercow/SEPparser

    Intended Audience: Blue Teamers

    Presenter Bio:

    Brian Maloney is a Digital Forensics Analyst at Thrivent Financial. Brian is the author of SEPparser and the ProcDOT plugin pcap_tools. Brian can also be credited with contributions to DeXRAY, improving its ability to extract McAfee and Symantec quarantine files. Brian holds a Bachelor’s degree in Information Systems and Cybersecurity.

  • Sliver w/ Joe DeMesy

    Sliver is an open source cross-platform adversary emulation/red team framework; it can be used by organizations of all sizes to perform security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. The server and client support macOS, Windows, and Linux. Implants are supported on macOS, Windows, and Linux (and possibly every Golang compiler target, but we’ve not tested them all).

    Open Source: Yes

    Project License: GPLv3

    Project Link: https://github.com/BishopFox/sliver

    Intended Audience: Red Teamers, Blue Teamers, Penetration Testers

    Presenter Bio:

    Joe DeMesy is a Principal Consultant at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network penetration testing, web application security, source code review, mobile application assessments, and red team engagements.

  • Threat Hunting Toolkit w/ Ethan Robish

    The Threat Hunting Toolkit (THT) is a Swiss Army knife for threat hunting, log processing, and security-focused data science. Deploy the pre-configured container image onto any system rather than struggling with installation, configuration, or environment differences. You can be cleaning, filtering, sorting, stacking data, and more in no time.

    Open Source: Yes

    Project License: MIT

    Project Link: https://github.com/ethack/tht

    Intended Audience: Threat Hunters, Blue Teamers, Data Scientists

    Presenter Bio:

    Ethan Robish has worked with Black Hills Information Security since 2008. At first, he was an intern and then took on a full-time role in 2012 as a Penetration Tester. In his current role as a Threat Hunter, Ethan is involved with customer engagement, research, working with ACM’s AC-Hunter, as well as improving BHIS HTOC and SOC offerings. Previously, he implemented defensive security solutions for the Exchange Online security team as a Microsoft intern. While in college, he competed in the International Collegiate Programming Competition (ICPC) World Finals. Since his time at BHIS, Ethan has come to enjoy learning from his co-workers’ expertise and skillsets to help better his own. In his time off, he enjoys cooking, playing the piano, and reading fantasy novels.


Please keep an eye on this page for more updates on the Toolshed at Deadwood 2021.