SHELLSHOCK @ SINCON 2025

Last Thursday, counterShell conducted a SHELLSHOCK workshop at SINCON 2025, intended to cover some simple aspects of adversary simulation. As mentioned in the workshop, the name "SHELLSHOCK" does not refer to the actual Shellshock vulnerability, but to the shock you get when you realise these simple tricks can get you a shell. The tricks covered in the workshop are not rocket science, nor are they the product of any deep research: we believe that they can be applied by entry-level cybersecurity practitioners.

What are the takeaways from this session? At counterShell, we believe that the key ingredient is some level of creativity and the willingness to put in some engineering effort to test and validate what potential threat actors may employ. 

From a red team perspective, we hope that the workshop provided some ideas and additional tricks to a red teamer's toolkit.


And from a blue team perspective, we hope to have demonstrated that tools and security solutions are somewhat easily evaded by applying some simple tricks.


It is up to the practitioner to further develop and build upon these tricks to become more sophisticated and aware of the actual cyber threats out there.

Speaking of building on the workshop material, counterShell will be including this material in the Adversary Simulation, Detection and Counteraction (ASDC) course, and adding other aspects of the "adversary simulation" portion. For example, we didn't cover things like persistence in the workshop, nor did we cover some of the "detection" aspects. Stay tuned for updates, as we work on these aspects of our upcoming course :)
