“Reversing WebAssembly Module 101” Patrick Ventuzelo · Workshop (90 minutes)

WebAssembly (WASM) is a new binary format currently supported by all major web-browsers (Firefox, Chrome, Safari and Edge). WebAssembly module are most commonly compiled from C/C++/Rust source code, loaded and executed inside JS scripts. It is known for being used for malicious purposes like crypto…

“CTF Prizes” Hack.lu · CTF (15 minutes)

Winners of the CTF

“Hacktivism as a defense technique in a cyberwar. #FRD Lessons for Ukraine” Kostiantyn Korsun · Talk (45 minutes)

Since 2014 Ukraine is under cyberwar.
Energy grid attack BlackEnergy switched off electricity for 230,000 people for 6 hours. NotPetya attack effected ~30% of Ukrainian economy. Airports, railways, banking system, media, critical infrastructure had been attacked by Russian cyber groups (Telebots, …

“Repacking the unpacker: Applying Time Travel Debugging to malware analysis” Benoit Sevens · Workshop (90 minutes)

In this workshop we will apply the Time Travel Debugging feature of WinDbg, one of the most powerful Windows debuggers, to the field of malware analysis. We will show with concrete examples how this technology can be very effective in reversing complex samples in a timely manner.

“Who contains the containers” Ioana Andrada, Emilien · Talk (45 minutes)

Who contain the containers ?


Today it is extremely easy to deploy micro-services using containers technologies. And as usual for every easy-to-deploy technologies, people have tendencies to not using common sense before using them: You are one-click away from being easily compromised !…

“Leveraging KVM as a debugging platform” Mathieu · Short Talk (20 minutes)

Virtual Machine Introspection keeps opening new possibilities to interact with
Virtual Machines, from sandboxing (VMRay), to cloud monitoring solutions
(BitDefender HVI).

Our debuggers needs to benefit from this approach too, and so far we have seen
multiple open source projects trying to leverage …

“Practical Incident Response, With Automation and Collaboration Inside” Saad Kadhi · Long Workshop (3 hours)

Investigating cyberattacks is now the norm, instead of the exception. The threat landscape keeps changing at a worrying pace while security analysts have to deal with growing complexity, learn new technologies and continuously adapt to rapidly evolving IT environments.

To ease up their burden and e…

“Java Web Application Secure Coding Workshop” Eva Szilagyi · Long Workshop (3 hours)

Context-dependent output encoding? Prepared statement with bind variables? Disable external entity resolution? Storing passwords in salted hash format? If you are involved in Java development, come to my workshop and we will see together, why these are important from a security perspective!

“Kill MD5 - demystifying hash collisions” Ange Albertini · Short Talk (20 minutes)

Understanding the impact of hash collisions without a PhD in crypto.
Showing how vulnerable MD5 can be.

“Defeating Bluetooth Low Energy 5 PRNG for fun and jamming” Damien Cauquil · Talk (45 minutes)

Bluetooth Low energy version 5 has been published in late 2016, but we still have
no sniffer supporting this specific version (and not that much compatible devices
as well). The problem is this new version introduces a new channel hopping algorithm
that renders previous sniffing tools useless…

“Call for Failure (CfF 0x0)” Hack.lu · Other (60 minutes)

Over Fail the untold truth behind the magic of cybersecurity

“Fileless Malware Infection and Linux Process Injection in Linux OS” アドリアン ヘンドリック - Hendrik Adrian - @MalwareMustDie · Keynote (45 minutes)

Recent development of the exploitation with file-less method is also affecting the Linux platform too. The process injection and file-less methods used for malicious code execution on some post exploitation tools for Linux are supported to perform those operations. This trend may affect many intern…

“Disturbance: on the Sorry State of Cybersecurity and Potential Cures” Saad Kadhi · Short Talk (20 minutes)

Infosec research, good and bad, abounds, like almost everything else in this ‘infobese’ era. Cybersecurity conferences are filled with presentations exposing new vulnerabilities, as if we didn’t have enough of those already, describing best practices or showcasing tools and techniques. That is fine…

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Jobfair” Hack.lu · Long Workshop (3 hours)

As Hack.lu is the biggest and most established technical information security conference in the Benelux region, it attracts a lot of highly technical attendees and some of them are looking for new challenges.

This is why we decided to give the opportunity to companies looking for such profiles to g…

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Intro to Dark Arts: Getting Started with CTFs” Sowmya, Shruti Dixit, Geethna T K · Long Workshop (3 hours)

This workshop will introduce the participants to the world of CTF contests as a way to learn real-world security skills. Providing them with the basic knowledge for playing CTF and how to get started with solving hands-on challenges in the domains of Cryptography, Reverse Engineering and Binary Exp…

“Beyond Windows Forensics with Built-in Microsoft Tooling” Thomas Fischer · Talk (45 minutes)

Microsoft has slowly been introducing tools to help organisations better manage and troubleshoot Windows performance and issues; these are now entirely integrated into Windows. To improve performance and troubleshooting capabilities, Microsoft introduced System Resource Usage Monitor (SRUM) in Wind…

“Cinema” Hack.lu · Other (60 minutes)

Your choice

“Sigma Workshop” Thomas Patzke · Long Workshop (3 hours)

How to create Sigma rules and hunt evil in logs.

“Malicious RTF Document Analysis” Didier Stevens · Long Workshop (3 hours)

Rich Text Format (RTF) documents are consumed by many applications, like Microsoft Word.

Malicious RTF documents contain exploits or embedded objects/links: in this workshop, we go through 20+ exercises to learn how to analyze these documents with Didier's tool rtfdump.py.

“Faup workshop, parse and investigate URLs!” Sebastien Tricaud · Workshop (90 minutes)

Faup is an opensource tool which allows to work with URLs. Mainly parsing, but also, browser emulation and investigation. This workshop will teach the audience how to use Faup, its library, and write modules to do nifty hacks with URLs.

“IOCs are dead, long live the IOCs!” Celine Massompierre · Workshop (90 minutes)

Finding information is not a problem, what you do with it is up to you!

Nowadays sharing Indicator of compromise (IOCs) are common, look at the Misp project for example.

At the big data era, having just an indicator like and IP address is not enough and in many cases as useful as a key of a treasu…

“Piercing the Veil: Server Side Request Forgery attacks on Internal Networks.” Alyssa Herrera · Talk (45 minutes)

I demonstrate a successful attack on a cloud-based US Defense website, gaining access to a sensitive internal network, enumeration of internal services, out of bands data leakage and attack vectors unique to cloud architecture. Additionally I will discuss mitigation points for server side request f…

“Fingerpointing False Positives: How to better integrate Continuous Improvement into Security Monitoring” Desiree Sacher · Short Talk (20 minutes)

This talk is about how you can make your Security Operation Center more efficient and give your bored-out analysts more purpose, by making a small change to your security monitoring process. With a potential huge change in your workflow, and improved results.

“DeTT&CT: Mapping your Blue Team to MITRE ATT&CK” Ruben Bouman, Marcus Bakker · Short Talk (20 minutes)

Within blue teams, it is crucial to have sufficient and adequate information on several aspects to prioritise your defence efforts. Important aspects are: visibility (indicate if you have sufficient data sources to be able to see traces of attack techniques), detection (how good are you in detectin…

“Hash collisions exploitations” Ange Albertini · Long Workshop (3 hours)

To understand the extend of MD5 and SHA1 collision without the maths,
to come up with your own collisions tricks to actually prove that MD5 shouldn't be used.

“oscd.community” Daniil Yugoslavskiy · Long Workshop (3 hours)


“The regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States” Eve Matringe · Talk (45 minutes)

The Article 215 of the Treaty on the Functioning of the European Union allows the Council to adopt restrictive measures against natural or legal persons and groups or non-State entities in some specific cases. This Regulation applies to cyber-attacks with a significant effect, including attempted c…

“Junior CTF Install Party” Axelle Apvrille · Workshop (90 minutes)

Learn how to install Junior CTF for your kids to test their hacking skills.

“AppSec 101: Understanding and exploiting buffer overflows” Antonin Beaujeant · Long Workshop (3 hours)

This workshop will explain one of the most known application security vulnerability: the buffer overflow. We will start from the very beginning explaining what a CPU is, how does it executes operations and coordinate with the memory and inputs/outputs in order to run applications. We will then have…

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Introduction to Osquery” David Szili · Long Workshop (3 hours)

This workshop will introduce osquery to the participants, starting with the capabilities of the tool, how to configure it and use extensions and how to perform fleet management to scale the solution for enterprise environments.

“Introduction to WHIDS an Open Source Endpoint Detection System for Windows” Quentin JEROME · Long Workshop (3 hours)

WHIDS is one of the first open source endpoint detection solution for windows designed with fast Incident Response in mind. It comes with a powerful rule definition format known as Gene allowing one to achieve complex detection primitives. One of its strengths compared to other approaches is that i…

“New Tales of Wireless Input Devices” Gerhard Klostermeier, Matthias Deeg · Talk (45 minutes)

In our talk, we will present new security tales and vulnerabilities of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years.

In 2016, we published the results of our research project "Of Mice and Keyboards: On the Security of Mode…

“The Red Square - Mapping the connections inside Russia's APT Ecosystem” Ari Eitan, Itay Cohen · Short Talk (20 minutes)

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there -- and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the stro…

“What the log?! So many events, so little time…” Miriam Wiesner · Talk (45 minutes)

Detecting adversaries is not always easy. Especially when it comes to correlating Windows Event Logs to real-world attack patterns and techniques.

Join me to find out how to match Windows Event Log IDs with the MITRE ATT&CK framework and methods to simplify the detection in your environment.

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Learn to use ONYPHE to have a view on your Internet exposed devices” Patrice Auffret · Workshop (90 minutes)

When a company grows, it becomes difficult to track every Internet exposed assets. Especially nowadays, with the prevalence of shadow IT and shadow Cloud services. Bad guys know it too well, they have tools and do monitor your exposed infrasctructure. You should be the first to uncover a vulnerabil…

“Memory forensics analysis of Cisco IOS XR 32 bits routers with 'Amnesic-Sherpa'” Solal jacob · Short Talk (20 minutes)

Nowadays attackers are targeting not only computers but also core network equipment like routers by using memory-only attacks that are difficult to detect as the firmware image is not modified. In order to determine if a router was compromised by a memory-only attack, we need to be able to perform …

“Sensor & Logic Attack Surface of Driverless Vehicles” Zoz · Talk (45 minutes)

Networked and connected vehicles have the same network attack surface as other IoT devices, but are also heavily reliant on sensor inputs and the need for split second decision making under uncertain conditions, making them suffer a unique set of vulnerabilities even when network attacks are discou…

“Cinema” Hack.lu · Other (60 minutes)

Your choice

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Effectiveness in simplicity: The Taskmasters APT” Elmar Nabigaev · Short Talk (20 minutes)

It is often thought that APT attacks is complex and involve 0-day exploits, stealthy lateral movement and hidden exfiltration path.
While this can be true, it is rarely the case. Even APT actors follow "it if works - don't broke it" rule and use tried and true tactics. If they can get away with it …

“DNS On Fire” Warren Mercer, Rascagneres Paul · Talk (45 minutes)

Cisco Talos identified malicious actors targeting the DNS protocol successfully for the past several years. In the presentation, we will present 2 threat actors we have been tracking.

The first one developed a piece of malware, named DNSpionage, targeting several government agencies in the Middle E…

“Snarf it! Firmware extraction and analysis with open source tools.” Pauline · Workshop (90 minutes)

At the core of every IoT device is its firmware. Detailed security assessment of devices starts with obtaining a copy of the firmware. The firmware can then be statically analysed or dynamically. Several techniques exist for firmware extraction.
This workshop takes participants through a low level…

“DOS Software Security: Is there Anyone Left to Patch a 25-year old Vulnerability?” Alexandre Bartel · Talk (45 minutes)

Abstract. DOS (Disk Operating System) systems were developed in the
1970s and are still used today, for example in some embedded systems,
management applications or by the gaming community. In this article
we will study the impact of the (lack of) security of DOS applications
on modern systems. We …

“Power Point Karaoke” Hack.lu · Other (60 minutes)


“The Road to Hell is Paved with Bad Passwords” Chris Kubecka · Talk (45 minutes)

Ever wonder what incident management is like when an embassy gets hacked, by ISIS? Come on a journey of surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity, city wide security lock down, all while >400 dignitary’s lives dangle in the negotiatio…

“Say Cheese - How I Ransomwared your DSLR Camera” Eyal Itkin · Talk (45 minutes)

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are enc…

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“Hacking Bluetooth Low Energy devices with Btlejack” Damien Cauquil · Workshop (90 minutes)

This workshop will dive in the Bluetooth Low Energy specifications and teach you how to use Btlejack and its features to hack various BLE devices.

You will learn about the various versions of Bluetooth Low Energy (from 4.0 to 5.1), how to effectively perform reconnaissance, how to sniff and analyze…

“Defeating APT10 Compiler-level Obfuscations” Takahiro Haruyama · Short Talk (20 minutes)

Compiler-level obfuscations like opaque predicates and control flow flattening are starting to be observed in the wild and will be a challenge for malware analysts and researchers. Opaque predicates and control flow flattening are obfuscation methods used to limit malware analysis by defining unuse…

“The Glitch In The Matrix” Marion · Talk (45 minutes)

Compared to the hordes of code reviewers and review tools that skim through pristine source code with every release cycle, the attention binary output gets from security engineers is limited. And why would security folks bother, bugs are all human-made; or, are they? Honestly, in reality, most are.…

“Open the safe and get cured.” Stijn Tomme · Workshop (90 minutes)

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

“spispy: opensource SPI flash emulation” Trammell Hudson · Talk (45 minutes)

spispy is an open source hardware tool for emulating SPI flash chips that makes firmware development and boot security research easier. In this talk we'll discuss the challenges of interfacing on the SPI bus and emulating SPI devices, as well as demonstrate how to use it quickly debug issues with c…

“Tiplines Today” harlo · Keynote (45 minutes)

Nowadays, the majority of US-based newsrooms rely on primarily consumer-facing applications to facilitate secure communications with sources. Usage of tools like Signal, WhatsApp, Threema, and others, have spiked in usage as the most state-of-the-art way to ensure confidential conversations with at…

“Smartphone apps: let's talk about privacy” Axelle Apvrille · Short Talk (20 minutes)

Smartphone applications do not respect your privacy.
If you are at Hack.Lu, you probably more or less already know this.
In the best cases, you found a few solutions to minimize the issue.
Or you surrendered (what can we do about it, huh?).

But are you really aware of the extent of the problem? Is …

“Exploiting bug report systems in the game industry” Andreia Gaita · Talk (45 minutes)

In the world of development, what do you do when you run into a bug in the library, framework, or middleware you're using? You submit a bug report and describe the steps. The companies providing you with the software expect and encourage you to send in repro code, but the bigger the system, the mor…