BlackHat USA 2023 took place on the 9th and 10th of August 2023 in the Mandalay Bay in Las Vegas. Consecutively, DEFCON 31 took place from the 10th through the 13th of August, in Caesar’s Forum, the LINQ, Harrah’s, and the Flamingo. After visiting BlackHat USA 2022 and DEFCON 30, I had some time to reflect on it, and compare it to this year’s edition.
This year, I gave a joint talk at BlackHat’s ToolsWatch’s Arsenal talk, a DEFCON workshop, and a joint DEFCON main stage talk. I represented Trellix during all my talks, as well as my stay during the conference.
Upon my arrival on the Sunday afternoon prior to the start of the week filled with conferences, often referred to as summer camp, I was lucky to have arrived without any obstacles along the way. Bea gave a joint BlackHoodie workshop on the 7th at The Diana Initiative. Suweera, who I met at BotConf 2023, connected Bea and me to meet up at BlackHat, since she knows both of us.
Contrary to my flight, her travel experience was not without any hiccups. Her late evening flight on the 7th got cancelled last minute, and she only arrived for her joint workshop later the next day. Luckily, her co-speaker was able to fill in until Bea arrived. From what I’ve heard, the workshop was received very well.
After her workshop was over, we met up, together with a friend of Bea, Pam. The three of us had dinner at the place I ate at for most of my stay: the In-N-Out Burger next to the LINQ. Even though we couldn’t find a seat indoors, we sat on the bench near the water feature. It was warm, about 30 degrees Celsius, but bearable since the sun had set. As luck would have it, this was only one of the two outside meals I had.
I was given additional badges by DEFCON for my speaking activities, two of which I handed out to people from underrepresented groups. The two recipients of the badges were Flaminia and Kinley, as shown in the pictures below. I’d like to thank my employer, Trellix, for supporting activities such as this.
While the conference itself usually lasts two days, I was only able to attend one and a half days, since my DEFCON workshop took place on the 10th as well. The conference was set up superbly, and the communication prior to, during, and after the conference was clear and welcoming. I’d like to thank Lisa Hatley-Nasr and Tony from BlackHat, and NJ and Rachid from ToolsWatch for once again creating such an experience. Alas, Faisal from ToolsWatch could not make it to BlackHat this time around.
The business hall was the same size as last year, making it a daunting task to visit all the booths, if one desires so. The lunch was great, with BBQ brisket, chicken, salad, and apple crumble pie to top it off. The size of the Arsenal was easily twice as big as it was last year, meaning there was more room for an audience to form in front of each booth, while simultaneously also decreasing the noise from other presentations that happened at the same time.
At the speaker drinks, I also met David, an old student of Bramwell, who presented his Scanhanced tool. Since my joint Arsenal talk and his Arsenal talk were scheduled at the same time, neither of us could attend the other’s talk, but from what I could see from a distance, he gathered an interesting crowd.
On the 9th, I gave a joint talk with Dr. Bramwell Brizendine and Jake Hince about Windows shellcode, analysis with SHAREM, and the Ghidra script I created. This collaboration warrants a back story, since I met Bramwell at BlackHat Middle East and Africa last year. Currently, he is a professor at the University of Alabama-Huntsville.
Technically, we were both at atHack in 2021 (which was organised by BlackHat/Informa as a trial run for the BlackHat there in 2022), as we found out since Bramwell took a few pictures of my presentation to share with his students. Unfortunately, we didn’t connect back then. When we first met in 2022, I was interested in his shellcode analysis tool SHAREM. We spoke about it, exchanged contact details, and stayed in touch.
In December 2022, we met again at BlackHat Europe in London, where I discussed the Ghidra script idea I had, to ingest SHAREM’s output in Ghidra. Since SHAREM is specialised in shellcode analysis, its output tends to be better than Ghidra’s default analysis, especially since SHAREM emulates the code. While Ghidra can also emulate code, it’s easier and better to utilise SHAREM for this purpose, since it was specifically designed for such tasks.
As time progressed, we wanted to submit it to the BlackHat Arsenal by ToolsWatch, since that’s where our collaboration started, which is exactly what we did. While I’ve had the pleasure to meet many like-minded people at past events, this has been my first collaboration which originates from the Arsenal. Jake is an old student of Bramwell, who has contributed to SHAREM. The three of us also gave a joint DEFCON talk, more on which below. I am really happy with how our presentation turned out. The Arsenal’s format is rather open and allows for more in-person contact with the audience, as well as more live demos.
Aside from meeting David and Jake, I also met Micah and Logan. The former is an old student of Bramwell, whereas the latter attends the same university as a PhD student. The lot of us met up during the week to enjoy the conferences and several meals as a group. During some of our time together, I got an any% speedrun course about the American school system and how the credit score works and is maintained.
On the 10th, I gave my workshop about DotNet malware analysis at 14:00. I brought stroopwafels for all attendees, to share something Dutch with people abroad. Both the workshop and the stroopwafels were met with great enthusiasm.
The attendees of the workshop were well prepared and participated eagerly. The content I had prepared came, with adaptations during the workshop, to an end after exactly four hours, down to the minute. I am more than happy with the content, the delivery, the audience’s eagerness, and the timing. All in all, I’m hoping and planning to give more workshops in the future.
The joint talk with Bramwell and Jake on the main stage covered the same tools as our Arsenal presentation, but from a different angle: not so much the tools themselves, but rather the theory behind them. The DEFCON room was nearly full during our talk, which was a great experience. According to my rough estimate, about 850 people were seated in the room, along with a few people who were standing in the back.
Since we filled the complete time slot with our talk, we had a brief Q&A moment just off stage, where we had several people who were interested in the content and tooling. Some had questions, while some were kind enough to just stop by and thank us for the presentation.
One evening during the week, Micah, Logan, David, Jake, Bramwell, and I went to Capo’s Restaurant and Speakeasy, per Bramwell’s recommendation. The ciabatta as a starter was good, as was the meatball we split. The lasagna was too much, since my appetite is accustomed to European portions, albeit tasty. The fusion between the American and Italian food was noticeable, leading to a different experience than one would have in Italy, but certainly not in a negative way.
All in all, at the end of the week, it was time to say goodbye to everybody again. While I’m sure I’ll meet people again somewhere sometime, it’s always the ending which is the hardest. Even if it is only temporary. Until we meet again!