Listen to this Post

Introduction:
The cybersecurity landscape is perpetually evolving, demanding constant skill refinement and knowledge expansion. The recent Security BSides Sydney 2025 conference served as a critical hub for this very purpose, featuring a lineup of hands-on workshops designed to equip professionals with cutting-edge defensive and offensive techniques. From the depths of memory forensics to the sprawling attack surface of IoT devices, these sessions provided actionable insights into modern security challenges.
Learning Objectives:
- Understand the practical application of memory forensics for advanced malware detection and threat hunting.
- Learn to leverage Windows Event Logs and Kerberos protocol analysis to identify and mitigate Active Directory attacks.
- Develop strategies for securing IoT ecosystems and applying machine learning to traditional security data analysis.
You Should Know:
1. Hunting the Unseen: Mastering Memory Forensics
Memory forensics is the art of analyzing a computer’s volatile memory (RAM) to uncover stealthy malware, rootkits, and unauthorized user activity that traditional disk-based forensics often misses. It allows investigators to see what was actually running on a system at the time of acquisition.
Step‑by‑step guide explaining what this does and how to use it.
Step 1: Acquire Memory. The first step is to capture the physical memory of a suspect system. On a Windows machine, this can be done using tools like `WinPmem` or DumpIt.
Command: `winpmem_minimal_x64_rc2.exe –output memory.raw`
Step 2: Analyze with Volatility. The industry-standard tool for memory analysis is Volatility. You need to identify the correct profile (OS version) for the memory dump.
Command: `volatility -f memory.raw imageinfo`
Step 3: Hunt for Malware. Once the profile is identified, you can list processes, scan for hidden or injected code, and extract network connections.
Commands:
`volatility -f memory.raw –profile=Win10x64_19041 pslist` (List processes)
`volatility -f memory.raw –profile=Win10x64_19041 malfind` (Find hidden/injected code)
`volatility -f memory.raw –profile=Win10x64_19041 netscan` (List network connections)
2. Malware Detection through Windows Event Logs
Windows Event Logs are a goldmine for detecting malicious activity, offering a detailed audit trail of system, security, and application events. Properly configured and analyzed, they can reveal everything from brute-force attacks to lateral movement.
Step‑by‑step guide explaining what this does and how to use it.
Step 1: Centralize Log Collection. Use Windows Event Forwarding (WEF) or a SIEM to aggregate logs from multiple endpoints for centralized analysis.
Step 2: Identify Key Event IDs. Focus on high-value security events.
Event ID 4625: Failed logon attempt (potential brute-force attack).
Event ID 4688: A new process was created (tracking execution).
Event ID 4672: Special privileges assigned to a new logon (indicates admin activity).
Step 3: Proactive Hunting with PowerShell. Use PowerShell to query event logs for specific indicators.
Command: `Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4625 -and $_.Message -like “%%2313”}` (This searches for specific logon failure reasons).
- Active Directory Security – Taming the Hound of Hades
Active Directory (AD) is the cornerstone of most corporate networks and a primary target for attackers. “Taming the Hound of Hades” refers to defending against advanced Kerberos-based attacks like Golden Ticket and Silver Ticket attacks that grant attackers persistent, elevated access.
Step‑by‑step guide explaining what this does and how to use it.
Step 1: Harden Kerberos. Implement strong Kerberos policies, including using AES encryption instead of RC4 and setting a short maximum ticket lifetime.
Step 2: Monitor for Anomalies. Use tools like Microsoft’s Advanced Threat Analytics (ATA) or Azure Sentinel to detect suspicious Kerberos traffic, such as encryption downgrade attacks or abnormal ticket request times.
Step 3: Implement Least Privilege. Strictly control membership in privileged groups like Domain Admins, Enterprise Admins, and Schema Admins. Use tiered administration models to limit lateral movement.
4. The Invisible Threat: Securing Everyday IoT Devices
The proliferation of IoT devices has created a vast and often overlooked attack surface. These devices, from smart cameras to sensors, are frequently shipped with default credentials, unpatched firmware, and insecure network services.
Step‑by‑step guide explaining what this does and how to use it.
Step 1: Network Segmentation. Isolate IoT devices on a separate VLAN from your main corporate network to contain potential breaches.
Step 2: Vulnerability Scanning. Use tools like `Nmap` to discover devices and scan for open ports and services.
Command: `nmap -sV -p- 192.168.2.0/24` (Scans all ports and attempts service version detection on the IoT subnet).
Step 3: Firmware Analysis and Hardening. Where possible, download the latest firmware from the vendor. For deeper analysis, tools like `Binwalk` can extract filesystems from firmware images to check for hardcoded secrets.
Command: `binwalk -e firmware.bin` (Extracts embedded files and filesystems).
- I Want to Force Piles of Text into Traditional ML Models
Applying Machine Learning (ML) to security often involves processing unstructured text data, such as log files, threat intelligence reports, or code. This involves converting text into a numerical format that traditional ML models can understand.
Step‑by‑step guide explaining what this does and how to use it.
Step 1: Data Preprocessing. Clean the text data by removing punctuation, converting to lowercase, and removing common stop-words.
Step 2: Feature Extraction. Use techniques like TF-IDF (Term Frequency-Inverse Document Frequency) or Word2Vec to convert text into feature vectors.
Step 3: Model Training and Classification. Use a Python library like Scikit-learn to train a classifier (e.g., Naive Bayes or Support Vector Machine) to categorize the text (e.g., “malicious” vs. “benign” log entry).
Python Snippet:
from sklearn.feature_extraction.text import TfidfVectorizer from sklearn.naive_bayes import MultinomialNB Sample: logs and their labels (1=malicious, 0=benign) logs = ['failed password for root', 'user admin logged in', ...] labels = [1, 0, ...] vectorizer = TfidfVectorizer() X = vectorizer.fit_transform(logs) model = MultinomialNB() model.fit(X, labels) Predict a new log entry new_log = vectorizer.transform(['password failed for administrator']) prediction = model.predict(new_log) print(prediction)
What Undercode Say:
- The democratization of advanced security techniques is critical. Workshops that turn complex concepts like memory forensics and Kerberos attacks into hands-on, actionable skills are no longer a luxury but a necessity for building a resilient security posture.
- The focus on IoT and ML signifies a strategic pivot. The industry is moving beyond traditional perimeter defense to address the massive, data-rich, and soft targets presented by the Internet of Things and is beginning to weaponize data science for proactive defense.
Analysis:
The BSides Sydney 2025 workshop lineup reveals a clear industry trajectory towards deep technical specialization and the convergence of IT and security domains. The emphasis on memory forensics and AD Kerberos attacks shows a mature understanding of modern adversary Tradecraft, acknowledging that attacks are now “living off the land” and hiding in plain sight. Simultaneously, the inclusion of IoT and ML workshops highlights the front-line of emerging threats and defenses. This isn’t just about building stronger walls; it’s about creating smarter, more adaptive sentinels that can analyze vast amounts of data and secure an exponentially growing attack surface. The community’s hunger for these hands-on, technical deep-dives proves that theoretical knowledge is no longer sufficient to combat the sophisticated threats of today and tomorrow.
Prediction:
The techniques showcased at BSides Sydney 2025, particularly in IoT security and ML-powered defense, will become mainstream within the next 2-3 years. We will see a surge in automated penetration testing tools tailored for IoT ecosystems and the widespread integration of lightweight ML models into EDR (Endpoint Detection and Response) and SIEM platforms for real-time, behavioral anomaly detection. Furthermore, as Kerberos-relaying defenses improve, attackers will pivot towards exploiting other authentication protocols and identity federation systems like SAML and OAuth, making “Identity Threat Detection and Response” a mandatory layer of enterprise security.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Bsides Sydney – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


