--[ Workshops

----[ Introduction to Ghidra and Reverse Engineering

$ getent passwd sdeaton
├─ name: Sean Deaton
└── org: Blue Star Cyber

Sean is an alumnus of the United States Military Academy (B.S. 2017) and Georgia Tech (M.S. 2021), where he studied Computer Science. After commissioning as a Cyber Officer in the U.S. Army, Sean served as a developer with the 780th MI BDE. He now works as a vulnerability researcher for Blue Star and Bogart Associates, with particular interests in fuzzing, data flow analysis, and decompilation theory. When he’s not finding bugs or working on training material, he spends his time at the dog park trying to burn off his corgi’s seemingly unlimited energy.


We found that most other courses focus solely on the tool. So we set out to build a course that also provides a great introduction to software reverse engineering. This six-hour course will get you up to speed on the latest reverse engineering techniques and how to use the open-source software, Ghidra, to find bugs. We updated our course in 2022 to support Ghidra 10.2.

Terminal Learning Objectives

At the end of this course, students will be able to:

  • Describe the Executable and Linkable Format (ELF).
  • Install Ghidra on their platform of choice (Linux, Windows, or Mac).
  • Create a non-shared project and load an executable into Ghidra.
  • Understand blocks of x86 and amd64 assembly.
  • Describe the function prologue and function epilogue.
  • Describe how stack space is allocated.
  • Manipulate variables with the stack editor.
  • Understand the difference between calling conventions on both x86 and amd64, to include stdcall, fastcall, cdecl, thiscall, Microsoft x64, and System V amd64.
  • Understand the relationship between caller and callee-saved registers.
  • Write custom Ghidra scripts in Python to find symbols of interest.
  • Describe the difference between linear sweep and recursive descent disassembly algorithms.
  • Understand imported and exported symbols.
  • Know where to start reversing when given an ELF for x86 or amd64.
  • Navigate the Ghidra API documentation.
Our Methods

We believe that knowledge should be accessible. To break down physical barriers, all of our courses take place on Discord. We’ve made a custom server where students can follow along and interact with instructors in high definition. Virtual breakout rooms allow students to collaborate and work on labs and quickly get the attention of instructors when assistance is needed. When the class is over, you’ll have access to all the recordings to ensure you never forget the experience.


Hardware and software:

  • Dual-core CPU or better.
  • 4 GB RAM or better.
  • 25 GB+ of free hard drive space for installation and materials.
  • 25 Mbs+ of reliable Internet download speed or better.
  • Windows, Linux, or macOS.
  • A Discord account.
  • Java Runtime Environment.
  • Can I use an Apple Silicon device to take this course?

    We’ve designed our course to work on both amd64 and arm64 architectures for Linux and Mac. So you won’t have any issues.

  • Can I use a Windows arm64 device, like a Surface Pro, to take this course?

    While we have tested our course on Linux and macOS devices on arm64, we have not tried it on arm64 Windows. So while we don’t expect any issues, don’t hesitate to contact us if you plan to use one of these devices.

  • Do I need a microphone or a webcam?

    We would love to see your smiling face, but a webcam is not required. A microphone would help when asking questions or interacting with the instructors, but you can always write questions or comments in the text channel.

----[ Developing Containerized Webapps in Python

$ getent passwd mstone
├─── name: MAJ Brent Stone
├──── org: ARCYBER TWC
└─ social:
   └─ github: brent-stone

ARCYBER Capability Developer site lead, habitual DEFCON and AVENGERCON speaker, and co-founder of Stoneguard Software LLC specializing in AI/ML and video game R&D.


Brent walks students through the elements necessary to deploy a robust Python based web application using Docker-Compose, FastAPI, Postgres accessed via SQLAlchemy and versioned using Alembic, Redis accessed via Celery and observed via Flower, and RESTful testing using Swagger, Pydantic, and Pytest.

This class is for advanced python programmers with access to computers running docker and docker compose. UNIX experience is a big plus.


Student will need to bring their own computers that can run Python, Docker, and Docker Compose in order to follow along. We'll need internet access so students can pull down images and python dependencies.

----[ Intro to Reverse Engineering

$ getent passwd jblackthorne
├─── name: Jeremy Blackthorne
├──── org: Boston Cybernetics Institute
└─ social:
   └─ twitter: @0xJeremy

Jeremy Blackthorne is the lead instructor for the Boston Cybernetics Institute (BCI) where he develops training for the U.S. military. Before BCI, he was a researcher at Lincoln Laboratory focusing on CNO tactics. Jeremy has published research on various topics, including covert channels, environmental keying, and evading security products. From 2002 – 2006, he served in the U.S. Marine Corps as a rifleman and scout sniper. He is a proud alumnus of RPISEC.


Reverse engineering is an essential skill for many tasks in cybersecurity such as malware analysis, vulnerability discovery, and exploitation. In this 6-hour course, we teach students how to use IDA and Ghidra on x86/x64 binaries in Linux as applied to these various tasks.

This is a majority hands-on course with theory and lecture as needed. Exercises balance fundamentals with modern applications. After completing this course, students will have the practical skills to apply reverse engineering in their day-to-day work.


We provide a virtual machine, bundled with all necessary software, exercises, and educational materials. Just have VMWare or VirtualBox. We'll send out the VM before the workshop.

----[ Using Containers to Analyze Malware at Scale

$ getent passwd jfernandez
├─── name: Jose Fernandez
├──── org: CompSec Direct LLC
└─ social:
   └─ twitter: @jfersec

José Fernández is the President and owner of CompSec Direct. He is an InfoSec researcher with over 20 years of experience in the IT field. Jose specializes in InfoSec research by applying offensive methodologies towards practical defensive measures. Jose’s background in CNO, CND, and engineering has allowed him to work in some of the most technically demanding environments throughout his career in both private and public sector. Mr. Fernandez is a Veteran, and serves as a recruitment lead for AUSCF.


This workshop will focus on teaching participants how to handle malware and analyze samples using both Windows and Linux containers. The workshop will focus on leveraging open-source tools, and techniques to build out a simple analysis queue pipeline to allow students to analyze multiple samples at scale within a controlled environment. The workshop will give students experience in creating repeatable workflows to not only perform malware analysis, but also how to leverage automation for similar tasks using boilerplate workflows.

----[ Cyber Data Science for DCO

$ getent passwd jbaxter
├─── name: Jacob Baxter
├──── org: Orang Labs
└─ social:
   └─ twitter: @BenevOrang

A Former Army Officer, Jacob is a technologist who has always followed his curiosity and interest in technology, having a core belief in its ability to make the world a better place. He has a background in Applied Mathematics and got into Cybersecurity as an Army Officer, working a defensive mission set on traditional large enterprise networks, while based in Augusta, GA. He's been in the field now for about 6 years, and then has spent time doing a lot of research at DARPA and in the DOD on using programming, data science, and machine learning to try to help improve Cybersecurity. Presently he spends a majority of his time working on tough research questions as a Research Fellow in the United States Military Academy's Cyber Research Center and trying to make cool tech at Orang Labs. He's been a practicing Cyber Data Scientist for over 5 years, with experience utilizing Data Science for Cyber Problems in DOD DCO, at DARPA, and in his current roles. If he wasn't working the 9 to 5, all of his friends know he'd be found on a side-street in Bali, speaking Indonesian with the local Ayam Goreng (fried chicken) or Sate cart, waiting for his next Ultimate Frisbee game to start.


This workshop will teach the basics of performing Data Science and Machine Learning in Python for Cyber Security Applications. We'll cover statistical, graph, unsupervised, and supervised approaches to analytics. Attendees will walk away with the ability to use Python to answer questions about Cyber Data, such as projecting and grouping similar IPs based on their network flows, predicting unlabeled admin accounts from account behavior, and visualizing these types of problems to help communicate to other analysts and stakeholders.


Students need to come prepared with the following:

  • Knowledge: Students should have a basic familiarity with Python, as well as familiarity with how Networked Systems work and the types of data traditionally observed from a defensive perspective, such as Flow, Zeek, Authentication logs, etc.

    If you’re a bit rusty at Python and/or have never touched Pandas, I would highly recommend checking out something like https://www.codecademy.com/learn/paths/data-science, specifically focusing on their pandas and matplotlib tutorials. We’re going to be doing a lot with pandas DataFrames, which is kind of like having a little in-memory database or excel file. It’ll be your mini Data Science SIEM for the work we do. So if you already work in Splunk or ELK a bunch, a lot of what you might pick up in this course is other ways to do some of the same kinds of queries you already do.

    If you’d like to brush up on some math that can be helpful, I love: https://www.youtube.com/watch?v=kjBOesZCoqc&list=PL0-GT3co4r2y2YErbmuJw2L5tW4Ew2O5B — ultimately, Linear Algebra can often be though of as just a type of data structure that allows us to do things very efficiently, take advantage of how we can encode most data into geometric spaces, and then leverage nice math to find cool insights. Grant’s videos are highly visual and aim for an intuition, rather than what you might see (and dread) in a college course.

    From a Cyber perspective, I plan for us to primarily go over some anonymized flow records and windows event logs; if you haven’t seen much of these, I’d definitely read about them. Flow is very similar to the Zeek conn table.

  • Infrastructure: Students should have a data science capable laptop with ~16 GB of memory. They are also encouraged to have Jupyter Lab installed, be familiar with the process of installing python packages, and calling them from a Jupyter Notebook.

----[ Provenance Tracking With Attack Graphs Using SysFlow

$ getent passwd tjaeger
├─ name: Trent Jaeger
└── org: Penn State University

Prof. Trent Jaeger (Penn State) and his co-instructors, Dr. Fred Araujo and Dr. Teryl Taylor (IBM Research), explore problems in systems and software security. Prof. Jaeger has over 25 years of experience in industrial and academic research, and has made many contributions to Linux kernel security. Dr. Araujo and Dr. Taylor are Research Scientists at IBM Research, where they co-lead the team's efforts on cloud-native security. They are active contributors to open source and maintainers of the SysFlow and CNCF Falco projects.


In this workshop, students will learn skills to detect complex, stealthy attacks by leveraging attack graphs built from known threats. We will provide students with hands-on experience of analyzing possible attacks using system provenance augmented by attack graphs using the SysFlow system. We will first introduce the students to SysFlow provenance tracking and analysis of attacks on hosts. We will then provide students with the experience of diagnosing more complex attacks using attack graphs to annotate provenance state with critical runtime information in SysFlow. Lastly, students will then learn how to analyze interprocess SysFlow provenance using attack graphs to detect stealthier attacks that span multiple processes.

----[ Rapid Prototyping of Machine Learning Solutions

$ getent passwd mcruickshank
├─── name: Major Iain J. Cruickshank
├──── org: ACI
└─ social:
   └─ linkedin: linkedin

Major Iain Cruickshank is a research scientist at the Army Cyber Institute, where he researches computational social science methodologies and machine learning techniques. He has previous assignments at the 780th MI BDE and the Army's Artificial Intelligence Integration Center. He is also an active competitive data scientist with notable wins in tabular, computer vision, and text-based competitions.


Have you ever come across a task where you think a machine learning (ML) model might help automate or even do the task better and faster than you can? Have you ever wanted to experiment with implementing your own ML solutions, but aren’t sure where to start? In this tutorial, I will be showing you how to implement quick machine learning solutions, from open source and freely available tools, for a variety of real-world problems. As part of the tutorial, we will explore the methodology for implementing quick, real-world ML solutions across a variety of data scenarios (i.e. text, tabular, image). We will then get hands-on with the actual code and processes for implementing these solutions. Finally, we conclude the tutorial by doing a timed competition to implement a machine learning model on real data. At the conclusion of the tutorial, participants will have gained hands-on experience with implementing state-of-the-art machine learning solutions to real-world problems with various types of data.


For the tutorial, students will need to have at least a basic level of proficiency with Python; understand functions, objects, loops, control flows, and variables. Knowledge of data-centric Python (i.e. Pandas, file I/O, etc.) is preferable.

----[ Making Your Pocket Spook Less Spooky: Upgrading the Privacy of Android Smartphones

$ getent passwd mmilchak
├─ name: MAJ Neil Milchak
└── org: 780th MI BDE

Neil is a software developer with the 780th MI BDE, a longtime AvengerCon volunteer, and is an OSINT, online privacy, and Android OS enthusiast. He holds a bachelor's of science in electrical engineering from the United States Military Academy and a masters of computer science from the Georgia Institute of Technology.


Today, the privacy and security risks and consequences of using smartphones are numerous1 2 3. Many smartphone users are either unaware of the privacy risks inherent to using smartphones with default settings and common applications, or have resigned themselves to the apparent unavoidable compromise of privacy in exchange for the convenience of a modern lifestyle and the ability to seamlessly communicate with friends and family. But is that loss of privacy really unavoidable? In this workshop, I will provide an overview of the Android operating system, the common ways that smartphone activity can be tracked, how you can analyze Android applications for privacy and security risks, and how you can configure Android devices to better respect your privacy without sacrificing all of the conveniences of the smartphone.

This podcast episode provides a excellent primer for some of the topics that we will be talking about and implementing in the workshop: https://soundcloud.com/user-98066669/176-privacy-crash-course-03-mobile-devices

  • Part 0: Android Operating System Crash Course
    • Android Runtime (ART)
    • Boot process and boot security features
    • File system
    • Android apps and permissions model
  • Part 0 Lab A: Setup and interacting with your Android VM or phone
    • Genymotion or AVD Android virtual machines
    • Using the Android Debug Bridge (ADB) interface _ Part 0 Lab B: Android Hello World
    • Intro to Android Studio
    • Building and installing custom applications on your phone
  • Part 1: Threat landscape and privacy risks
    • Online Advertising and Data Economy
    • Advertising and Telemetry SDKs
    • Preinstalled system applications
    • Google Services Framework and Play Services
    • Location and Geolocation Services
    • Privacy risks of common apps
    • Cellular network and cellular provider privacy risks
  • Part 1 Lab: Analyzing and modifying Android apps (Android RE crash course)
    • Automated scanning apps and tools
    • Analyzing app network traffic
    • Decompiling APKs
    • Modifying and recompiling APKs
    • Creating a trojaned APK
  • Part 2: Setting up and using your privacy-improved Android phone
    • App store alternatives (F-Droid, Aurora)
    • Screening and verifying non-Play Store apps
    • Phone and SMS service through VoIP and XMPP
    • Privacy-focused messaging applications
    • Disabling nosy preinstalled system applications
    • VPNs
    • Cloud storage/ file syncronization
    • Multiple User Profiles
    • Other privacy-enhancing user behaviors and OPSEC tips
  • Part 2 Exercises
    • Installing and configuring F-Droid and Aurora store
    • ProtonVPN setup
    • Disabling/reenabling applications over ADB
    • Setting up/using multiple user profiles
  • Part 3: Android Open Source Project / Custom "ROMs"
    • AOSP Overview
    • Lineage OS Features and Drawbacks
    • CalyxOS Features and Drawbacks
    • GrapheneOS Features and Drawbacks
    • Backing up device contacts, messages, photos, and other files
  • Part 3 Exercises (hardware required)
    • Backing up device contacts, messages, photos, and other files
    • Unlocking device bootloader
    • Running custom recovery
    • Install AOSP image (Lineage OS/Calyx OS/Graphene OS) to system partition
    • Boot phone into AOSP image (Lineage OS/Calyx OS/Graphene OS)

Depending on student interest and possession of compatible Android phones, I plan to stick around after the end of the workshop to help students who want to install an AOSP-based image. Feel free to reach out during the main event as well!

  1. https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
  2. https://www.cnet.com/news/geofence-warrants-how-police-can-use-protesters-phones-against-them/
  3. https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
  • Student knowledge prerequisites

    No prior technoical experience with Android is required; prior user experience with Android is highly recommended.

    Basic Linux command line knowledge and experience using virtual machines with Oracle Virtualbox is highly recommended.

  • Student resources requirements

    • Laptop computer (required)

      Students must bring a laptop that is capable of running at least two virtual machines. A system with least 8 GB of RAM will be required; 16+ GB RAM is recommended. Using a Linux or Windows host operating system is recommended if available, but Macs are also fine (just know that the instructor won't be able to troubleshoot issues on Mac hosts as effectively).

    • Required software:

      • Oracle Virtualbox 6.1. Virtualbox is required for using Genymotion.
      • Genymotion Personal Edition (you will need to create a free account).

      Prior to the workshop, the instructor will send setup instructions for student systems and provide a link to download the course VM.

    • Android phone (optional)

      Students are also highly encouraged but not required to to bring a hardware Android device that they are willing to experiment on (make sure to back up any data you want to save!). Devices that are compatible with LineageOS, CalyxOS, or GrapheneOS are ideal. Feel free to ask the instructor about your device and how to back up your data before the workshop!