Fabian Mosch, Head of Offensive Services @r-tec IT Security, @ShitSecure

Alessandro Magnosi, SpecterOps - Senior Security Consultant - Adversary Simulation, @klezVirus


Fabian Mosch is team leader of the Pentesting/Red Team at r-tec IT Security GmbH. At work he likes to break into company networks and escalate privileges to make those environments a safer place afterwards. Evading AV/EDR systems has always been of special interest to him. In recent years, in his spare time, he has created and shared tools, techniques and knowledge with the community under the handle S3cur3Th1sSh1t.


He is the founder of MSec Operations UG, a company that sells offensive security tools to pentesters and red teams.


Alessandro Magnosi is a Senior Cyber Security Consultant and Researcher, currently working on the Adversary Simulation Team at SpecterOps. His focus is on red teaming, detection bypass, and low-level Windows internals. He's shared his research at conferences like DEF CON and TROOPERS, and enjoys contributing to open-source tools and learning from the community.

Talks & Q&A

All Aboard the USB Bus: When Plug-and-Play Turns Into Privilege Escalation


Description

This talk explores a surprisingly under-examined Windows attack surface: privilege escalation through USB device installation paths. We begin by examining the attack surface exposed when new USB hardware is attached, showing how large numbers of devices can be enumerated and how vendor-provided co-installer components can be automatically identified and analyzed.


We then move deeper into the driver layer, demonstrating practical methods for discovering vulnerabilities in drivers that are silently introduced during the device installation process. Our research uncovered multiple previously unknown vulnerabilities across both co-installer software and device drivers.


Finally, we present a workflow for confirming and exploiting these vulnerabilities at scale using modular analysis and exploitation frameworks. We also show how large language models can assist in accelerating parts of the research pipeline, including driver triage, vulnerability pattern identification, and rapid prototyping during analysis.