My impression of TDI 2024, BlackHat USA 2024 and DEFCON 32
2024-8-18 23:59:11 Author: maxkersten.nl

The Diana Initiative 2024 took place in the Westin on the 5th of August, followed by BlackHat USA 2024 in the Mandalay Bay on the 7th and 8th and DEFCON 32 in the Las Vegas Convention Center on the 9th, 10th and 11th of August. This year, I gave workshops at The Diana Initiative, BlackHat USA, and DEFCON, as well as a talk at DEFCON’s main stage. I represented Trellix during the conferences.

The Diana Initiative

The Diana Initiative is a one-day conference with a mission to create a more inclusive information security industry. The focus of the conference is to help underrepresented people in information security. The conference itself felt wholesome in every aspect, and the responsive and accommodating organisers pulled off an incredibly well organised and put-together conference. The goal of the conference is one I wholly support, and I am glad to have been able to contribute to it, even if only slightly.

My DotNet malware analysis workshop lasted from 0800 through 1200. Despite the early start, the queue for the badge pickup was lengthy, and the workshop attendees were enthusiastic and eager to get started. The workshop’s focus was to help people get started with the analysis of DotNet malware. I gave workshops on DotNet related topics before at Botconf 2024 and DEFCON 31. The feedback from the attendees was overwhelmingly positive, which I am more than happy with.

After the conference, Bea and Alex gave their BlackHoodie workshop for women, and I chatted with the folks from the ICS Village. Bea gave me a 3D printed cookie stamp to make “Lockbite” cookies with the Lockbit 3.0 logo in them.

BlackHat USA

BlackHat’s conference lasts two days, but the trainings start prior to the conference. On Tuesday, the day prior to the conference, I came to the briefing hall to prepare the 12 Arsenal Labs laptops. The lab’s set-up, as well as the whole conference’s organisation, went without a hitch. The two days of talks and networking flew by way too quickly.

I’d like to thank Lisa Hatley-Nasr, Tony, and Dr. Bramwell Brizendine from BlackHat, and NJ and Rachid from ToolsWatch once again for creating such an experience. Alas, Faisal from ToolsWatch could not make it to BlackHat this time around.

My Arsenal lab, a 90 minute workshop, dove into the WhisperGate wiper with Ghidra. The attendees could follow along as long as they desired during the 90 minutes. Leaving the lab would open up a laptop for someone else to start working on the exercises.

This set-up warranted a bit of a change with regards to the workshops I am used to, where the audience does not change over the course of the four hour runtime. Tony gave some great feedback about one-third into the workshop, which I feel greatly improved my handling of the lab. Additionally, I’d like to thank Logan for his feedback regarding a previous workshop of mine, which I feel also helped me improve. The attendees were positive about the workshop and some even stayed until after the lab had finished. The change-up in style and the enthusiastic attendees make me look forward to applying for another lab another time.

The talks from Nicole and JAGS about reverse engineering Rust binaries, as well as the talk about hacking electric vehicle chargers by Thijs and Khaled were well structured and provided insight into the respective research areas.

DEFCON

During my stay for DEFCON I stayed in the Rio hotel. Previous editions of DEFCON were hosted in the meeting rooms of several casinos as well as Caesar’s Forum. Contrary to those previous editions, this year’s edition was held at the Las Vegas Convention Center (LVCC).

The convention center does not have as many hotel rooms in close proximity as the previous location does. As such, the commute to and from the conference itself is further, especially when staying at the Rio, as the monorail isn’t close to it either. To resolve this, DEFCON provided shuttle buses between the Rio and the convention center on a nearly 24 hour schedule.

While the convention center had a food court, there is no better burger place than the In-N-Out, where I got more burgers throughout the week than I am willing to admit.

On Friday, DEFCON’s first conference day, I gave my workshop and my talk. In the early morning, before the first talk, I came over to the track where I would talk later that day. To respect the privacy of DEFCON attendees, I took a picture of the empty track room, which goes to show the point of view when giving the talk.

The talk itself, covered in detail in this blog, went great! Sharing a nearly 10 000 word blog in 20 minutes required me to be selective about what (not) to include. I wanted the talk’s story to be clear for everybody, allowing people to dig into details on their own when so desired with the help of the blog. I specifically opted for a 20 minute talk, as I figured that having 45 minutes to share this story wouldn’t suffice, and would not add value over a 20 minute talk.

The workshop, covering Ghidra and automating tasks, was also filled with enthusiastic and eager attendees. With a variety of questions coming from the attendees, it made four hours fly by. Based on the positive feedback and messages I received, I can safely say that this workshop was also a success!

As was usual in other DEFCON venues, the often photographed and yearly changing DEFCON mural was present at the main entrance, showcasing this year’s theme: engage.

I’ve thoroughly enjoyed presenting and visiting Las Vegas’ summercamp this year, and I hope to return in 2025.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on Twitter @Libranalysis.


Article source: https://maxkersten.nl/2024/08/18/my-impression-of-tdi-2024-blackhat-usa-2024-and-defcon-32/