44CON2022 has ended
*Track 1*
Thursday, September 15

9:50am BST

44CON 2022 Opening

Thursday September 15, 2022 9:50am - 10:00am BST
*Track 1*

10:00am BST

James Forshaw - Tooling up for Kerberos
Kerberos is the primary network authentication protocol for on-premise Windows enterprise networks. As it’s so crucial for enterprise security a lot of research has focused on exploiting it for remote access and lateral movement such as the well known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine especially for privilege escalation.

One of the difficulties of dealing with Kerberos to find interesting vulnerabilities is its complex nature. There are existing tools such as Kekeo and Rubeus, but they don’t lend themselves well to playing around with Kerberos artifacts. Therefore I have my own tool set as part of the NtObjectManager PowerShell module which exposes the majority of Kerberos to scripts.

This presentation is an overview of the tooling that I’ve written to play with Kerberos and a deep dive into some bugs that I’ve discovered using them.

James Forshaw

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1...

Thursday September 15, 2022 10:00am - 11:00am BST
*Track 1*

11:00am BST

Kev Sheldrake - What is eBPF and why should you care?
eBPF is relatively new and “a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.” You can achieve similar results to writing a kernel module, but in a (supposedly – we’ll come to that) safe manner. eBPF code runs in a virtual machine and, depending on the program type, can access all sorts of kernel internals, with programs being launched when specified code points get hit.

I will talk about the basics and how to get up and running, the challenges and pitfalls to overcome, a library I wrote when working at Sysinternals to take away some of the pain, the Sysmon For Linux tool I wrote for Sysinternals that logs events to Syslog, and Cilium/Tetragon (and Cilium/ebpf library) that makes accessing eBPF for system observability easier. I will discuss technical details and explain the different use cases that might benefit you, from blue team using Sysmon and Cilium/Tetragon to achieve super powerful abilities, to researchers building custom program tracers, to red team exploiting kernel vulns, to sysadmins seeking performance issues.

It is a truly exciting thing that everyone is talking about.

Kev Sheldrake

Kev Sheldrake is a security software engineer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer...

Thursday September 15, 2022 11:00am - 12:00pm BST
*Track 1*

12:00pm BST

Jake Roberts - The Tale Of Phineas Fisher
What do two titans of the surveillance industry, a bitcoin broker, a Spanish police union, a national bank and a leading political party all have in common?

This talk takes you through the Tale Of Phineas Fisher from Phineas’ own words from their manifestos and e-zines.

Jake Roberts

Member of the ORG (@OpenRightsGroup) supporter Council. Co-Founder of @DC44121. Organiser for ORG Birmingham (@OpenRightsBrum). Club 2077. Twitter: @CyberPunkJake

Thursday September 15, 2022 12:00pm - 1:00pm BST
*Track 1*

2:00pm BST

Peter Allwright - Lord of War - Investigating the theft of a gambling platform and outsmarting the thieves
The presentation focuses on a forensic investigation into the theft of a gaming platform in the Ukraine during February 2020. The talk is a real-life forensic investigation and uses original audio and video evidence gathered during the investigation.

The talk is a fascinating insight into our work and the criminal underworld.

Peter Allwright

Peter is Head of Suntera Forensics and leads the forensic practice of Suntera Global and Amber Gaming. He is a Certified Cryptocurrency Investigator, a Certified Blockchain Expert, a Certified Open-Source Intelligence Analyst, a Certified Social Engineering Expert and a Lean Six Sigma...

Thursday September 15, 2022 2:00pm - 3:00pm BST
*Track 1*

3:00pm BST

Erlend Andreas Gjære - The Need For a Human Touch In Cyber Security

In a technical world of cyber, crypto and cloud, it is easy to forget that in the end, we are all humans. While social engineering has always been a craft of its own on the attacker side, our efforts as human defenders are scattered between various technical measures and not always very effective awareness training - sometimes even counterproductive ones.

Regardless of cyber specialization, however, some people skills are needed to maximize impact. This goes all the way from building alliances, communication and "selling" your ideas, to building more resilient processes, organizations and software through empathy for both our technical and non-technical colleagues. Heck, we can even apply certain people skills to understand our adversaries better, profile their motivations and predict their next actions. 

Therefore, this talk will explore a variety of techniques freely available to anyone looking to boost their output from efforts to stop cybercriminals.

Thursday September 15, 2022 3:00pm - 4:00pm BST
*Track 1*

4:00pm BST

Klaus Schmeh - Ciphers and Crime
This talk is about encrypted messages related to crimes.

Klaus Schmeh

Klaus Schmeh has published 19 books, 300 articles, 1,500 blog posts, and 30 research papers about encryption technology, which makes him the most-published cryptology author in the world. While most of his publications are in German, his 2020 book “Codebreaking: A Practical Guide...

Thursday September 15, 2022 4:00pm - 5:00pm BST
*Track 1*

5:00pm BST

Cybergibbons - I'm the Captain Now!
When I first watched Hackers in 1998, the idea of being able to remotely control ships seemed rather fanciful. After working on container ships as an engineer in the mid-2000s, it seemed even more unlikely. We didn’t have a full-time Internet connection and all the vital systems were truly air-gapped. But things have changed – ships are becoming more and more connected and complex.

As a result, 15 years later, I found myself sat in my pants on the sofa with the ability to control the steering on one of the world’s largest cruise ships. We’ve been able to brick every PLC across tens of oil rigs, pay for food as the captain, and write rude words on the side of the ship.

To get to this point, we had to go on a learning voyage across tens of different vessels, including offshore support tugs, super yachts, oil rigs and container ships. Join me on a whistle stop tour of what’s on a ship, how it’s all connected together, what threats there are and how we find the vulnerabilities. Lots of little tips and tricks that can help anyone examine industrial control systems, understand how they work, and then have a lot of fun with them!


Thursday September 15, 2022 5:00pm - 6:00pm BST
*Track 1*

7:00pm BST

Threat Condition - the security communications wargame
THREAT CONDITION is a cyber security wargame that highlights the internal and external communication aspects of a reputationally damaging cyber attack. This interactive environment simulates the problems and issues of cyber security and the consequent organisational and communication challenges.
The wargame is played by teams of players interacting dynamically as they collectively consider what to do about an emerging crisis based on an amalgam of real-world case studies.

Stone Paper Scissors designed the game for us. They are a manual games design company that develops and facilitates bespoke games for government, corporate, organisational and recreational audiences in order to generate insights, educate and entertain.
Over the last ten years they have delivered a wide range of serious games, such as in support of academic research on social issues, geopolitical games for the UK government, and wargames for the UK Defence community.

Thursday September 15, 2022 7:00pm - 10:00pm BST
*Track 1*

10:15pm BST

YTCracker is a rapper, former cracker, and Internet entrepreneur. YTCracker began producing rap music in 1998 in the genre that has since become known as nerdcore hip hop. YTCracker is a self-proclaimed "jack of all trades", also making a name for himself as a professional disc jockey, computer programmer, graphics designer and webmaster.

The AV has been uprated for this show - particularly because the lyrics are the key thing.

Thursday September 15, 2022 10:15pm - 11:59pm BST
*Track 1*
Friday, September 16

9:30am BST

Guy Barnhart-Magen - The Log4J Rollercoaster - from an incident response perspective
Log4J was a merry Christmas call for many teams around the world. This talk will share our story of how we were among the first to respond to in-the-wild attacks, helping the community manage and understand how to prepare for such an incident.

Log4J did not catch us unaware, but we did not connect the dots at first. Who would have guessed that chatter of a new vulnerability in Minecraft is related to a wave of coinminer incidents we responded to?

This talk will cover the line between threat intelligence, responding to cyber incidents, releasing open-source tools, and helping our customers and the community!

We will not focus on the technical analysis of the vulnerability (there are plenty of talks like that already). Instead, our focus is on how an organization prepares for such incidents ahead of time. For example, laying the pieces in place to be ready for the unknown (e.g., being aware of vulnerabilities in vendor appliances before they are!)

Guy Barnhart-Magen

With nearly 25 years of experience in the cyber-security industry, Guy held various positions in both corporates and startups. As the CTO for the Cyber crisis management firm Profero, he focuses on making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach. He recently led Intel’s Predictive Threat Analysis group, which focused on the security of machine learning systems and trusted execution environments. At Intel...

Friday September 16, 2022 9:30am - 10:30am BST
*Track 1*

10:30am BST

Melissa Goldsmith - Threat Hunting: From Bodging to Efficiency in 7 Steps
Many people feel that threat hunting is a special skill reserved for only the select few that get through the Battle Royale of Incident Response and/or Red Teaming. While admittedly experience helps, really all that’s needed is a good dose of curiosity and understanding of some basic concepts to get started. This talk is for aspiring threat hunters or anyone who got told by their manager “Hey– I heard about threat hunting; can you do some of that in your spare time?”

Melissa Goldsmith

Melissa has been working in the cybersecurity realm for so long, she remembers when memory forensics was running strings against it. She got her feet wet working for the Department of Defense back in the United States — focusing initially on Forensics and Incident Response. She...

Friday September 16, 2022 10:30am - 11:30am BST
*Track 1*

11:30am BST

Pavel Tsakalidis - Codecepticon - Building an obfuscator to bypass Modern EDR and AV
During Purple and sometimes even Red Team engagements, in order to provide more value for your client it is critical to execute as many techniques as possible without relying solely on a SOCKS proxy. This also allows you to evaluate the EDR and AV technologies the client relies on while also making the point that detection is more important than prevention. With all the open sourced offensive security tooling being fingerprinted to infinity and beyond, how can we achieve our goal without rewriting all of them from scratch?

This is how Codecepticon was born, an offensive security obfuscator that works with C#, PowerShell, and VBA (macros) – and no, this one isn’t a python script that runs “replace” a bunch of times.

This presentation will introduce you to the process and technologies used to develop Codecepticon, and how effective it is against modern EDR and AV technologies while being battle-tested for the last 1.5 years. And the cherry on top, it’s open sourced!

Pavel Tsakalidis

Pavel is a Security Delivery Manager for Accenture Security based in London, UK. He has more than 16 years of experience in the industry, 10 in software/web development and the last 6 in cyber security. He has developed and open sourced tools such as CrackerJack – a Hashcat Web...

Friday September 16, 2022 11:30am - 12:30pm BST
*Track 1*

1:30pm BST

Andrew Ruddick - Exploring a New Class of Kernel Exploit Primitive
Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible) but could such a limited primitive actually be exploited for code execution / privilege escalation?

In this talk we will discuss how new exploitation primitives may be possible by targeting Memory Mapped I/O (MMIO) ranges of peripheral device drivers with an arbitrary read primitive. We’ll give examples of such primitives submitted to MSRC and then discuss a new avenue of attack against both the kernel and the hypervisor. We’ll discuss how to identify drivers of interest for further vulnerability research, including using WinDbg to instrument allocators. We’ll discuss some patterns we consider dangerous and the internals of some reliant devices that could be targeted with these observations.

Andrew Ruddick

Andrew is a Security Researcher on the Vulnerabilities & Mitigations team at the Microsoft Security Response Centre (MSRC). He has worked in computer software and hardware security for 8 years, with prior experience in software development. Andrew has particular expertise in low-level...

Friday September 16, 2022 1:30pm - 2:30pm BST
*Track 1*

2:30pm BST

Phil Eveleigh - The Office of Danger: a choose your own adventure story!
This session will put the audience in the driving seat of a real-life social engineering engagement against a high security office building in central London.
Each slide will present the audience with a choice that must be made quickly to avoid detection and reach their target. The choices the audience make lead the story in various directions, unlocking new areas of the office and achieving different objectives.
So, what will you do?
  • Head for the stairs or the elevator?
  • Sweet talk the receptionist, or try and blend in with the crowd?
  • Run as quickly as you can from Security, or hide in the toilet?
Each slide presents the audience with 2 options to take each adventure in a unique direction, with over 30 different choices to be made over a 2-day engagement, resulting in a different and unique presentation each time! 
This is the first of its kind talk, which puts you in the driving seat and shows the level of quick thinking that is needed to avoid detection and reach your targets!


Friday September 16, 2022 2:30pm - 3:00pm BST
*Track 1*

3:00pm BST

Closing Keynote by Haroon Meer
Haroon opened the first 44CON in 2011; he will close the 10th physical event in 2022.


Friday September 16, 2022 3:00pm - 4:00pm BST
*Track 1*

4:00pm BST

44CON 2022 Closing

Friday September 16, 2022 4:00pm - 4:30pm BST
*Track 1*