The Agenda is below and please go to the online event page to get the log in details for the individual sessions you want to attend.

08:00 – 08:30

Presenters: Alistair Greaves & Andy Gill – Pen Test Partners

Nijushio - A Year Targeting Nippon

Synopsis: Andy and Alistair have spent the good part of a year on Intelligence led Red Team engagements against some of the biggest organisations in Japan. They will cover some of their major successes and failures covering topics such as:

- Intelligence led phishing and utilising smishing as entry vectors;

- The importance of Pen Testing proficiency in particular build reviews when conducting Red Teams in foreign languages; - The difficulties of Red Teaming in foreign languages and how to overcome those challenges; and

- What happens when the Red Team goes Blue. Red Team led Threat Hunting.

09:00 - 09:45 Panellists: Neil Fowler-Wright, - Hitachi Rail Europe; Tracey Jones – Bank of England; Pete Cooper – Cabinet Office; - NCSC; Simon Clow – STAR Penetration Testing Focus Group Chair Rob Dartnall – CREST Threat Intelligence Professionals Group Vice Chair

The importance of Intelligence-Led Penetration Testing frameworksSynopsis: A panel of experts including government and regulators will discuss the importance of intelligence-led penetration testing frameworks for the assurance of critical functions that maybe subject to sophisticated and persistent attacks.

There will be an opportunity to put your questions to the panel. Please send any questions you may have in advance to marketing@crest-approved.org. Alternatively there will an opportunity to ask questions during the session using the question panel.

10:00 -10:30

Presenter: Ian Glover – CREST President

An update on CREST & Intelligence-Led Penetration Testing Globally

Ian Glover will give an update on current CREST projects and what is happening on the global stage.

10:30 – 11:00 BREAK

11:00 – 11:45

Presenter: Paul Laine – Context Information Security

DynamicWrapperEx – Registration-Free In-Process COM Automation Server

Synopsis: Anyone that has ever been working with Windows systems must have heard of Component Object Model (COM), and most of the time in bad terms. Additionally, despite being a revolutionary specification when it appeared in 1995, there is still a large veil of mystery around it.

In 1998, Jeff Strong released a blog post named “An Automation Object for Dynamic DLL Calls” to showcase an OLE Automation server written in C++. This component would allow dynamic invocation of methods within dynamic-link libraries (DLL) from Windows Script Host, such as JSCript and VBScript. Later in 2008, Yuri Popov (Юрий Попов) released a tool named DynamicWrapperX inspired by Jeff’s work. Yuri wrote the tool in GoAsm assembly but never provided the source code.

Over the years multiple threat actors, malware and subsequently persons working on simulated attack operations used DynamicWrapperX for first stage malware delivery. To name a few:

• zerosum0x0’s Koadic C3 COM Command & Control - JScript RAT

• RAA JCcript ransomware and stealer

• HWorm/Houdine VBS Loader

Nowadays, many signatures and rules for DynamicWrapperX exists. The objective of this presentation is to explain how to develop your own registration-free In-Process COM Automation server. This will be archived by going through the following topics:

• A brief history of COM

• COM Interface & Component

• COM Automation & Dynamic Methods

• x64 and __stdcall Calling Conventions

• Component Activation via ActCtx

• Shellcode Execution Example

Limitation, Caveats and Operational Security Consideration

12:00 – 13:00 Lunch

13:00 – 13:45

Presenter: Oliver Fairbank – Orpheus-Cyber & CREST Threat Intelligence Professionals

Towards Active Reconnaissance

Synopsis: Oliver Fairbank from Orpheus will present the current CTIPS paper regarding the restrictions on Active Reconnaissance as part on intelligence-led security testing frameworks. The presentation and subsequent discussion will build upon the Three-Tier Acquisition Model work led by Andy Flood of Nettitude.

14:00 – 14:45

Presenter: Aaron Dobie - KPMG

Red Teaming Techniques

Synopsis: Aaron from KPMG will present on a variety of red team techniques he has been working on over the past 6 months. This has included investigating and producing a DLL hijacking teams implant, migration of macro guardrails from the endpoint to block reverse engineering, and some basic hardware hacking.

15:00 – 15:30

Presenter: Samantha Alexander & Nigel Harrison – CREST

An Update on the CREST Cyber Security Global Ecosystem Project

Samantha Alexander will provide an update on the project CREST is doing in 8 countries in Africa and Asia (Bangladesh, Ethiopia, Indonesia, Kenya, Nigeria, Pakistan, Tanzania, Uganda)

15:30 – 16:00 Break

16:00 – 16:45 APT using COVID content for targeted attacks

Presenter: Jason Smart – PwC & CREST Threat Intelligence Professionals

Throughout 2020 the world has been bombarded with COVID-19 information - from government notifications, public health warnings, to everyday organisations telling us their COVID SAFE plans. In all of this information overload, threat actors with a range of motivations have taken the opportunity to use COVID and information to conduct campaigns. This presentation will touch on a few threat actors that PwC’s Threat Intelligence team have observed using COVID-19 in lures and infrastructure.