We don’t generally publish slide decks from talks, as they are frequently ongoing works in progress. Here is where you can find older talks and other exceptions.
Jonathan Ham on the web
This new “Resources” page is very much a work in progress. It is where you can find links to various things we’ve promised students and colleagues, and are still working to publish.
If there’s something we’ve said we’d post and you don’t see it here, check back, or feel free to email (info@jhamcorp.com) or tweet @jhamcorp (https://twitter.com/jhamcorp)!
Resources
Things like recommended reading lists, etc., coming soon here!
Quick Links
Resources from my Favorite Talks (where available)
 jham corp.
twitter: @jhamcorp
How to Hack the GIAC

At SANS, we teach how to hack all the things. Hacking fundamentally entails an ethic of figuring out how a system works, and then leveling up to find a way to best it. The GIAC exams you face are another such system that can be approached with the hacker mind.
In this talk, Jonathan unpacks his lengthy experience with preparing for certification exams, with everything you need to consider from the time you leave class on Day 6, until the day you successfully pass your exam: when to study, how to do it, and why. All the tactics, techniques, and procedures (TTPs) it takes to ensure success, in the most efficient way.
No guessing, no worrying, no cheating. Just winning.
Seriously, I Really Can Still See You
https://www.youtube.com/watch?v=tvrF0TKPAdQ
* Note: The Bro Zeek LLMNR/WPAD detection script from the talk is now available here, as promised. I may post the actual slides in the near future as well. *

Talk Abstract:
EVIL is running amok in the hotel (network) at Wild West Hackin’ Fest in Deadwood, SD! Last year, some yahoo broke into a room, and then began pivoting through the doors to adjoining rooms. It was noisy as all hell... and who uses the side doors anyhow?!?!
So we ran that to ground in a few minutes. Lateral movement is easy to see.

This year EVIL got smarter! They just slid notices under each door, which simply said:
They thought it would work, and it did as usual. But I watched them do it, and you can too! (Imagine their surprise when I crashed the party in room #666 while it was still going on…)
So then what?
Same as last year: all analysis done quick and dirty.
No inspection beyond what’s easily instrumented:
Network flow data, traffic analysis, correlated transactions
Snort/Bro Zeek, default configs/rules/scripts only (mostly)
Command-line inspection of whatever was captured
Nothing that can’t be scripted for instant alerting!
No full content inspection:
No wireshark/tshark!
No session reconstruction for L7 content (much)
2018’s focus: Exploiting LLMNR and WPAD
Links: https://jhamcorp.com/Downloads/LLMNR_WPAD_download.bro.txt, https://www.wildwesthackinfest.com/, https://www.youtube.com/watch?v=A4mYzfNCXSs
* Note: This talk was originally developed for Wild West Hackin’ Fest 2017. You can see the original on YouTube here. When available, click the links above for the slide deck. *
Talk Abstract:
Everything leaves footprints on the network, whether it’s a frontal assault on an Internet-facing SMB, or a lateral move living off the land with harvested creds. The Red Team only has the advantage up until the window breaks (I heard that!). Once you are in my house, I have the advantage (I know that squeaky floorboard!). Here’s what it looks like when you think you can steal my stuff.
Obfuscate your PowerShell 10x. Drop PEs via DDE and Word macros. DLL inject mimikatz. Evade AV. Fine. But to MitM you have to mess with L2/L3, and to move laterally you have to do things on L3/L4 that shouldn’t be.
And when you do, I can still see you!
Links: https://www.wildwesthackinfest.com/wwhf17/, https://www.youtube.com/watch?v=A4mYzfNCXSs
Do you C2? If you do, ICU.
https://www.youtube.com/watch?v=P7LQXJOzHto
* Note: This talk was originally developed for Wild West Hackin’ Fest 2019. You can see the original on YouTube here. When available, click the links above for the slide deck. *

Talk Abstract:
Wherein an Evil Agent does what an Evil Agent has to. We will run it down once more...
Yayyyy Deadwood again! So many new scary things to learn about! Wicked Wizards and 0days! Almost certain @HackingDave and @DeviantOllam and @MalwareJake and so many others are going to shift how you think about everything!
Meanwhile, back at the office, Steve Secretary clicks a link. Then a browser goes pop. A new Evil thread emerges in the world. It doesn’t know what to do! Halp! It needs a meeting! It needs to call Mom. And when it does…
When it does, I will see it. Without spectacularly expensive tools. Without dark skills. I will see it just by looking.

But it gets real when I’m trying to find bespoke C2 traffic crafted by notorious nation-state hacker (former NSA/TAO operator) @MalwareJake...
2019’s focus: Hunting Jake Williams
Links: https://www.wildwesthackinfest.com/wwhf19, https://www.youtube.com/watch?v=P7LQXJOzHto, https://twitter.com/MalwareJake
Google Jonathan
Jonathan on LinkedIn
Jonathan on Amazon
@jhamcorp on Twitter
The SANS Institute