presentation.json
{ "title": "Jakoby.exe: How I Break Systems (and Why Most Defenses Fail)", "author": "Jakoby", "event": "Zero Trust World 2026", "duration": 45, "slides": [ { "file": "slides/08-attendee-sync.html", "title": "Follow Along", "section": "Introduction", "duration": 1.5, "notes": "First thing out of your mouth: 'Pull out your phones.' Get them connected before anything else. Give 30 seconds. Once you see connections, move on." }, { "file": "slides/10-warmap.html", "title": "WarMap", "section": "Introduction", "duration": 3, "notes": "Now they're watching on their phones AND the screen. Let it run 20 seconds in silence. Swarm lights up. THEN: 'My name is Jakoby. That's what I do. Let me show you how.'" }, { "file": "slides/01-title.html", "title": "Title", "section": "Introduction", "duration": 1, "notes": "Title card lands right after the warmap. The audience is already hooked. Let it breathe." }, { "file": "slides/02-whoami.html", "title": "whoami", "section": "Introduction", "duration": 2, "notes": "Keep this tight. Don't read the cards — just hit the highlights. The audience is here for the breaking, not the bio. Mention ThreatLocker sponsorship. Tease powershellforhackers.com at the end." }, { "file": "slides/03-agenda.html", "title": "What's Coming", "section": "Introduction", "duration": 1.5, "notes": "Set expectations. This is a LIVE talk — everything runs for real. Tell them: 'If something breaks during this talk, that's not a bug. That's the demo working.'" }, { "file": "slides/04-live-code.html", "title": "Live Code Execution", "section": "PoshPresenter Demo", "duration": 2, "notes": "First wow moment — hit Run on whoami, output appears inline. Then: 'Let's try something spicy.' Run invoke-mimikatz — AV blocks it live, red error on screen. Pause. Then: 'Same function, different name.' Run invoke-notMimikatz — works clean. Let the room react. 'That's it. Renaming the function was enough. It matched the NAME, not the BEHAVIOR. \nKeep that in the back of your mind — it comes back later.'" }, { "file": "slides/06-app-integration.html", "title": "App Integration", "section": "PoshPresenter Demo", "duration": 2, "notes": "Click PoshConsole first — it's the most dramatic. A full terminal pops up. The point: the presentation isn't a sandbox. It's connected to the entire PoshDE desktop." }, { "file": "slides/05-animation.html", "title": "Pixel Encoding", "section": "PoshPresenter Demo", "duration": 3, "notes": "Click through each step. Let each stage breathe. Don't explain every detail — let the visual sell itself. The punchline: 'Every pixel's least significant bits carry your script. The image looks identical. The decoder reads them back and executes.'" }, { "file": "slides/07-presenter-mode.html", "title": "Why PowerShell?", "section": "PoshPresenter Demo", "duration": 2, "notes": "This bridges the tool demo into the security content. Walk the stats quickly — every Windows box has it, full .NET, signed by Microsoft, LOLBin. Hit the four reasons. The punchline ties it back: 'You just watched this presentation execute PowerShell live. Everything from here uses the same access.'" }, { "file": "slides/09-dashboard.html", "title": "Live Dashboard", "section": "PoshPresenter Demo", "duration": 2, "notes": "Don't explain it. Just let them see it. Live data from your machine — CPU, memory, processes, network connections — all real, all updating. 'This isn't a screenshot. This IS the monitoring tool.'" }, { "file": "slides/11-recon-break.html", "title": "The Recon", "section": "Recon", "duration": 0.5, "notes": "Quick section break. Let it land. 'Now that you've seen what my tools can do — let me show you what I actually do with them. Starting with something your browser is doing right now that you don't know about.'" }, { "file": "slides/12-image-timing.html", "title": "Image Timing Side-Channel", "section": "Recon", "duration": 3, "notes": "Walk through the code on the left — it's dead simple. \nPoint an img tag at a service, measure onerror timing. Three distinct signatures. Hit the Simulate Probe button — let them watch the bars fill at different rates. That difference IS the side-channel." }, { "file": "slides/13-localrecon-demo.html", "title": "LocalRecon Live", "section": "Recon", "duration": 4, "notes": "Walk through the four capabilities. Then the attack chain: visit a webpage → JS calibrates → network mapped → services exploited. Hit Launch LocalRecon and do a live scan. Let the room watch your actual network get mapped in real time." }, { "file": "slides/14-attack-break.html", "title": "Breaking Patterns", "section": "Attack", "duration": 0.5, "notes": "Quick section break. 'We found the targets. Now let's talk about getting past the things designed to stop us. Three techniques — each one breaks a different assumption your security tools rely on.'" }, { "file": "slides/15-obfuscation.html", "title": "Obfuscation Engine", "section": "Attack", "duration": 3, "notes": "Step through each layer. Watch the detection meter drop. Point out: every transformation is trivial. Backticks, variable renames, string splits. Nothing clever. But the AV detection falls from 95% to 3%. That's the fickleness." }, { "file": "slides/16-emoji-encoding.html", "title": "Emoji Steganography", "section": "Attack", "duration": 2.5, "notes": "Step through the encoding. The punchline: a smiley face in a Teams message carries your entire payload. Copy-paste transfers the data. Logs show an emoji. Security tools see text. 'Your DLP policy just let a reverse shell through because it looked like a smiley face.'" }, { "file": "slides/17-payload-pipeline.html", "title": "The Payload Pipeline", "section": "Attack", "duration": 2, "notes": "Tie all three together. Obfuscate → Encode → Smuggle. Walk through the defender comparison at the bottom. Left: zero threats, all clear. Right: the reality. 'Same attack. One side sees nothing. \nThe other side owns you.'" }, { "file": "slides/18-analyze-break.html", "title": "Why Defenses Fail", "section": "Analyze", "duration": 0.5, "notes": "Let the subtitle land: 'It's not that they're weak. They're fickle.' This is the intellectual core of the talk." }, { "file": "slides/19-fickleness-thesis.html", "title": "The Fickleness Problem", "section": "Analyze", "duration": 3, "notes": "This is the most important slide. Each card maps a demo to a type of fragility: signature fragility, trust assumption fragility, infrastructure assumption fragility. Read the bottom restatement — it's the thesis of the entire talk." }, { "file": "slides/20-detection-gap.html", "title": "The Detection Gap", "section": "Analyze", "duration": 2, "notes": "Let them read both columns. Same timestamps, same attack. The defender sees all green. The attacker sees total compromise. The visibility bar at the bottom: ~20% seen, ~80% missed. 'The defender's tools reported zero anomalies. The attack was already complete.'" }, { "file": "slides/21-detection-principles.html", "title": "What Actually Works", "section": "Build", "duration": 2.5, "notes": "Four principles — behavior over signatures, assume breach, log the right things, control the runtime. Emphasize the bottom callout: every demo had a detection point. The obfuscated shell still calls TCPClient at runtime. You just have to watch the right layer." }, { "file": "slides/22-resources.html", "title": "Take It Home", "section": "Share", "duration": 1.5, "notes": "Quick hits on each resource. Everything's open source. Point them to powershellforhackers.com and GitHub. 'If you want to learn this — or teach your team to defend against it — everything's there.'" }, { "file": "slides/23-close.html", "title": "Questions", "section": "Share", "duration": 1, "notes": "Let it breathe. 'Thanks for watching. Now go break something.' Open for Q&A." } ] }