Throughout September and October, members of NCC Group will be presenting their work at SANS CyberThreat, ResponderCon, BSides St John’s, ICMC, DevOps World, RootCon, and Hexacon.
- Ollie Whitehouse & Eric Shamper, “Enterprise IR:Live Free, live large” to be presented at Sans CyberThreat (September 12-13 2022)
- Balazs Bucsay, “Alternative way to detect mikatz” to be presented at ResponderCon (September 13 2022)
- Jeremy Boone, “Shooting yourself in the Boot – Common Secure Boot Mistakes” to be presented at BSides St John’s (September 15 2022)
- Paul Bottinelli, “Selected Cryptography Vulnerabilities of IoT Implementations” to be presented at the International Cryptographic Module Conference (September 16 2022)
- Viktor Gazdag, “War stories of Jenkins Security Assessments” to be presented at DevOps World 2022 (September 28-29 2022)
- Balazs Bucsay, ” Alternative way to detect mimikatz” to be presented at RootCon (September 28-29 2022)
- Cedric Halbronn & Alex Plaskett, “Toner Deaf – Printing your next persistence” to be presented at Hexacon (October 14-15 2022)
Please join us!
Enterprise IR: Live free, live large
Ollie Whitehouse & Eric Shamper
SANS CyberThreat 22
September 12-13, 2022
Abstract forthcoming.
Alternative ways to detect mimikatz
Balazs Bucsay
ResponderCon
September 13 2022
Mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behavior analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. Turns our that mimikatz by default talking to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable to detect most mimikatz variants out-of-the-box. Other technique was implemented and will be part of the presentation, where the console communication is “sniffed”, but this technique can be applied to other malware as well. Both techniques will be published and code will be opensourced after the con.
Shooting Yourself In The Boot – Common Secure Boot Mistakes
Jeremy Boone
BSides St. John’s
September 15 2022
Secure boot is the mechanism by which an embedded device safely loads and cryptographically verifies its runtime firmware or software. Secure boot is an important and necessary feature for embedded systems — without it, an attacker could compromise the device, implant a rootkit or bootkit, and even persist across factory resets or OS reinstalls. In this talk, I will describe how hardware devices typically implement secure boot, and will dive into several common implementation mistakes and foot-guns that can enable an adversary to bypass these low level hardware security controls.
Selected Cryptography Vulnerabilities of IoT Implementations
Paul Bottinelli
International Cryptographic Module Conference (ICMC 2022)
September 16, 2022
In this talk, Paul will present a number of selected cryptography vulnerabilities encountered during security reviews and penetration tests of IoT solutions.
War stories of Jenkins Security Assessments
Viktor Gazdag
DevOps World
September 29 2022
I will talk about 3 security engagements and how I was able to gain access to the Jenkins environment.
There will be an overview about what security configurations are available and what additional plugins can be installed for improving the security posture.
We will answer the question if these settings are working or is there any missing gaps/parts (like audit plugins available, but has vulnerabilities)?
Sharing a Jenkins hardening checklist for easy wins and making an attacker’s life hard when they are attacking.
Alternative ways to detect mimikatz
Balazs Bucsay
RootCon
September 28-30 2022
Mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behavior analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. Turns our that mimikatz by default talking to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable to detect most mimikatz variants out-of-the-box. Other technique was implemented and will be part of the presentation, where the console communication is “sniffed”, but this technique can be applied to other malware as well. Both techniques will be published and code will be opensourced after the con.
Toner Deaf – Printing your next persistence
Cedric Halbronn & Alex Plaskett
Hexacon
October 14-15 2022
In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.
This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.