44CON 2023 Talks and Workshops


What does a snooker player, yoga enthusiast, beach bum and crochet queen have in common?

  1. Driving forces of crime
  2. Measuring perceptions
  3. Perception versus reality
  4. Weaknesses with current investigative methods
  5. Challenges solving complex problems
  6. Unconventional approach to investigating cybercrime
  7. Diagnostic toolbox
  8. Case study: hack of a data centre and the monetisation of the stolen IP
    a. Industry practices and characteristics
    b. Data centre and connected data sources
    c. Sequence of events
    d. Investigating the hack, the breach of data and the monetisation of the stolen IP
    e. Forensic profiling and open-source intelligence
    f. Identifying and targeting the weak links
    g. Social engineering the individuals
    h. Working with local and international law enforcement
    i. Search and seizure operations of houses, businesses, and ISPs
    j. The snatch and run
    k. Lessons learnt

The investigation will cover our investigation in Africa, the Middle East, Europe, and Asia.

Peter Allwright

Peter is Head of Suntera Forensics and leads a forensic team specialising in the Gaming sector. He has 14 years of experience providing forensic services to some of the biggest online gaming platforms, casino software developers, casino operators and casino back-office operations. 

He specialises in investigating cloned gaming infrastructures and games, high-value data breaches and hunting down perpetrators in hostile jurisdictions to retain the stolen intellectual property. He works closely with local and international law enforcement agencies to detain perpetrators and to support their successful extradition and prosecution.

He has successfully led local and international search and seizure operations of private residences, business premises and internet service providers, in order to retain stolen intellectual property and secure evidence that perpetrators leave behind. He often has to deal with the complexities of foreign jurisdictions and the impact of data protection legislation.

Why use carpet bomb DDoS when a targeted strike consistent a few well crafted requests can cripple a service?

As an added bonus, precision strikes make it that much easier to avoid WAF countermeasures.

And where to find this amazing cyber weapon? Why in a seemingly unimportant CVSS score 7.5.

For the longest of time I have been a developer working with large and not so large institutions in the UK. Over the last few years, I’ve focussed on AppSec where I’ve developed an AppSec program that focusses on pragmatism and making security agile by shifting left. My LinkedIn describes me as an AppSec snooper and agile fundamentalist but my 25-year career contains interests and skills span everything from middle-tier service development, functional, databases and security and I blog and talk about these subjects.

The offensive industry is about exploring what’s possible. Part of this is observing and taking lessons from other disciplines that have already solved a myriad of related challenges, from proper software engineering practices to using graph theory for offensive problems. But despite various leaps forward over the last several years, the offensive post-exploitation community has yet to fully embrace data analysis and enrichment pipelines beyond basic log aggregation and searching. If offensive tools were structured for automated processing instead of solely human consumption, we could unify post-ex data to exploit the known (and unknown) relationships within the data our offensive tools emit. Imagine a system that could ingest data from any C2 framework or post-ex tool, and could not just automate common operator tasks like binary analysis for known vulnerabilities and hash extraction and cracking of encrypted documents, but could perform complex offline analysis like host privilege escalation. If we could unify all post-exploitation data from offensive engagements we could improve operator workflows, provide tradecraft assistance, facilitate automation of onerous tasks, and uncover new data-driven research opportunities. A year ago, our team embarked on the development of just such a system, and we are excited to introduce the result of our effort: Nemesis. This presentation will start by detailing the various red team challenges regarding data, leading into how this influenced Nemesis’ architectural decisions and design. Along the way we’ll cover various time-saving automations Nemesis can perform along with offensive data enrichments and analytics the engine can produce. This is the start of a true universal operator assistance platform, with operator guidance contextualized by data as it comes into command and control platforms. Beyond this, Nemesis will enable the emerging discipline of offensive data analysis, which we hope will unlock possibilities we can’t even imagine.

Lee Christensen is a member of the R&D team at SpecterOps, where he helps research and develop new offensive techniques and capabilities. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.

Max Harley is an operator and red team tool developer at SpecterOps. His passion for cybersecurity and software development has motivated him to release open source tools, mostly focused on safe payload delivery and JA3. Max has given presentations at multiple security conferences including CarolinaCon and BSides Charleston. He is a Clemson University alumni and former president of their cybersecurity club, CU Cyber.

We discovered a set of memory corruption vulnerabilities in ncurses, identified as CVE-2023-29491 and fixed in ncurses v.6.4 commit 20230408. These vulnerabilities can range from memory leak or denial-of-service (DoS) to elevating privileges and executing arbitrary code. An example of possible (privileged) target is “top” on macOS, which is a suid binary.

Ncurses is a library to develop text-based user interface (TUI) programs for terminal emulators, available for various operating systems such as Linux, BSDs and macOS. First released in 1993, 30 years ago, ncurses is still widely used and actively maintained.

In this talk we will present our journey on how we selected ncurses for scrutiny, its history, what are terminal databases and terminfo format and how we triggered the vulnerabilities starting from a single environment variable.

Emanuele is a Security Researcher in Microsoft Defender focusing on Linux and Linux malware. Prior to joining Microsoft, Emanuele obtained a PhD on binary analysis for Linux and IoT malware at the Software and System Security group of Eurecom (France). Emanuele loves to play with both defense and attack and his research interests are on exploring new static and dynamic analysis techniques for binary analysis, OS internals and reversing unfriendly binaries.

Jen will present the opening keynote on Wednesday evening.

Jen Ellis is working to reduce cyber risk for all digital citizens. As founder of NextJenSecurity, she partners with security experts, technology providers and operators, civil society, and governments, to create greater understanding of cybersecurity challenges and solutions. Jen promotes better collaboration among these communities, more effective cybersecurity advocacy, and broader adoption of security best practices. Jen serves on the UK Cabinet Office’s Government Cyber Advisory Board and the UK Department for Science, Innovation, and Technology’s Cyber Resilience Expert Advisory Group. She is an associate fellow of the Royal United Services Institute’s (RUSI) and a co-chair of IST’s Ransomware Task Force, sits on the boards of the Center for Cybersecurity Policy and Law, and the Rapid7 Cybersecurity Foundation, and is a member of the board of advisors for the CyberPeace Institute and RUSI’s Ransomware Harms investigation. She has testified before U.S. Congress and spoken at numerous security or business conferences.

The pathway to initial access in 2023 is far from an easy one. This talk will lift the lid on all the recent techniques, tactics and procedures (TTPs) we have both been using to gain access and seeing clients targeted with.
The days of initial access being a case of sending a basic phishing email and get creds are long gone. With email filters so much more effective, end user training more frequent, corporate procedures enhanced, phishing is hard. We need to think differently, we need to be creative. That is what this talk is all about. Showing you the TTPs we have developed over the years to evade or even bypass corporate controls and trick staff into giving us access. We will reveal the TTPs that we have seen our clients targeted with in recent months and we have developed ourselves over time. This is much more than phishing, this is full scope social engineering initial access, showing the many ways of getting in and gaining initial access in 2023 and beyond.

Tony Gee, Social Engineer, OSINT & Intelligence Analyst, Pen Test Partners
For 15 years, Tony’s job has been either trying to break technology or defend it from attack. This he has done everywhere from banks to mass transport systems. He specialises in open source intelligence and social engineering, providing intelligence and understanding, helping clients understand their exposure and providing insight and access for red and purple teams. He also speaks the world over at technology and cybersecurity events about how anything from children’s toys to cars, planes and ships can be hacked. He has spoken at PCI events in Europe and Asia, at the ISC2 Congress, ISACA CSX Europe, SANS Awareness Conference, WIRED Smarter, technical conferences such as 44Con and BSides. Most notably, he has spoken to US Congress and the European Central Bank about how the underlying digital theories and systems which modern life relies on, are vulnerable to attack. 

Artificial Intelligence (AI), together with the underlying technology called Machine Learning (ML), is increasingly prevalent in our lives. It’s already integrated into our personal devices, financial systems, medical equipment and critical infrastructure – and it’s on course to be the main driver behind every modern solution across all sectors. Like any other ubiquitous technology, AI/ML based systems can be abused by attackers, causing disruption, financial loss, reputational harm, or – in extreme cases – even posing a risk to human health and life.

In this talk, we briefly introduce core machine learning concepts before taking a more in-depth look at the taxonomy of adversarial attacks against ML. We describe each type of attack in detail, but at a fairly high level, without diving into mathematical concepts. Instead, we focus on real world applications, examples, possible consequences of an attack, and mitigation strategies.

Marta is a Principal Researcher at HiddenLayer, where she focuses on investigating adversarial machine learning attacks and the overall security of AI-based solutions. Before joining HiddenLayer, Marta spent over a decade working as a researcher for leading anti-virus vendors. She has extensive experience in cyber security, threat intelligence, malware analysis, and reverse engineering. Throughout her career, Marta has produced more than three dozen publications between HiddenLayer, BlackBerry, Cylance, Securelist, and DARKReading. She also presented at industry conferences such as REcon Montreal, SEC-T and BSidesSF.

Eoin Wickens is a Senior Researcher at HiddenLayer, where he researches security for artificial intelligence and machine learning. He has previously worked in threat research, threat intelligence & malware reverse engineering and has been published over a dozen times, including co-authoring a book on defense against Cobalt Strike. Eoin earned a BSc with Honors in Computer Science from Cork Institute of Technology and proudly supports the Irish cybersecurity community as a south chapter member lead of Cyber Ireland.

Once upon a time, we thought of cyber attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation and we had various approaches we would use to frustrate attackers at every phase. As the cat and mouse game of security continued, this eventually morphed into an endpoint compromise- focused process involving initial access, exploitation, persistence, command and control and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organisations work has changed radically – so what does the cyber kill chain look like now?

This talk will consider what a new SaaS cyber kill chain looks like for modern organisations that are fully SaaS native without any concept of an internal network, and the surprising number of attacks that are possible without touching company owned endpoints or infrastructure We will consider topics like how the initial access stage is changing due to the availability of so many potential beachheads, what lateral movement looks like in a world with no internal infrastructure to migrate to and how persistence methods have changed and are much more resilient to common containment measures such as password resets and secure device wipes.

Luke Jennings is a security researcher from the UK. He spent most of his early career focused on red teaming and offensive security research at MWR, before moving on to developing new detection and response techniques and designing EDR software as the Chief Research Officer for Countercept. He has now pivoted away from the endpoint to focusing on the emerging threats in SaaS security at Push Security.

MS-RPC is Microsoft’s implementation of the Remote Procedure Calls protocol. The protocol is highly integral to the operation of Windows and serves as the basis for nearly all Windows services on both managed and unmanaged networks. As such, it is also the behind-the-scenes driving force for many lateral movement techniques and exploits, such as PSExec, PetitPotam, DCSync and more.

While much focus is given to attacks over RPC, there are also built-in mechanisms that defenders can utilize to mitigate some of the threats and attacks that RPC can carry. These include the RPC ETW provider and the RPC filters in the Windows firewall.

Monitoring RPC traffic is a difficult task, since most of the traffic is legitimate, and it is hard to distinguish between benign and malicious requests. In order to aid network defenders, we will share a tool that we built, that eases interaction with the RPC ETW provider, enriches event data and helps in visualizing it. We’ll present some inherent shortcomings in the ETW provider (such as missing data in some events or troublesome event correlation) and how we overcame them.

In this talk, we will present how defenders and analysts can utilize these features in Windows to track and defend against RPC-based attacks. We will also demonstrate their effectiveness in analyzing RPC data and detecting malicious traffic. Finally, we will share signatures that we wrote to detect many common lateral movement techniques and one-days.

Stiv Kupchik is a senior security researcher at Akamai, whose research projects revolve around OS internals, vulnerability research and malware analysis. Last year, he presented at Hexacon, where he demonstrated a CVE in a common Windows service that he found and exploited. Besides cyber security, Stiv is also a physics student, and likes to read and game on his PC in his spare time.

Digital identities have evolved from the proverbial audible challenge that was called from the castle gates, “Who goes there?” There was little to be able to discern the validity of the identities provided. Jumping through time to 1962 we saw the advent of the password protected system. We were still in a state of being unable to verify the user identity of the password. Moving to biometrics, multi-factor authentication and passwordless technology has demonstrated that tools to authenticate digital identities are improving. When we factor nefarious technologies such as deep fakes and conversely future looking technology such as DNA data storage, we see that the need for governments to take the lead on digital identities is of paramount importance. 

Dave Lewis

Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is a Global Advisory CISO for Cisco. He is the founder of the security site Liquidmatrix Security Digest & podcast as well as the host of DuoTV and the Plaintext podcast. 

He is currently a member of the board of directors for BSides Las Vegas. Previously he served on the board of directors for (ISC)2 as well as being a founder of BSides Toronto conference. Dave has been a DEF CON speaker operations goon for over 10 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference and the CFP review board for 44CON. He is currently working towards his graduate degree at Harvard. Dave has previously written columns for Forbes, CSO Online, Dark Reading, Huffington Post, The Daily Swig, and others. 

For fun, he is a curator of small mammals (his kids) plays bass guitar, grills, and is part owner of a whisky distillery as well as a soccer team.

This talk presents ghidriff, a new open-source Python package that offers a command line binary diffing capability leveraging the power of Ghidra with a fresh take on the standard patch diffing workflow. As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis as they identify added, deleted, and modified functions between two binaries. Matching functions across binaries is a challenging and asymmetric problem because of complex function relationships and the many changes that can occur after a simple change is introduced into the source of a binary. ghidriff overcomes this challenge by offering the latest function matching heuristics while also providing the user the ability to write custom function correlation classes. Like other binary diffing solutions, the tool stands on the shoulders of giants (SRE tooling) to interpret a binary and provide a consistent and reliable approach to binary diffing. Unlike other tools, ghidriff offers a command line experience, simplifying the entire patch diffing workflow to only a single step, significantly reducing analysis time. Additionally, the results of the diff are rendered as beautiful markdown files that can be shared and hosted almost anywhere. ghidriff is the tool security researchers need to quickly understand the latest patched vulnerabilities and easily share their next vulnerability writeup with the security community.

A security researcher in Canada who is passionate about learning and sharing knowledge on various aspects of information security. He has a keen interest in binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security and InfoSec tools and also blogs regularly about his research projects and experiments with Ghidra and Jupyter Notebooks. He has presented his previous work at events such as InfoSec Jupyterthon 2022 and REcon 2023. You can follow him on Twitter [@clearbluejar] or visit his website.

Over the past few years, we have seen an increasing number of threat actors moving to kernel-based attacks such as leveraging stolen certificates to sign rootkit drivers, or Bring-Your-Own-Vulnerable-Driver (BYOVD), as it’s getting harder and harder to operate stealthily on userland.

Traditionally, red teams tend to avoid kernel-land because of the complexity and unstable nature of these attacks. However, with the increase in number of threat actors adopting kernel-based attacks, as an adversary simulation team, I was intrigued in implementing these kernel-based attacks and started to integrate them into operations.

In this talk, I will talk about the journey in implementing these attacks, from how and where to look for certificates, how to go about looking for a reliable-enough vulnerability in third-party drivers to avoid BSOD, to functionalities we would want to implement in our rootkit driver.

I also go over defenses for these attacks, their strengths and weaknesses. And with these defenses in mind, I will go into possible future attack vectors in the kernel for red teams. Finally, I will demo some of the tools I designed to assist in the vulnerability discovery, as well as rootkit development.

Khang Nguyen is a senior staff red team engineer at Palo Alto Networks. He spends his time pushing the boundaries of red teaming, and adversary simulation. Moreover, his interests also include researching new exploitation and post-exploitation techniques.

The mobile industry has always had a relationship with the hacking community and it has often been collaborative when it comes to protecting consumers.
This is the first time that the mobile industry has spoken about its work with the security research community which started with very informal relationships with hackers and developed into the world’s first cross-industry Coordinated Vulnerability Disclosure (CVD) scheme. The scheme that has run since 2017 has had 70 submissions affecting technologies used by the entire mobile industry. The resulting fixes have saved end users from major pain through the avoided exploitation of the disclosed vulnerabilities.

David Rogers, the Chair of the GSMA’s Fraud and Security Group will take the audience on a journey through mobile hacking history from the industry’s point of view. Highlights include SS7 signalling attacks and rogue base stations through to femtocell hacks, LTE network breaches and lots of clever device hacking as well as some legendary names from the hacking world. The talk will focus on the technical details of the hacks, how we were able to address them as an industry; what went wrong and what we learnt along the way. The talk will also look at where we can go together in the future and what types of technology challenges and issues we expect to see.

David Rogers

David is a mobile phone and IoT security specialist who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on product security for the Internet of Things as well as future automotive cyber security.

David chairs the Fraud and Security Group at the GSMA. He authored the UK’s ‘Code of Practice for Consumer IoT Security’, in collaboration with UK government and industry colleagues and is a member of the UK’s Telecoms Supply Chain Diversification Advisory Council.

David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012-2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.

He has spoken at a number of hacking conferences on his security research work including DEF CON’s Car Hacking and Policy Villages, 44CON, B-Sides London, B-Sides Cymru and B-Sides Las Vegas.

He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019.

The Art of the Breach is designed to be a journey for anyone interested in physical security. Robert takes the audience on a trip from the public sidewalk outside a target organization all the way through to the executive filing cabinet in the President’s office. During this adventure, Robert discusses everything from successful reconnaissance prior to the breach to ensuring an easy exit afterwards. Robert spends time at each step to go over the various options for moving forward. Some of these options are easy and straightforward while others require preparations and planning. Since every business is different, Robert brings in many different options a physical penetration tester might face. This includes steel doors, cameras, armed guards and aware employees. While many physical security talks focus strictly on the information security aspect of breaching, Robert will combine this with techniques used by first responders to enter a building. If you want to up your game on physical security or at the very least bring back some ideas for improving your company’s defenses, this talk is for you.

Robert is the founder and president of the Trace Labs, a non profit organization that crowdsources open source intelligence (OSINT) to help locate missing persons. He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security, insider threats, operational security and other topics. Robert primarily works in the aerospace industry where he assists newly acquired organizations to secure their environments. This includes all aspects of security in regions around the world. In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years). In 2018, he actually ran his own Trace Labs OSINT CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas. Robert is also a ten year volunteer with Search and Rescue in British Columbia, Canada. In his search & rescue capacity, Robert specializes in tracking lost persons and teaching first responders how to leverage OSINT.

BPF allows us to do great things – from hooking practically any kernel function, to blocking actions and killing processes – but it can be quite difficult to use! Wouldn’t it be amazing if you could just write some YAML and a pre-existing, mature, open source, BPF engine did all the hard work? And sent events to your logs? And your email? And maybe even to your phone as a SMS text message, and to your Slack channel? With OSS Tetragon you can! In this talk I will show you how to monitor and block actions with BPF, without actually writing any BPF.

Kevin Sheldrake is a security software developer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. His current interests are developing tools using eBPF, currently working on Tetragon, having previously ported Sysmon from Windows to Linux (using eBPF) when he worked at Microsoft Sysinternals. In the past he specialised in IoT and crypto for a number of years.

He has a Masters degree, is a Chartered Engineer and, in the past, has been a CHECK Team Leader, a CISSP and held CLAS.

Kev has presented at 44CON, Troopers, DEFCON 4420, 441452 and 441392 on RFID crypto (Cracking HiTag2 Crypto); EMF Camp, DEFCON 4420 and 441452 on hacking embedded devices (Inside our Toys); 44CON and EMF Camp on misusing Scratch to develop hacking tools (Exploits With Scratch / Taking Over The World With Scratch), based on a paper published in PoC||GTFO; presented on building debuggers for embedded devices at Securi-Tay (Phun with Ptrace()); and also presented a lengthy take down on the use of NLP in Social Engineering at DEFCON 4420 (Social Engineering LIES!).

Gone are the days of long polling, bidirectional realtime communication is here via WebSockets. This transformative technology has undeniably elevated the user experience of modern applications, but it poses a critical question: how secure is it? In this talk, we deep-dive into the threat landscape of the WebSocket protocol to discover why this is an often overlooked attack vector where traditional vulnerabilities hide. After providing a primer to the WebSocket protocol and its attack surface, we share our research findings from looking at over 50 enterprise and Open Source applications, unveiling multiple vulnerabilities leading to data leaks, account takeovers and Remote Code Execution.

Despite the widespread adoption of WebSockets, WebSocket security remains an underexplored area, presenting unique challenges when evaluating the safety of applications utilizing it. We will address these trials, the shortcomings of current tools, and then reveal our new Burp Suite Extension “SocketSleuth”. SocketSleuth boosts Burp’s WebSocket capabilities, aligning them more closely with the feature set for regular HTTP requests, such as an intruder for WS, match & replace rules, WS AutoRepeater for automated authorization testing, and more! Finally, we show how SocketSleuth can be used to improve pentest workflows and find bugs that have been hiding in realtime!

Elliot is a senior security researcher @ Snyk, with many years working on application security and offensive security topics throughout his career in penetration testing, security engineering and research.

Elliot is currently residing in Switzerland where he enjoys hacking, craft beer, cats, skateboarding and snowboarding.

Have you ever wondered how physical penetration tests are conducted? What it would be like to actually rob a bank or how someone can gain access to the most physically secure buildings in existence? Is it really as easy as walking through the front door and asking to visit the server closet, or are people creeping in at the middle of the night, face painted, wearing tactile-necks? The answer is YES. In this exclusive presentation, I’ll be covering 7 action-packed years of physical penetration tests, with stories of breaking into banks, water treatment facilities, skyscrapers in NYC, courthouses in Iowa, and cheese-packing facilities in the middle of nowhere. We’ll turn everything you know about physical security upside down – case in point, the cheese factory was by far the most secure. I’ll show you how we did it, the characters we met along the way, and share some of the greatest never before told stories.

Justin Wynn is a Director at Coalfire who specializes in physical security and regularly performs network, application, wireless, and social engineering penetration tests. You may be familiar with his wrongful arrest while testing courthouses in Iowa. He’s Keynoted conferences and conducted over 350 penetration tests and physical engagements. His past times include bank robbing, critical infrastructure parkour, and inventing new tools and techniques for physical security.


Binder Trace is our tool to help track how Android applications interact with each other and the underlying operating system. This workshop covers:

  • Setting up Binder Trace to use on an Android emulator and (if you’ve brought one) a real device
  • An introduction to using Binder Trace , including
  • The key UI components
  • How to interpret the different displays
  • How to filter message types
  • How to export data
  • How to recognise errors in parsing and what you can do about them
  • How binder and Binder Trace work:
  • The binder architecture
  • How Binder Trace accesses binder messages
  • How messages are recognised and how their data is parsed
  • Using Binder Trace against a real 3rd-party application to find out what it’s doing under the hood
  • Looking for privacy and security risks using Binder Trace
  • Using Binder Trace to help with vulnerability research

For this workshop you will need a laptop with the following already installed:

  • An Android emulator with a root shell
  • Frida-tools

It will be useful if you know the basics of getting Frida running on the emulated device.

Cam is a director of Foundry Zero, a cyber security consultancy and training company.

With over 10 years of experience in cyber security, Cam has had multiple roles from penetration tester to software engineer with a focus on research. He has performed large scale penetration testing exercises and written multiple books about the subject.

Having worked with Android across his entire career with a focus on low-level research into native vulnerabilities, Cam is experienced in taking apart Android libraries and investigating deep into the Android OS.

During the workshop, participants will delve into the intricacies of .NET reverse engineering and gain a comprehensive understanding of the techniques involved. Starting with an overview of the .NET framework, the workshop will gradually progress towards advanced topics such as deserializations, bypassing mitigations, and a lot more, empowering attendees with the necessary skills to identify and exploit vulnerabilities.

Students will be provided with lab files before the workshop which contain tools and exercises for the workshop.


– A windows 10 VM Visual studio 2022 installed .NET Framework 4.0 to 4.8
– A copy of https://github.com/pwntester/ysoserial.net.

Sina Kheirkhah is an Independent Vulnerability Researcher.

The goal of this workshop is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Microsoft Windows via (CVE-2023-28308) and Android via (CVE-2022-36934). The main point of the workshop is to help researchers understand that they already have the information and tools needed to understand complex vulnerabilities. By learning to patch diff “in the dark”, a researcher can progress from knowing about a vulnerability to actually understanding its root cause.

Requirements for the Workshop:

  1. Laptop with Ghidra installed or ability to run workshop VM
  2. Internet access to download workshop resources

A security researcher in Canada who is passionate about learning and sharing knowledge on various aspects of information security. He has a keen interest in binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security and InfoSec tools and also blogs regularly about his research projects and experiments with Ghidra and Jupyter Notebooks. He has presented his previous work at events such as InfoSec Jupyterthon 2022 and REcon 2023. You can follow him on Twitter [@clearbluejar] or visit his website.

More than 50% of major cyber incidents since 2021 would have been prevented if organizations had followed one specific principle. The Principle of Need to Have Available describes surrendering permissions not required for the next set of premeditated tasks. We compare this with the Principle of Need to Know and show how more than half of recent major cyberattacks in 2023 could have their impact limited. This is not just a principle to protect against ransomware, but also helps in longer and more targeted campaigns as it required attackers to work harder to get your data. Unfortunately, applying this principle requires a little bit more work than updating your information security policy and it might be that your organization has not yet reached a level of maturity where you are able to see a return on security investment from it. As an example of critique, given not all work within the organization can be broken into premeditated tasks, the principle cannot be applied to all roles and ranks without prior impact evaluations. Still to protect your organization, the Principle Need to Have Available provides an addition for your arsenal worthy of considering.

There are no pre-requisites for this workshop.

Yiannis Pavlosoglou

Experienced Cybersecurity Executive with a strong background in Risk and Information Security, offering 20 years of expertise in the field. Proficient in implementing industry-leading frameworks such as NIST, Operational Resilience, CERT RMM, as well as possessing extensive knowledge in Ethical Hacking, Penetration Testing, Secure Coding, and Process Excellence. Adept in Governance, consistently providing comprehensive quarterly updates to UK boards and regulators. Demonstrates a diligent approach to cost management while maintaining a focus on delivering high-quality service and optimizing processes. Highly influential in shaping the future of the cyber industry through regulatory advocacy efforts.

You’ve seen the talk – Detection And Blocking With BPF Via YAML – and now you want to get hands on!

This workshop will take you from curious to competent in configuring the open source Tetragon to hook kernel functions by only writing straight forward YAML. Follow along on your own VM as we explore numerous demonstrations of detecting and blocking kernel actions depending on function arguments. Report events, kill processes, and trigger canaries, through fine-grained and entirely configurable, kernel observability.

Bring a recent Ubuntu VM to get going quickly and easily.

Kevin Sheldrake is a security software developer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. His current interests are developing tools using eBPF, currently working on Tetragon, having previously ported Sysmon from Windows to Linux (using eBPF) when he worked at Microsoft Sysinternals. In the past he specialised in IoT and crypto for a number of years.

He has a Masters degree, is a Chartered Engineer and, in the past, has been a CHECK Team Leader, a CISSP and held CLAS.

Kev has presented at 44CON, Troopers, DEFCON 4420, 441452 and 441392 on RFID crypto (Cracking HiTag2 Crypto); EMF Camp, DEFCON 4420 and 441452 on hacking embedded devices (Inside our Toys); 44CON and EMF Camp on misusing Scratch to develop hacking tools (Exploits With Scratch / Taking Over The World With Scratch), based on a paper published in PoC||GTFO; presented on building debuggers for embedded devices at Securi-Tay (Phun with Ptrace()); and also presented a lengthy take down on the use of NLP in Social Engineering at DEFCON 4420 (Social Engineering LIES!).

You are performing a security review…Suddenly a wild Kubernetes cluster appears! Where do I start? How do I access it? What the heck is a Pod? What does a namespace do? In this workshop, we’ll walk through what to do when performing a review or penetration test of a Kubernetes cluster and how different components can be abused. Attendees will learn about containers and Kubernetes fundamentals, how they leverage Linux functionality and how they interact with each other. In the final part of the workshop, attendees will be able to practise what they have learnt by playing mini capture the flag (CTF) scenarios. The content is aimed at beginners, but attendees will be expected to be hands-on to understand more about core Kubernetes components and how they can be misconfigured and compromised. Attendees will be given access to our bespoke sandboxed training environment, including their own Kubernetes clusters for the CTF.

Requirement for the Workshop:

A laptop with Docker and an SSH client is required to participate.

Kevin is an Senior Security Engineer with over 10 years of experience designing, building and testing secure solutions for Government, Defence and Finance sectors. He has spent several years embedded with DevOps teams, introducing security controls in the pipeline as well as transforming the security posture of the pipeline itself. In his own time, Kevin enjoys hacking and hardening systems to discover the balance between security and usability. He co-authored the GKE CIS Benchmarks and CNCF FSUG Kubernetes Threat Models.

Software supply chain frameworks like NIST, SLSA, and CIS provide valuable guidelines for securing the software supply chain. However, bridging the gap between theory and practical implementation in auditing and enhancing the security of the software development lifecycle (SDLC) requires further progress. 

In this session, we will delve into the most critical risks associated with the software development lifecycle and demonstrate how open-source tools can facilitate the assessment and improvement of SDLC security. To bring it to life, we will analyze recent high-profile supply chain breaches executed by attackers and explore effective protective measures. 

Attendees will walk away with tangible guidance and actionable insights on how to bolster the security of their SDLC. They will leave equipped with practical strategies to implement in their organizations, enabling them to safeguard their software supply chain effectively.


  •  A laptop with npm install
  •  A Github Account
Mor Weinberger

Mor is a Staff Software Engineer at Aqua Security with vast experience in analyzing cloud native security and supply chain threats and developing solutions to defend against them. Mor recently worked alongside CIS to co-create the industry’s first formal guidelines for software supply chain security, and he led the development of an open source tool to audit and ensure compliance with the guidelines. Additionally, he regularly uncovers new and emerging threats such as cryptomining campaigns and unsecured environments and shares his research with the community.