It is an annual, community-driven information security conference held in Prague. The event provides a platform for cybersecurity professionals, enthusiasts, and researchers to share knowledge, exchange ideas, and discuss the latest trends in the field. It’s a unique opportunity to connect with like-minded individuals, expand professional networks, and stay informed about the ever-evolving cybersecurity landscape.
More info at www.bsidesprg.cz

Tuesday, April 21
 

09:00 CEST

Autonomous Malware Logic: Practical Design and Analysis of Stealth Execution Techniques
Modern malware increasingly relies on autonomous execution logic rather than immediate payload execution. This workshop demonstrates how such malware performs inspection and delayed activation to evade dynamic analysis and endpoint protection (practical learning for offensive and defensive security engineers).

Overview
As endpoint detection, sandboxing, and behavioral monitoring mature, malware has increasingly shifted toward autonomous execution models. Rather than immediately performing network communication or malicious actions, many implants now embed logic that inspects the execution environment and defers activity until specific conditions are met.

This workshop examines the technical mechanisms behind dormant and conditionally executed malware behavior, focusing on how execution flow is gated by environmental signals rather than external commands.


Technical focus areas
Participants will work with controlled samples that demonstrate:
  • Environment inspection using operating system APIs (network availability, adapter state, DNS resolution, system uptime)
  • Conditional execution paths implemented through state machines and decision trees
  • Delayed activation logic based on runtime conditions rather than timers alone
  • Why standard tools such as process monitors, network captures, and sandbox environments frequently observe no actionable behavior
  • How conditional execution impacts both red team validation and blue team detection strategies
Hands-on approach
The workshop is structured around practical analysis rather than exploitation. Attendees will trace execution paths, identify dormant branches, and observe how small environmental changes alter program behavior. All demonstrations are non-destructive and run in isolated lab environments.


Outcome
By the end of the session, participants will be able to recognize environment-aware execution patterns, understand why dormant malware often evades detection, and reason about how such behavior affects modern security testing and monitoring.

  • This is a technical, hands-on workshop focused on execution logic and control flow analysis.
  • No ransomware, destructive payloads, or live command-and-control infrastructure are involved.
  • All examples are self-contained and executed in isolated virtual environments.
  • The workshop emphasizes system-level behavior, API usage, and execution gating rather than payload development.
  • Attendees will need a laptop capable of running a preconfigured virtual machine (instructions provided in advance).
  • Content is derived from real-world offensive security research and experience analyzing advanced execution-evasion techniques.

Speakers

Kashif Amanat

Offensive Security Engineer
I’m a security practitioner with 9+ years of hands-on experience in offensive security and system-level security analysis. My work focuses on how systems behave in practice — from Windows internals and enterprise infrastructure to AI-driven systems and software-defined vehicl...
Tuesday April 21, 2026 09:00 - 11:30 CEST
Novotel - WR2 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

09:00 CEST

Mad data science for practical C2 detection
Are you tired of JupyterLab notebooks with single-threaded, unoptimized, PoC code that does not scale in real-world scenarios? Do you have a C2 beaconing problem on your network? Well, look no further! This workshop can fit so much data science for C2 detection! *slaps roof of a pile of code*

If you always wanted to know how tools like Flare or RITA work, how to do C2 detection with frequency analysis, or how to use probability theory to spot beaconing traffic, then this is the workshop for you!

We are going to be obsessing over the nitty-gritty details of spotting beaconing traffic using data science methods. However, this time, we will not use JupyterLab notebooks! We want to show you how to do these detections in real network environments, and at scale. We will use solutions that can ingest network data and then provide meaningful outputs in a reasonable amount of time. The main goal of this workshop is to give you the understanding you need to apply these techniques the next day at work.

You can just attend this workshop and get your hands dirty with bits and bytes, but if you want to have a better understanding of the underlying theories, concepts, and technical considerations, then you should also come to our talk! Yes, we are sort of cheating here, hoping that you will attend both! :P So, are you coming to the talk?


Requirements for the workshop:
  • A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system).
  • Application to run virtual images (type-2 hypervisor): VMware Workstation Pro (recommended), VMware Workstation Player, VMware Fusion, or VirtualBox.
  • Only 64-bit Intel-compatible (Intel or AMD) processors are supported.

WARNING: ARM-based devices (such as Apple Silicon, Qualcomm Snapdragon, and some Microsoft Surface laptops) cannot perform the necessary virtualization and therefore cannot be used for the workshop.


Speakers

Eva Szilagyi

Consultant, Alzette Information Security



David Szili

Principal consultant, Alzette Information Security
David Szili is a principal consultant at Alzette Information Security, an information security consulting company based in Europe. He has more than ten years of professional experience in various areas like penetration testing, red teaming, security monitoring, security architecture...
Tuesday April 21, 2026 09:00 - 12:00 CEST
Novotel - WR1 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

12:00 CEST

Lunch Break
Enjoy the Lunch Break as an opportunity to step out, recharge, and grab something good to eat at one of the many nearby restaurants and cafés. Please note that lunch is not provided by the conference, so we encourage you to explore the local options around the venue. You can find a curated list of recommended restaurants in your attendee booklet, making it easy to choose a spot that fits your taste and schedule. Use this time not only to refuel, but also to continue conversations with fellow attendees before the afternoon sessions begin.
Tuesday April 21, 2026 12:00 - 13:00 CEST
Novotel Praha Wenceslas Square Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

12:00 CEST

BloodHound Basics Workshop
BECOME A BLOODHOUND OPERATOR
You hear some of the Red teamers talk about Attack Paths, OpenGraph, and Cypher queries but you are not sure what it’s all about? No worries, we’ve got you covered. We’ll take you from new BloodHound user to power-level-over-9000-BloodHound-Ninja. During this workshop, we start from the basics and guide you from setup all the way to becoming a capable, hands-on BloodHound operator.

This workshop is aimed at new to intermediate BloodHound users. Besides a laptop and limited technical knowledge, there are no special requirements for joining. Join us and learn to understand Attack Paths like adversaries do.

Abstract
This one-day workshop introduces the core concepts and terminology associated with BloodHound, details the basics of BloodHound usage, and discusses possible BloodHound extensions. The workshop alternates lectures and hands-on lab exercises (~50/50). Trainees will learn how to install, configure, and operate BloodHound Community Edition. The goal is to get everyone familiar with all aspects of BloodHound, so that it will hold no secrets for them after this workshop.

Workshop outline
During the workshop, we will cover the following topics:
Module 1 - Concepts & Components
  • Thinking in Graphs
  • Graph Theory & Graph Terminology
  • BloodHound Evolution
  • BloodHound Data Model
  • BloodHound Application Components
  • BloodHound Code & Documentation
  • BloodHound Slack
Module 2 - Installation & Discovery
  • Installing BloodHound
  • Initial Login
  • UI Discovery
  • Basic Docker Commands
Module 3 - Data Collection & Ingestion
  • Downloading Collectors
  • SharpHound Data Collection
  • AzureHound Data Collection
  • Ingesting Data & Data Quality
  • Ingestion Under the Hood
  • Deleting Data
Module 4 - Data Exploration & Cypher Basics
  • Retrieving Nodes & Properties
  • Retrieving Edges & Paths
  • Built-In Queries
  • Intro to Cypher
  • Custom Queries
  • Cypher Tips & Tricks
Module 5 - BloodHound Administration
  • User Management
  • SSO Configuration
  • Config & Early Feature Access
Module 6 - BloodHound API & Automation
  • API Explorer
  • API Tokens
  • Request Signature
  • API Call
  • Running Cypher Queries
Module 7 - Advanced BloodHound Usage
  • Direct DB Access
  • Mutating Queries
  • OpenGraph
  • Integration Concepts
  • BloodHound Related Tooling
  • BHOperator Demo



Extra Info
This is not an Active Directory training, but we will talk about it a lot.
This is not an Offensive tradecraft course, but we will talk about it a lot.
And of course, we are happy to discuss any questions that come up during the workshop.



What to expect?
The workshop takes 4 to 6 hours in classes of up to 20 people. We aim for an open and intimate setting, where everyone is free to share and ask questions.
Basic Active Directory, Azure and InfoSec knowledge is required. Offensive security knowledge is not required.
Bring a laptop capable of running BloodHound Community Edition in Docker, as this is a hands-on workshop. Make sure Docker Desktop is installed before the workshop.

Speakers

Martin Sohn Christensen

SpecterOps
I am a Security Researcher at SpecterOps, specializing in Microsoft technologies with expertise in Active Directory, identity attack paths, and secure system configuration. I bring a well-rounded perspective on security risks and challenges stemming from a background in system administration...

Hugo van den Toorn

SpecterOps

Hugo is a former Chief Information Security Officer and has now transitioned back to help other organizations understand adversary tradecraft. With over twelve years of experience in the Information Security industry, he has a solid technical and executive background as hands-on security...
Tuesday April 21, 2026 12:00 - 18:00 CEST
Novotel - WR2 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

13:00 CEST

Payload Obfuscation for Red Teams
In this hands-on workshop you will learn how to obfuscate your payloads with a custom VM. This will help to evade signature detections and make reverse engineering more difficult. Participants will walk away with new tooling they can try out in the field right away!

In this workshop we will leverage the RISC-V architecture and the LLVM ecosystem to build a simple obfuscation pipeline. The VM interpreter code is small and once it is loaded, you do not need to allocate additional executable pages to execute arbitrary payloads.

Covered topics:
  • Introduction to VM-based obfuscation
  • Basics of the RISC-V architecture
  • Compiling payloads for the RISC-V architecture
  • Obfuscating the VM interpreter for evasion
  • VM hardening to complicate reversing the payloads
  • Building a basic C2 framework (as time allows)


The bulk of the work will be done in a GitHub Codespace (Linux), which makes it easy for participants to get started. However, the final payloads need to be executed in a Windows VM (which you have to prepare beforehand).


Note: You need basic C programming and Linux command line experience to follow along with the workshop. Reverse engineering experience is definitely a plus!


The start of the workshop is a hands-on version of a blog post I was the main author of: RISC-Y Business: Raging against the reduced machine, specifically tailored for red teamers. The second half will contain currently-unpublished research, discussing obfuscation and evasion techniques which should be interesting to conference participants.


Speakers

Duncan Ogilvie

Reverse Engineer
Reverse engineer, creator of x64dbg and other open source projects. Love binary analysis and Windows internals.
Tuesday April 21, 2026 13:00 - 17:00 CEST
Novotel - WR1 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia
 