44CON 2022 Talks and Workshops

The full list of talks is below, including speaker bios.

44CON Talks

44CON Workshops

Opening Keynote

We were due to open 44CON 2022 with a keynote by a senior speaker from the NCSC but they have had to cancel.


Return to top

Tooling up for Kerberos

Kerberos is the primary network authentication protocol for on-premise Windows enterprise networks. As it’s so crucial for enterprise security a lot of research has focused on exploiting it for remote access and lateral movement such as the well known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine especially for privilege escalation.

One of the difficulties of dealing with Kerberos to find interesting vulnerabilities is its complex nature. There’s existing tools such as Kekeo and Rubeus but they don’t lend themselves well to playing around with Kerberos artifacts. Therefore I have my own tool set as part of the NtObjectManager PowerShell module which exposes the majority of Kerberos to scripts.

This presentation is an overview of the tooling that I’ve written to play with Kerberos and a deep dive into some bugs that I’ve discovered using them.

James Forshaw

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols” available from NoStarch Press.

Twitter: @tiraniddo

Return to top

What is eBPF and why should you care?

eBPF is relatively new and “a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.” You can achieve similar results to writing a kernel module, but in a (supposedly – we’ll come to that) safe manner. eBPF code runs in a virtual machine and, depending on the program type, can access all sorts of kernel internals, with programs being launched when specified code points get hit.

I will talk about the basics and how to get up and running, the challenges and pitfalls to overcome, a library I wrote when working at Sysinternals to take away some of the pain, the Sysmon For Linux tool I wrote for Sysinternals that logs events to Syslog, and Cilium/Tetragon (and Cilium/ebpf library) that makes accessing eBPF for system observability easier. I will discuss technical details and explain the different use cases that might benefit you, from blue team using Sysmon and Cilium/Tetragon to achieve super powerful abilities, to researchers building custom program tracers, to red team exploiting kernel vulns, to sysadmins seeking performance issues.

It is a truly exciting thing that everyone is talking about.

Kev SheldrakeKev Sheldrake

Kev Sheldrake is a security software engineer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. He currently works at Isovalent on the open source and enterprise versions of the system observability tool Tetragon, and in the past he specialised in IoT, crypto, and tool development for a number of years.

Twitter: @kevsecurity

Return to top

Exploring a New Class of Kernel Exploit Primitive

Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible) but could such a limited primitive actually be exploited for code execution / privilege escalation?

In this talk we will discuss how new exploitation primitives may be possible by targeting Memory Mapped I/O (MMIO) ranges of peripheral device drivers with an arbitrary read primitive. We’ll give examples of such primitives submitted to MSRC and then discuss a new avenue of attack against both the kernel and the hypervisor. We’ll discuss how to identify drivers of interest for further vulnerability research, including using WinDbg to instrument allocators. We’ll discuss some patterns we consider dangerous and the internals of some reliant devices that could be targeted with these observations.

Andrew RuddickAndrew Ruddick

Andrew is a Security Researcher on the Vulnerabilities & Mitigations team at the Microsoft Security Response Centre (MSRC). He has worked in computer software and hardware security for 8 years, with prior experience in software development. Andrew has particular expertise in low-level Windows OS internals, kernel development, vulnerability research, exploit development and mitigation techniques. He has previously presented at the USENIX Workshop on Offensive Technologies (WOOT) on the optimization of cryptographic primitives for hardware-accelerated password cracking.

Twitter: @arudd1ck

Return to top

I’m the Captain Now!

When I first watched Hackers in 1998, the idea of being able to remotely control ships seemed rather fanciful. After working on container ships as an engineer in the mid-2000s, it seemed every more unlikely. We didn’t have a full-time Internet connection and all the vital systems were truly air-gapped. But things have changed – ships are becoming more and more connected and complex.

As a result, 15 years later, I found myself sat in my pants on the sofa with the ability to control the steering on one of the world’s largest cruise ships. We’ve been able to brick every PLC across tens of oil rigs, pay for food as the captain, and write rude words on the side of the ship.

To get to this point, we had to go on a learning voyage across tens of different vessels, including offshore support tugs, super yachts, oil rigs and container ships. Join me on a whistle stop tour of what’s on a ship, how it’s all connected together, what threats there are and how we find the vulnerabilities. Lots of little tips and tricks that can help anyone examine industrial control systems, understand how they work, and then have a lot of fun with them!

Andrew TierneyCybergibbons

Head of hardware team at Pen Test Partners – tester of all things that that are not normal computers – IoT, industrial control, medical, cars, planes and, of course, ships!

Twitter: @cybergibbons


Return to top

Codecepticon – Building an obfuscator to bypass Modern EDR and AV

During Purple and sometimes even Red Team engagements, in order to provide more value for your client it is critical to execute as many techniques as possible without relying solely on a SOCKS proxy. This also allows to evaluate the EDR and AV technologies the client relies on while also making the point that detection is more important than prevention. With all the open sourced offensive security tooling being fingerprinted to infinity and beyond, how can we achieve our goal without rewriting all of them from scratch?

This is how Codecepticon was born, an offensive security obfuscator that works with C#, PowerShell, and VBA (macros) – and no, this one isn’t a python script that runs “replace” a bunch of times.

This presentation will introduce you to the process and technologies used to develop Codecepticon, and how effective it is against modern EDR and AV technologies while being battle-tested for the last 1.5 year. And the cherry on top, it’s open sourced!

Pavel TsakalidisPavel Tsakalidis

Pavel is a Security Delivery Manager for Accenture Security based in London, UK. He has more than 16 years of experience in the industry, 10 in software/web development and the last 6 in cyber security. He has developed and open sourced tools such as CrackerJack – a Hashcat Web UI and SnitchDNS, a database driven DNS server developed with offensive security in mind. He specialises in Red and Purple Teaming, while implementing solutions and automating challenging processes. Because it’s always fun spending 2 days trying to automate something that takes 2 hours to do by hand.

Twitter: @sadreck

Return to top

Lord of War – Investigating the theft of a gambling platform and outsmarting the thieves

The presentation focuses on a forensic investigation into the theft of a gaming platform in the Ukraine during February 2020. The talk is a real-life forensic investigation and uses original audio and video evidence gathered during the investigation.

The talk is a fascinating insight into our work and the criminal underworld.

Peter AllwrightPeter Allwright

Peter is Head of Suntera Forensics and leads the forensic practice of Suntera Global and Amber Gaming.

He is a Certified Cryptocurrency Investigator, a Certified Blockchain Expert, a Certified Open-Source Intelligence Analyst, a Certified Social Engineering Expert and a Lean Six Sigma Green Belt.

He specialises in investigating high-value customer data breaches and hunting down hackers in hostile jurisdictions to retain the stolen data. He works closely with local and international law enforcement agencies to detain hackers and to support their successful extradition and prosecution.

He has successfully led local and international search and seizure operations of private residences, business premises and internet service providers, in order to retain stolen data and secure evidence that hackers leave behind. He often has to deal with the complexities of foreign jurisdictions and the impact of data protection legislation.

He has wide experience of dealing with crisis management situations and together with specialised professionals takes care of coordinating the key aspects of resolving the crisis and protecting the client’s position at all times.

Peter has investigated hacking of data centres, data breaches, advanced persistent threats, domain name hijacking, man-in-the-middle attacks, phishing and spear phishing attacks, counterfeit trademarks, copyright violations, prohibited/illegal content, identity theft, malvertising, ransomware, cyberstalking, cyberbullying, online scams, fraudulent invoices/change of bank account scams, sextortion, defamatory blogs, hacking and reprogramming of master slave devices, and software piracy.

He uses conventional and unconventional techniques to investigate cybercrime. His conventional methods include a proprietary threat intelligence and investigation platform together with custom-built threat hunting workstations and advanced forensic tools to access information that is out of the public domain. His unconventional methods include system thinking tools that analyse the situation to reveal unknown or hidden associations.

Twitter: @pallwright

Return to top

Threat Hunting: From Bodging to Efficiency in 7 Steps

Many people feel that threat hunting is a special skill reserved for only the select few that get through the Battle Royale of Incident Response and/or Red Teaming. While admittedly experience helps, really all that’s needed is a good dose of curiosity and understanding of some basic concepts to get started. This talk is for aspiring threat hunters or anyone who got told by their manager “Hey– I heard about threat hunting; can you do some of that in your spare time?”

Melissa Goldsmith

Melissa has been working in the cybersecurity realm for so long, she remembers when memory forensics was running strings against it. She got her feet wet working for the Department of Defense back in the United States — focusing initially on Forensics and Incident Response. She then moved to consulting, as part of a fly-away team for McAfee/Foundstone in the EMEA region. Eventually, while working at a large financial institution in London, she made the quasi jump to hunting and then moved to full time at her current role at NBCUniversal.

Twitter: @sk3tchymoos3

Return to top

The Tale Of Phineas Fisher

What do two titans of the surveillance industry, a bitcoin broker, A Spanish police union, a national bank and a leading political party all have in common?

This talk takes you through the Tale Of Phineas Fisher from Phineas’ own words from their manifestos and e-zines.

CyberPunkJakeJake Roberts

✨Member of the ORG (@OpenRightsGroup) supporter Council.
✨Co-Founder of @DC44121.
✨Organiser for ORG Birmingham (@OpenRightsBrum).
✨Club 2077.

Twitter: @CyberPunkJake

Return to top

The Log4J Rollercoaster – from an incident response perspective

Log4J was a merry Christmas call for many teams around the world. This talk will share our story of how we were among the first to respond to in-the-wild attacks, helping the community manage and understand how to prepare for such an incident.

Log4J did not catch us unaware, but we did not connect the dots at first. Who would have guessed that chatter of a new vulnerability in Minecraft is related to a wave of coinminer incidents we responded to?

This talk will cover the line between threat intelligence, responding to cyber incidents, releasing open-source tools, and helping our customers and the community!

We will not focus on the technical analysis of the vulnerability (there are plenty of talks like that already). Instead, our focus is on how an organization prepares for such incidents ahead of time. For example, laying the pieces in place to be ready for the unknown (e.g., being aware of vulnerabilities in vendor appliances before they are!)

Guy Barnhart-MagenGuy Barnhart-Magen

With nearly 25 years of experience in the cyber-security industry, Guy held various positions in both corporates and startups.

As the CTO for the Cyber crisis management firm Profero, he focuses on making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.

He recently led Intel’s Predictive Threat Analysis group, which focused on the security of machine learning systems and trusted execution environments. At Intel, he defined the global AI security strategy and roadmap. He spoke at dozens of events on the research he and the group have done on Security for AI systems and published several whitepapers on the subject.

Guy is the BSidesTLV chairman and CTF lead, a Public speaker in well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cybersecurity advocate rank.

He started as a software developer for several security startups and spent eight years in the IDF. After completing his Electrical Engineering and Applied Mathematics degrees, he focused on security research in real-world applications.

He joined NDS (later acquired by Cisco). He led the *Anti-Hacking, Cryptography, and Supply Chain Security* Groups (~25 people in USA and Israel).

Twitter: @barnhartguy

Return to top

Hey, I’m throwing the party: Hacking Electronic Tickets

When it comes to security, e-ticketing platforms in the entertainment industry are not a notable victim. E-ticketing online portals store a large amount of personal information about users, making them a possible target for malicious actors. Companies also hack their rival firm’s systems to choke off their business and increase their revenue like we have seen in the case of Ticketmaster, as they had hacked their rival business. In this presentation, we will demonstrate how we were able to compromise a popular e-ticketing platform using different techniques, which could have allowed malicious actors to access a large amount of personal data, steal money and generate and print tickets through kiosk systems installed in movie theatres and event venues. Finally, we’ll see how a cyber-attack on such a ticketing system could have resulted in a war between two countries.

Etizaz MohsinEtizaz Mohsin

Etizaz Mohsin, a Pakistani cyber security researcher who is the first to demonstrate the remote compromise of luxury hotels around the world putting millions of guests at risk demystifying the DarkHotel APT. His work has been featured by local and international media like Al Jazeera Wired and TechCrunch. He has presented his research at multiple top-tier international cyber security conferences in United States, Canada, Europe, Middle East and East Asia including Defcon, Hitcon, Athack, Hacktivity, DeepSec, Sector, GreHack, HackFest, Arab Security Conference, Texas Cyber Summit, BSides etc. He has achieved industry certifications, the prominent of which are OSEE, OSWE, OSCE, OSCP, OSWP, CREST CRT, CPSA, EWPTX.

Twitter: @aitezazmohsin

Return to top

Closing Keynote

Haroon opened the first 44CON in 2011, he will close the 10th physical event in 2022.

Haroon Meer






Return to top

44CON 2022 Workshops

All workshops are one to three hours long. Some of these workshops require you to bring items to get the most out of them.


Using SliverC2 for Red Team Operations (2hr50)

Whilst Cobalt Strike is still arguably the most popular red teaming toolkit as a commercial offering, several open source frameworks have emerged in the last few years that have comparable feature sets, reduce the cost barrier to entry and provide stable platforms to develop, customise and extend red teaming tradecraft and approach. SliverC2 is an open source adversary emulation red teaming framework created by BishopFox and is written in Golang. The framework has gained popularity with red teamers and Russian Foreign Intelligence Services alike .

In this workshop I will take you through the deployment, configuration, and usage of SliverC2 against a fictious company. The goal of the workshop is to provide hands-on experience of the SliverC2 toolset.


The environment will be provided and participants will need to have a laptop that has a functional Linux component either as a virtual machine or native operating system. The ability to run Golang will also be needed. An internet connection will be needed to install armoury packages, so a laptop with an ethernet connection that is used to be part of the environment and a secondary connection such as a wireless device is required for that section.

Matt LorentzenMatt Lorentzen

Matt has worked in the IT industry for 25 years. From a sysadmin through to running his own company before spending the last 10 years focusing on a dedicated testing role. Matt has gained a wealth of experience in many sectors delivering pentesting and red teaming services. He is passionate about knowledge sharing and has developed projects focused on testing trade craft development.

Twitter: @lorentzenman

Return to top

Build Your Own AWS Security Scanner (1hr50)

In this session you’ll learn to how to use AWS APIs to not just discover infrastructure, but discover insecure or badly configured AWS infrastructure. Starting nearly from scratch, you’ll build a shell-script or python-based tool that can invoke AWS APIs, interrogate and understand the responses, and use that to guide your exploration of AWS infrastructure.


In order to get value from this workshop, you need to bring the following. There will not be time to open an AWS account, install the AWS CLI, and set up your environment during the workshop. You need to do that in advance.  You can use a personal AWS account: the techniques in this workshop can be executed with literally 0 cost. Creating (empty) buckets, security groups, NACL rules and IAM policies are all free actions, as are the discovery APIs that we will call.

Before the workshop you need:

  1. Access to an AWS account
  2. You need some king of identity:
    • create an IAM user and give it some privileges
    • use an existing identity and use it at the command line
  3. A laptop where you can write code and run commands at the command line
    • install a recent version of bash. Any Linux will do. (Windows Subsystem for Linux works fine) or Python 3.8 or later
    • install the AWS CLI
    • install jq (for parsing JSON)
    • if you are using Python, you need to install Boto3 (pip install boto3)
  4. A code editor that you know how to use. We use VSCodium, but it’s up to you.

If you can run the following comment and get sensible output, you have met the prerequisites:

aws sts get-caller-identity

Sensible output looks like:



"Account": "111122223333",

"Arn": "arn:aws:iam::111122223333:user/paco"


Paco Hope

Paco Hope

Paco Hope has 20 years experience securing software and systems. Key competencies in cloud security, application security, and infrastructure security.

Today Paco consults with the biggest enterprises to secure their cloud workloads on AWS. He helps customers with data encryption at rest and in transit, identity and access management, reliability, scalability, cloud forensics, and cloud incident response. He is a subject matter expert on the AWS Certified Security – Specialty certification and a named contributor to the AWS Incident Response white paper.

His experience covers web applications, mobile software, and business-to-business transaction systems. He has assessed systems for small startups with thousands of lines of code, and massive enterprises with thousands of applications and millions of lines of code. He has worked in financial services, online retail, and the online gaming industry.
Twitter: @pacohope

Return to top

Forensic Codebreaking (1hr50)

The purpose of this workshop is to give a hands-on introduction to forensic codebreaking – something that is usually not taught in public lessons. The lecturer will introduce the most important pencil-and-paper solving techniques along with links to free codebreaking software.

In the main part of the workshop, the attendees will have the chance to break authentic crime-related ciphertexts themselves. For this purpose, the lecturer will choose the most suitable messages from his large collection. Different difficulty levels, based on the participants’ skills, will be provided. Whenever necessary, the lecturer will assist and give hints. At the end of the session, detailed solution descriptions will be provided.

For this workshop, a laptop is helpful, but not required.

Klaus SchmehKlaus Schmeh

Klaus Schmeh has published 19 books, 300 articles, 1,500 blog posts, and 30 research papers about encryption technology, which makes him the most-published cryptology author in the world. While most of his publications are in German, his 2020 book “Codebreaking: A Practical Guide” is in English. Klaus is the world’s leading blogger in the field of crypto history (cipherbrain.net).

As his main profession of security consultant at a German IT company, Klaus utilizes his special skill in explaining complex technical topics, often using self-drawn cartoons and Lego brick models for visualization. He is an excellent speaker and frequent lecturer, having hosted presentations at more than 250 conferences in Europe, Asia, and the USA. His presentations at DEFCON, RSA Conference (U.S. edition), TrusTech, NSA Crypto History Symposium, Dragon Con, HistoCrypt, and other major events were enthusiastically received because of their clarity and because of Klaus’ engaging presentation style.

Klaus gave successful presentations at 44CON in 2017, 2018, and 2019.

Twitter: @KlausSchmeh

Return to top

Q&A with James (1h50)

This workshop is different. You’ve listened to James’ talk, you have many questions and there isn’t enough time during the Q&A to ask them all. Now is the time to ask them.

James will be happy to discuss his research and any topic of mutual interest.

Prepare your questions and reserve your place on this workshop when you arrive. Time with this awesome member of Google’s project Zero is time well spent.

James ForshawJames Forshaw

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols” available from NoStarch Press.
Twitter: @tiraniddo

Return to top

NetflOSINT: taking an often-overlooked data source and operationalizing it (0h50)

When we think Network Forensics, we often immediately gravitate toward packet captures (PCAPs) and logs from routing devices. There is no disputing the importance and value in either, but this leaves another source frequently overlooked – enter Netflow. Many devices natively generate Netflow or IPFIX, but do we really analyze the data?
Many may be aware, but what if you were told that there are tools to extract Netflow data FROM PCAPs? This provides a means of more efficient statistic and in-depth analysis using a variety of methods with smaller files to help gain context in what to query or follow in PCAP streams.
This presentation will include demonstrations in Microsoft Excel, ELK, and Jupyter notebooks to allow a simple jumping point for integration into other aspects of an investigation using OSINT vectors.

OSINT Primer Using Search Engines (2h50)

The course begins with explaining search engines and algorithms – how they work for Intelligence operations. From here, students are exposed to a variety of search engines (beyond Google, Yandex, and Bing). Various search engines are surveyed for use cases and regions used. From this point, students are introduced to concepts and techniques to alter or improve their search engine results and efficiency. The remainder of the class is used to refine and re-enforce students’ comprehension of advanced search operators, providing students with a whole new area of the internet to use for Intelligence collection and analysis.
In brief, this course covers the following via lectures, labs, and demonstrations:
• Algorithms behind the search engines
• Non-Google Search Engines
• Regional
• Specialized Focus
• Techniques for more effective searching abroad
• Considerations and use of each search engine
• Advanced operators for conducting searches for Intelligence operations

This is an advanced course that assumes some knowledge, comprehension, and experience with Intelligence or OSINT. No accounts are explicitly needed, although having social media accounts (they do not have to be your real account nor do they need to be fake [Sock] accounts) to follow along with will not hurt.

Joe GrayJoe Gray

Joe Gray, a veteran of the U.S. Navy Submarine Force, is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe is the Founder and Principal Instructor at The OSINTion. By day, Joe is a Security Threat Hunting and Intelligence Engineer at Mercari.

As a member of the Password Inspection Agency, Joe has consistently performed well in Capture the Flag events, specifically those involving OSINT. Examples include 2nd Place in the HackFest Quebec Missing Persons CTF and Winning the TraceLabs OSINT Search Party during DEFCON 28 (as a member of The Password Inspection Agency) and DEFCON 29 (as a member of The Federal Bureau of OH-SHINT). Independently, Joe placed 4th in the DerbyCon OSINT CTF and 3rd in the National Child Protection Task Force Missing Persons CTF and 2nd Place in Hacker Jeopardy at Hack in Paris.

Joe has contributed material for a variety of platforms such as Forbes and Dark Reading in addition to his platforms. Joe has authored the OSINT tools DECEPTICON Bot and WikiLeaker in addition to the book, Practical Social Engineering, available via NoStarch Press.

Twitter: @C_3PJoe

Return to top