First Talks of TROOPERS19 Accepted!

TROOPERS18 was the best year ever (did you check our archives?) and it will be challenging to do better… However, we accept the challenge!

The trainings and talks were from high quality and choices were difficult to make… We hope you will enjoy reading these little teasers!

Follow us on Twitter (@WEareTROOPERS) for more information and do not hesitate to use our hashtag #TR19 when you have questions or remarks about TROOPERS19!

With that being said, we are excited to introduce the first official five talks of TROOPERS19!




Old New Things: An examination of the Philips TriMedia architecture by Nahuel Cayetano Riva

Presenting at Next Generation Internet


In today’s Intel/AMD and ARM controlled world, it’s always interesting, for a reverse engineer, to find new or uncommon CPU architectures to learn and play with. It’s always a challenge to deal with uncommon/unknown firmware files and weird file formats and try to unravel what’s behind. This allows us to continuously improve and expand our knowledge. If you are willing to learn new stuff, this talk is for you.

In this presentation, by inspecting an IoT device, you will see an examination of the architectural and functional aspects of the Philips TriMedia architecture, an ‘obscure’ CPU that makes you think you are in the darkest corner of the reverse engineering (RE) world. You’ll see some characteristics of the architecture itself and the inner workings of the CPU, its assembly language (instruction set, encoding and decoding), and the toolset available at the moment to work with this architecture.

Also, you’ll learn some general aspects related to the RE methods used to deal with an unknown/uncommon architecture like Philips TriMedia.


I’m very passionate about everything that has to do with the information security world. I love reverse engineering and subjects as exploiting, malware, kernel, programming, electronics, embedded devices, hardware, etc. When I was young, I loved to write tutorials about copy protections mechanisms for the CracksLatinoS community. Now, I’m bold, fat, have two kids (and one more coming), got married, got a job and I don’t have too much time to do it. Anyway, I spent 10 years developing exploits at Core Security and now I’m in the embedded team at Quarkslab.

When I’m not working, I spent time with my family, play football once a week with some friends and do some weight lifting (although my wife tells me I need to stop drinking beer because the only muscle that has grown me is the belly). I also spent time with my dogs: Rambo, Rocky and Raul (I have a toy poodle, but it doesn’t count). Oh, by the way, I’m from General Pico, the ex-capital city of Asado.

Dark Clouds ahead: Attacking a Cloud Foundry Implementation by Nahuel D. Sánchez, Pablo Artuso

Presenting at Defense & Management


During the last years, companies decided to opt for cloud technologies and their advantages. This presentation will analyze a proprietary implementation based on Cloud Foundry, developed by SAP. It will not only describe the vulnerabilities found, but also the techniques and tools that led us find them. Live demos of simple information disclosures up to blind sql injections exploits will be shown.


Nahuel D. Sanchez is as a security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporter of vulnerabilities in SAP products and is a frequent author of the publication “SAP Security In-Depth”. He previously worked as a security consultant, evaluating the security of Web applications and participating of Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.

Pablo Artuso is a security researcher at the Onapsis Research Labs. He is most of the time involved in projects of vulnerability research and penetration testing of SAP products. In his spare time, he enjoys playing CTF’s which include web exploitation, reverse engineering and crypto challenges.

Microsoft IT (secure) journey to IPv6-only by Veronika McKillop

Presenting at Next Generation Internet IPv6 track


Microsoft IT Network team is going IPv6-only, it has to happen quickly and securely. Foreseeable private IPv4 runout, addressing conflicts during M&A and the ultimate goal of running a simpler network is what drives these efforts.


Veronika McKillop works as a Network Architect in Microsoft IT. She leads the Enterprise IPv6 efforts with the long-term goal of moving all corporate network services to IPv6-only. Prior to joining Microsoft, Veronika worked in Cisco as a Consulting Systems Engineer in the Global Service Provider team. Veronika chairs the UK IPv6 Council which she founded in order to bring the technical, business and government community together and to progress the IPv6 deployments in the UK.

VXLAN Security or Injection, and protection by Henrik Lund Kramshøj

Presenting at Attack & Research track


This talk is about VXLAN encapsulation protocol and problems if not protected. The talk will use scapy examples as well as modifications to existing tools to allow and present attack scenarios – spoofed Layer 3 IP packets being decapsulated into Layer 2 switched VLAN packets and resulting problems.


Computer science master from 47 years old, white hat, lives in CPH. Experienced security consultant specialized in network security and IPv6. Has done trainings since 2003. Also see LinkedIn 😀

From Workstation to Domain Admin: Why Secure Administration Isn’t Secure and How to Fix It by Sean Metcalf

Presenting at Active Directory Security


Organizations have been forced to adapt to the new reality: Anyone can be targeted, and many can be compromised. This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?

The overwhelming answer is: No. The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMWare or Microsoft Hyper-V), and increasingly, the cloud platform.

Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again, the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out.


Sean Metcalf is founder and principal consultant at Trimarc ( a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Microsoft BlueHat, Shakacon and Walmart Sp4rkCon security conferences. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog,