We don’t generally publish slide decks from talks, as they are frequently ongoing works in progress. Here is where you can find older talks and other exceptions.
 
Jonathan Ham on the web
The SANS Institute: https://www.sans.org/instructors/jonathan-ham
Google Jonathan: https://www.google.com/search?q=%22Jonathan+Ham%22++security
Jonathan on Amazon: https://www.amazon.com/default/e/B008GW018A
@jhamcorp on Twitter: https://twitter.com/jhamcorp
This new “Resources” page is very much a work in progress. It is where you can find links to various things we’ve promised students and colleagues, and are still working to publish.
If there’s something we’ve said we’d post and you don’t see it here, check back, or feel free to email or tweet at jham!
Resources
Things like recommended reading lists, etc., coming soon here!

Quick Links
Resources from Talks (where available)
jham corp.
126 East Broadway, Ste 25
Missoula, MT 59802
406-360-0396
info@jhamcorp.com
twitter: @jhamcorp
How to Hack the GIAC

At SANS, we teach how to hack all the things. Hacking fundamentally entails an ethic of figuring out how a system works, and then leveling up to find a way to best it. The GIAC exams you face are another such system that can be approached with the hacker mind.
In this talk, Jonathan unpacks his lengthy experience with preparing for certification exams, with everything you need to consider from the time you leave class on Day 6, until the day you successfully pass your exam: when to study, how to do it, and why. All the tactics, techniques, and procedures (TTPs) it takes to ensure success, in the most efficient way.
No guessing, no worrying, no cheating. Just winning.
Slides: https://jhamcorp.com/Downloads/How_to_Hack_the_GIAC.pdf
Seriously, I Really Can Still See You
* Note: The Bro/Zeek LLMNR/WPAD detection script from the talk is now available here, as promised: https://jhamcorp.com/Downloads/LLMNR_WPAD_download.bro.txt. I may post the actual slides in the near future as well. *
Talk Abstract:
EVIL is running amok in the hotel (network) at Wild West Hackin’ Fest in Deadwood, SD! Last year, some yahoo broke into a room, and then began pivoting through the doors to adjoining rooms. It was noisy as all hell... and who uses the side doors anyhow?!?!
So we ran that to ground in a few minutes. Lateral movement is easy to see.

This year EVIL got smarter! They just slid notices under each door, which simply said:
They thought it would work, and it did as usual. But I watched them do it, and you can too! (Imagine their surprise when I crashed the party in room #666 while it was still going on…)
So then what?
Same as last year: all analysis done quick and dirty.
No inspection beyond what’s easily instrumented:
  Network flow data, traffic analysis, correlated transactions
  Snort/Bro/Zeek, default configs/rules/scripts only (mostly)
  Command-line inspection of whatever was captured
  Nothing that can’t be scripted for instant alerting!
No full content inspection:
  No Wireshark/tshark!
  No session reconstruction for L7 content (much)
This year’s focus: Exploiting LLMNR and WPAD

Links:
  Detection script (Bro/Zeek): https://jhamcorp.com/Downloads/LLMNR_WPAD_download.bro.txt
  Wild West Hackin’ Fest: https://www.wildwesthackinfest.com/
  Video (YouTube): https://www.youtube.com/watch?v=A4mYzfNCXSs
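The "correlated transactions, nothing that can't be scripted for instant alerting" approach, applied to the talk's LLMNR/WPAD focus, as an added example. This is not the talk's Bro/Zeek script and not jham corp's code. It assumes a constructed, tab-separated record layout whose field names are only loosely modelled on Zeek's dns.log and http.log (not the real schema), identifies LLMNR by UDP port 5355, and runs over constructed sample records embedded in the file. The rule is: a host asking the local link for "wpad" is a policy finding; a host on the link answering that name with its own address is a candidate responder; the querier then fetching /wpad.dat from that responder within a short window is the correlated, high-confidence alert. A wpad lookup that goes to the real DNS server on port 53 is deliberately left alone.

```python
"""Correlate LLMNR answers for "wpad" with a follow-up fetch of wpad.dat.

Added example for this page; not the talk's Bro/Zeek script. The record layout
is constructed: tab-separated, header row, fields ts, log, orig_h, orig_p,
resp_h, resp_p, name, answer. Field names are loosely modelled on Zeek's
dns.log/http.log but do not reproduce its real schema.
"""
from typing import Any, Dict, List, Tuple

LLMNR_PORT = 5355       # LLMNR uses UDP 5355; link-local queries go to 224.0.0.252
WINDOW_SECONDS = 30.0   # a wpad.dat fetch this soon after an answer counts as correlated

# Constructed sample records (not captured traffic):
#  - 10.0.0.21 asks the link for "wpad" over LLMNR; 10.0.0.99 answers with its own
#    address, and 10.0.0.21 then fetches /wpad.dat from 10.0.0.99.
#  - 10.0.0.22 asks LLMNR for "fileserver": not wpad, so this rule ignores it.
#  - 10.0.0.22 resolves "wpad" via the real DNS server on port 53: expected, not flagged.
SAMPLE_LOG = """\
ts\tlog\torig_h\torig_p\tresp_h\tresp_p\tname\tanswer
100.000\tdns\t10.0.0.21\t51000\t224.0.0.252\t5355\twpad\t-
100.200\tdns\t10.0.0.99\t5355\t10.0.0.21\t51000\twpad\t10.0.0.99
101.000\thttp\t10.0.0.21\t49700\t10.0.0.99\t80\t/wpad.dat\t-
150.000\tdns\t10.0.0.22\t51001\t224.0.0.252\t5355\tfileserver\t-
200.000\tdns\t10.0.0.22\t51002\t10.0.0.1\t53\twpad\t10.0.0.10
300.000\thttp\t10.0.0.23\t49701\t10.0.0.5\t80\t/index.html\t-
"""

Record = Dict[str, Any]


def parse_records(text: str) -> List[Record]:
    """Parse header-led, tab-separated lines; malformed lines are skipped, not fatal."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    records: List[Record] = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            continue
        rec: Record = dict(zip(header, fields))
        rec["ts"] = float(rec["ts"])
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        records.append(rec)
    return records


def llmnr_wpad_events(records: List[Record]) -> Tuple[List[tuple], List[tuple]]:
    """Split dns records for the name "wpad" into LLMNR queries and LLMNR answers."""
    queries = []   # (ts, querier): a host asked the local link for a proxy config
    answers = []   # (ts, responder, querier): a host on the link answered that name
    for r in records:
        if r["log"] != "dns" or r["name"].lower() != "wpad":
            continue
        if r["resp_p"] == LLMNR_PORT:
            queries.append((r["ts"], r["orig_h"]))
        elif r["orig_p"] == LLMNR_PORT and r["answer"] != "-":
            answers.append((r["ts"], r["orig_h"], r["resp_h"]))
    return queries, answers


def correlate_wpad_fetch(records: List[Record], answers: List[tuple]) -> List[Dict[str, Any]]:
    """Pair each LLMNR wpad answer with a wpad.dat fetch by the querier from the responder."""
    hits = []
    for ts, responder, querier in answers:
        for r in records:
            if (r["log"] == "http" and r["orig_h"] == querier and r["resp_h"] == responder
                    and r["name"].lower().endswith("/wpad.dat")
                    and 0.0 <= r["ts"] - ts <= WINDOW_SECONDS):
                hits.append({"querier": querier, "responder": responder,
                             "answer_ts": ts, "fetch_ts": r["ts"]})
    return hits


def alerts_for(text: str) -> List[str]:
    """Produce one alert line per finding, highest-confidence correlation last."""
    records = parse_records(text)
    queries, answers = llmnr_wpad_events(records)
    lines = [f"LLMNR wpad query from {h} at {ts:.3f}" for ts, h in queries]
    lines += [f"LLMNR wpad answer from {resp} to {q} at {ts:.3f}" for ts, resp, q in answers]
    for hit in correlate_wpad_fetch(records, answers):
        delay = hit["fetch_ts"] - hit["answer_ts"]
        lines.append(f"HIGH: {hit['querier']} fetched wpad.dat from LLMNR responder "
                     f"{hit['responder']} {delay:.1f}s after the answer")
    return lines


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_LOG):
        print(line)
```

The three tiers matter in practice: LLMNR queries for wpad are common noise on any Windows-heavy segment, a host answering them is worth a look, and the correlated wpad.dat fetch is what turns it into something to act on. On a real sensor the same logic would consume the dns and http logs as they are written, with the 30-second window tuned to the environment.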
492063616E207374696C6C2073656520796F7521
Slides: https://jhamcorp.com/Downloads/I_Can_Still_See_You.pdf
* Note: This talk was originally developed for Wild West Hackin’ Fest 2017. You can see the original on YouTube here: https://www.youtube.com/watch?v=A4mYzfNCXSs. When available, click the links above for the slide deck. *
Talk Abstract:
Everything leaves footprints on the network, whether it’s a frontal assault on an Internet-facing SMB, or a lateral move living off the land with harvested creds. The Red Team only has the advantage up until the window breaks (I heard that!). Once you are in my house, I have the advantage (I know that squeaky floorboard!). Here’s what it looks like when you think you can steal my stuff.
Obfuscate your PowerShell 10x. Drop PEs via DDE and Word macros. DLL inject mimikatz. Evade AV. Fine. But to MitM you have to mess with L2/L3, and to move laterally you have to do things on L3/L4 that shouldn’t be.
And when you do, I can still see you!

Links:
  Wild West Hackin’ Fest 2017: https://www.wildwesthackinfest.com/wwhf17/
  Video (YouTube): https://www.youtube.com/watch?v=A4mYzfNCXSs